educate or scare your workforce
Right at the start of this blog, I think it important to say two things:
1. I am by no means an IT expert (that much will become apparent), and;
2. This is my first attempt at a blog.
Anyway, to the subject: virus warnings on email attachments.
This morning I received an email from a colleague via our company network. The email had an MS Word document attached and when I went to open it I was presented with what, to me, looked like a dire warning. It read:
As stated earlier, I am nowhere near being an IT expert and this warning looked to me like there was a high chance that the attachment had a virus. I think it worth highlighting the following provocative words or phrases from the message (I have put certain words in bold to emphasise my point):
Furthermore, the message gives a warning (‘This file may contain a virus that can be harmful to your computer’), an action (‘You must save this file to disk before it can be opened’) and an advisory (‘It is important to be very certain that this file is safe before you open it’). Unfortunately, none of them explicitly state that they will address the subject of the warning.
At face value, it makes no sense to me that the email may contain a virus and that therefore the correct action to undertake is to save the potentially infected file to my computer, or to a DVD or memory stick or some other form of removable media (in all honesty, to me the phrase ‘save this file to disk’ actually means saving it to an external media device; I don’t intuitively think that it is suggesting that I should save it to my computer’s hard drive). If I do save the file in one of these places, surely I run an even greater risk of infecting my computer and, if I save it to external media, other computers too? So what do I do? Save it to disk and run the risk, or click cancel (which appears to be the preferred option) and never read the attachment?
As this was an email from within the company, generated on our internal network, I worriedly thought that it was something I should bring to the attention of our Chief Technical Officer.
The CTO’s response was interesting. He said that as part of the National Cyber Security Centre’s Cyber Essentials programme, it is a requirement to prompt users to really think before opening email attachments and the like. So far, so good (and successful). He also explained that part of Microsoft’s “Save to Disk” feature is that it requires the file to be copied to a new location, which forces it to be checked by local antivirus and other mechanisms, whereas if it resides in email there is no such force; you rely on an on-access scan (which is not necessarily always applied) or a regular scan, which might come too late.
My concern is that receiving dire warnings of imminent doom every time I try to open an attachment will quickly become tiresome and there is every chance that I (and most other people) will simply begin to ignore them (once we realise that ‘Saving to Disk’ won’t actually cause the virus to infect our computer). We will establish an automatic response, which in this case will involve not reading what the pop-up says and simply clicking on ‘Save to Disk…’, or the button that is positioned where ‘Save to Disk’ is normally located. There are three issues with this:
1. We non-IT types will not establish an understanding of why it’s not safer to merely leave the attachment to reside in email;
My suggestions, therefore:
Here endeth my first blog.