
Persuading users to comply with e-mail security

Is there any way to keep a network safe from receiving loaded e-mails? I work in a hospital and have viruses popping up in all sorts of locations. A big portion of e-mails we get are from other hospitals, so the problem is widespread. I have tried repeatedly to advise users to beware of any and all e-mails that they receive -- to scan them first before opening them -- but for some unknown reason these people don't seem to get the point or don't care. We have installed filters that allow us to screen out potential carriers of viruses but this doesn't always work either and is very time consuming. What can be done short of removing all e-mail privileges?

You're not alone in facing this problem. User behavior is still one of the most serious security threats, especially to the medical community.

Even with good antivirus software that should identify infected e-mails, many users will ignore its warnings. A firewall on every computer helps too: it limits infection by Trojan horse programs and blocks the communication between the creator of the code and the computer it has infected. Personal firewalls like ZoneAlarm and Tiny are affordable and very effective.

Assuming that you have proper antivirus software in place on every computer used for hospital business (inside and outside the building), and that you regularly update your antivirus definitions (the maker of the antivirus software should offer this service), the next challenge is changing behavior.
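The filters the question describes sit in front of the antivirus and firewall layers above: they hold an attachment before any user can open it. The following is an added example, not code from the original page, of the two checks such a gateway filter most needs, shown in Python on a constructed sample message (the executable-extension list, the magic-byte table and the addresses are assumptions for illustration): it checks the last extension of a file name, so that "invoice.txt.exe" is treated as an .exe, and it checks the first bytes of the content, so that an executable renamed to .doc is still caught.

```python
"""Added example (not from the original page): a minimal MIME attachment
screen of the kind a mail gateway applies before a message reaches a user.
The policy lists and the sample message are constructed for illustration."""
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows executes on double-click (assumed policy list, not exhaustive).
EXECUTABLE_EXTENSIONS = {
    ".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".wsf", ".hta",
}

# Leading bytes of executable formats, checked regardless of the declared name/type.
MAGIC_SIGNATURES = {
    b"MZ": "dos/windows executable",
    b"\x7fELF": "elf executable",
}


def screen_attachment(filename: str, payload: bytes):
    """Return a reason to hold the attachment, or None if it passes this screen."""
    name = filename.lower().strip()
    suffixes = ["." + s.strip() for s in name.split(".")[1:]]
    # Check the *last* extension: "invoice.txt.exe" is an .exe, and a mail client
    # that hides known extensions shows the user only "invoice.txt".
    if suffixes and suffixes[-1] in EXECUTABLE_EXTENSIONS:
        return f"executable extension {suffixes[-1]}"
    # Check content, not just the name: an .exe renamed to .doc still starts with "MZ".
    for magic, description in MAGIC_SIGNATURES.items():
        if payload.startswith(magic):
            return f"content is {description} despite name {filename}"
    return None


def screen_message(raw: bytes):
    """Parse a raw RFC 822 message; return [(filename, reason)] for held attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    held = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        reason = screen_attachment(filename, payload)
        if reason:
            held.append((filename, reason))
    return held


def build_sample_message() -> bytes:
    """Constructed sample: one benign attachment and two disguised executables."""
    msg = EmailMessage()
    msg["From"] = "records@example.org"   # assumed address
    msg["To"] = "ward3@example.org"       # assumed address
    msg["Subject"] = "Patient transfer paperwork"
    msg.set_content("Please see the attached files.")
    msg.add_attachment("Mon: Dr A\nTue: Dr B\n", filename="rota.txt")
    fake_exe = b"MZ\x90\x00" + b"\x00" * 60  # constructed PE-like header, not a real program
    msg.add_attachment(fake_exe, maintype="application", subtype="octet-stream",
                       filename="invoice.txt.exe")
    msg.add_attachment(fake_exe, maintype="application", subtype="msword",
                       filename="results.doc")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, reason in screen_message(build_sample_message()):
        print(f"HELD {filename}: {reason}")
```

Run as written it holds invoice.txt.exe and results.doc and passes rota.txt. It deliberately does nothing about archives, macro-bearing documents or encrypted attachments, which is the gap the question is seeing: a name-and-header screen is cheap and catches the careless cases, but the antivirus on each machine, the personal firewall and the user's own caution remain necessary behind it.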

The best way to change user behavior is to show users the drastic consequences of ignoring the rules:

Consequences for the hospital

The virus community has often talked about smart viruses and other code targeted at hospitals and capable of wiping out patient medical records and critical research data. Other malicious programs could be designed to seek out and interfere with hospital equipment, perhaps even switching off life-support systems. Imagine the consequences to the patients, hospital and staff if such an incident occurred, one which could have been prevented by a little more care. The creator of the virus may not have deliberately targeted the hospital; or the author may be a previous patient with a grudge, or simply a malcontent looking for publicity.

Consequences for staff

Employers and courts have become far less tolerant of risky behavior by employees, and the excuse of "I didn't know" is no longer a safe defense. Staff who are careless about the way they deal with e-mail in such a sensitive environment, and who have already been warned, may face the risk of discipline, dismissal, a civil action and perhaps even criminal charges, if their negligent behavior harms a patient.

Staff with dangerous biological infections, such as Hepatitis C, understand the basic precautions they must take to minimize the risk of blood contact with patients. The same common sense must apply to computer viruses. They threaten patients, the hospital's reputation and job security. Avoiding the risk is not hard.

Technology only goes so far and can always be circumvented by users. A user must take a computer virus as seriously as HIV, and must understand that e-mail is the biggest carrier of computer viruses, which can do as much harm to a patient as the most lethal biological virus.

For more information on this topic, visit these other SearchSecurity.com resources:
Best Web Links: Employee security education
Best Web Links: Security Policy & Infrastructure

This was last published in August 2001
