Educate or scare your workforce?

Right at the start of this blog, I think it important to say two things:

1. I am by no means an IT expert (that much will become apparent), and;
2. This is my first attempt at a blog.

Anyway, to the subject: virus warnings on email attachments.

This morning I received an email from a colleague via our company network. The email had an MS Word document attached and when I went to open it I was presented with what, to me, looked like a dire warning. It read:

As stated earlier, I am nowhere near being an IT expert and this warning looked to me like there was a high chance that the attachment had a virus. I think it worth highlighting the following provocative words or phrases from the message (I have put certain words in bold to emphasise my point):

  • The big X.
  • ‘…contain a virus…’
  • ‘You **must** save this file to a disk…’
  • ‘It is **important** to be **very certain** that this file is safe…’
  • Note also that the preferred button (the one that is highlighted) is ‘Cancel’, which prevents me from opening the attachment or saving it to disk, further reinforcing my suspicions that there was something really untoward here.

Furthermore, the message gives a warning (‘This file may contain a virus that can be harmful to your computer’), an action (‘You must save this file to disk before it can be opened’) and an advisory (‘It is important to be very certain that this file is safe before you open it’). Unfortunately, none of them explains how the required action actually addresses the subject of the warning.

At face value, it makes no sense to me that the email may contain a virus and that therefore the correct action to undertake is to save the potentially infected file to my computer, or to a DVD or memory stick or some other form of removable media (in all honesty, to me the phrase ‘save this file to disk’ actually means saving it to an external media device; I don’t intuitively think that it is suggesting that I should save it to my computer’s hard drive). If I do save the file in one of these places, surely I run an even greater risk of infecting my computer and, if I save it to external media, other computers too? So what do I do? Save it to disk and run the risk, or click cancel (which appears to be the preferred option) and never read the attachment?

As this was an email from within the company, generated on our internal network, I worriedly thought that it was something I should bring to the attention of our Chief Technical Officer.

The CTO’s response was interesting. He said that as part of the National Cyber Security Centre’s Cyber Essentials programme, it is a requirement to prompt users to really think before opening email attachments and the like. So far, so good (and successful). He also explained that part of Microsoft’s “Save to Disk” feature is that it requires the file to be copied to a new location, which forces it to be checked by local antivirus and other mechanisms, whereas if it resides in email there is no such force; you rely on an on-access scan (which is not necessarily always applied) or a regular scan, which might come too late.

My concern is that receiving dire warnings of imminent doom every time I try to open an attachment will quickly become tiresome and there is every chance that I (and most other people) will simply begin to ignore them (once we realise that ‘Saving to Disk’ won’t actually cause the virus to infect our computer). We will establish an automatic response, which in this case will involve not reading what the pop-up says and simply clicking on ‘Save to Disk…’, or the button that is positioned where ‘Save to Disk’ is normally located. There are three issues with this:

1. We non-IT types will not establish an understanding of why it’s not safer to merely leave the attachment to reside in email;
2. We will never develop an understanding of why we are being required to save the attachment to disk – it will always appear to us to be a pointless faff, and;
3. If we are presented with dire warnings every time we try to do anything, what will happen when such a warning really is necessary? Surely even the IT giants have heard the story about the boy who cried wolf?

My suggestions, therefore:

  • Develop security pop-ups that are not presented as ‘Security Warnings’, that do not have a big X included as part of the message and that do not suggest something that is in all likelihood untrue.
  • The new pop-up could perhaps be called a ‘Security Procedure’ and would actually explain why it is necessary. In the case of email attachments, it might say, ‘The “Save to Disk” feature forces the attachment to be checked by antivirus and other security mechanisms on your computer. If the attachment continues to reside in email this may not happen and we would be reliant on an on-access scan (*which is?*), which may not occur, or a regular scan (*which is?*), which may happen too late. *Leaving the attachment to reside in email prevents it ever being scanned for viruses, increasing the chance of infection later on.*’
  • Ideally, employees would be informed of the new procedure before it goes live and would have already prepared a folder into which all new email attachments could be saved; after all, I won’t know where to save an attachment until I’ve read it, will I? If such preparation had been undertaken, the ‘Security Procedure’ could have said ‘Save to Email Attachments Scanning Folder’ or some such, rather than ‘Save to Disk’.
  • If we non-IT experts are to be empowered to understand our part to play in IT security, then we should at every turn be given the chance to improve our knowledge and understanding. This includes not being bombarded with dire warnings, but instead being told, in simple terms, why certain actions are important and the best way of conducting them.
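One way an IT team could back the ‘Email Attachments Scanning Folder’ idea above with something concrete is a small script that creates the folder, checks whether real-time (on-access) protection is actually switched on, and then runs an explicit on-demand scan of that folder rather than waiting for the next scheduled scan. The following is an added example written for this post; it is not code from the original article, the CTO, or Microsoft. It assumes a Windows machine with Microsoft Defender Antivirus and its PowerShell module (`Get-MpPreference`, `Start-MpScan`, `Get-MpThreatDetection`); the folder location and the ten-minute reporting window are assumptions for the example.

```powershell
# Added example, not from the original post. Assumes Microsoft Defender Antivirus
# and the Defender PowerShell module are present. Folder path is an assumption.
$ScanFolder = Join-Path $env:USERPROFILE 'EmailAttachmentsScanning'

# 1. Make sure the scanning folder exists so users always have somewhere to save to.
if (-not (Test-Path $ScanFolder)) {
    New-Item -ItemType Directory -Path $ScanFolder | Out-Null
}

# 2. Saving to disk only triggers an on-access scan if real-time protection is on.
#    If it is off, the explicit scan below is the only scan the file will get.
$prefs = Get-MpPreference
if ($prefs.DisableRealtimeMonitoring) {
    Write-Warning 'Real-time protection is disabled; relying on the on-demand scan only.'
}

# 3. Scan just this folder now (a CustomScan), instead of waiting for a scheduled scan.
Start-MpScan -ScanType CustomScan -ScanPath $ScanFolder

# 4. Report any detections from the last ten minutes (assumed window) whose
#    flagged resources sit inside the scanning folder.
$since = (Get-Date).AddMinutes(-10)
$hits = Get-MpThreatDetection | Where-Object {
    $_.InitialDetectionTime -ge $since -and
    ($_.Resources -match [regex]::Escape($ScanFolder))
}

if ($hits) {
    $hits | Select-Object ThreatID, InitialDetectionTime, Resources | Format-Table -AutoSize
    Write-Warning "Attachment(s) in $ScanFolder were flagged; do not open them."
} else {
    Write-Host "No threats detected in $ScanFolder; the saved attachment(s) were scanned explicitly."
}
```

Run it from a normal PowerShell prompt after saving an attachment into the folder (the scan itself may need elevation depending on local policy). The point of the script is the one the post is making: the user is told in plain words what was checked and why, instead of being shown a warning that the file ‘may contain a virus’ and left to guess.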

Here endeth my first blog.