Guest Column | December 10, 2018

5 Tips For Virus Protection Training Success

By Ken Dwight, The Virus Doctor


Many organizations are recognizing the need to train their users in the ways of protection against malware, hackers, and other penetration attempts. Such training is available from a number of sources — some free, others at a cost. The most popular source of free training of this kind in the U.S. is government agencies, including US-CERT, IRS, USPS, and HHS, among others.

Paid training in protection against malware and hackers is included in the course catalogs of many training organizations. It is also offered by some vendors of networking hardware and/or internet security software. While there is a fee to attend these classes, that fee is usually nominal. And if training along these lines prevents infection or penetration of those users’ computers, that nominal cost should not be an issue.

All training is not created equal, though. Here are some variables to consider when you are evaluating training options for your users.

  1. What is the scope of the training? All courses in this category talk about phishing as an infection vector and give numerous examples of warning signs or “red flags” in email messages. This is the most likely source of attack, but it’s only a starting point. Users need to understand the differences between generic phishing emails, spear phishing, and whaling. But comprehensive training should also include discussion and examples of vishing, smishing, and CEO Fraud, aka Business E-mail Compromise, or BEC. It’s also important to address the various web-based threats, through compromised websites, infected links, and new tabs opening in the browser.
  2. Does the training cover devices other than desktop and laptop computers? Users need to understand that smartphones, tablets, e-book readers, and other devices all represent significant opportunities for criminals to penetrate their defenses and make their way into their corporate network.

Going a step beyond fully functioning computers, most users today have additional devices that can be hijacked and used maliciously. The generic term used to describe these devices is the Internet of Things, or IoT. IoT devices include everything from “smart” light bulbs to video cameras, baby monitors, “smart” doorbells, refrigerators, thermostats, and an ever-increasing range of devices that connect to the internet. Many of these devices have been compromised in sophisticated attacks against individuals and corporations.

  3. Does the training address risks when the user is away from their office? Training that focuses only on the work environment misses many of the threats to which the user may be exposed. In a business setting, it can be assumed that certain protections will be in place to prevent most of the common threats. These protections will certainly include some hardware components such as routers and firewalls, at a minimum. In larger, more security-conscious organizations, the hardware protection could be far more extensive. Additionally, there are multiple layers of software and procedural defenses that will normally be in place.

But when the user is away from the office, many of those protections are no longer present. As a result, threats the user would never see at work may sail right through when the user is working at home or remotely.

  4. Does the training point out the vulnerability of public Wi-Fi connections? Whether in a truly public setting, such as a restaurant, coffee shop, or airport, or what may be considered a more private Wi-Fi environment such as a hotel or conference center, all of those are high-risk settings that should only be used very cautiously. It is possible to make them more secure, through the use of additional software and VPNs, but the first step is to ensure that the user is aware of the risk inherent in these environments.
  5. Does the training distinguish between threats that are likely to be directed at a business email address such as employee@companyname.com vs. a personal address such as name@yahoo.com? Many phishing campaigns deliberately avoid business addresses and focus on clearly personal addresses. Typical campaigns that target individuals would include “Mugged in Wales,” IRS scams, sextortion, and phony kidnapping ploys. The criminals who create these campaigns realize most businesses would be protected against them, whereas individuals are less likely to have any automated method of blocking those messages.

Regardless of the content of any specific course on this subject, it is critically important to follow up the initial training with updated information on new threats, infection vectors, and detection methods. All of these factors change frequently, so users who have completed a training curriculum must remain vigilant.

About The Author

Ken Dwight has been a computer professional since 1966 (15 years before IBM introduced their Personal Computer). Since 2002 he has specialized in malware, as The Virus Doctor™. He is the creator of the Virus Remediation Training Workshop, training IT Support Techs in effective malware removal. Contact him at www.thevirusdoc.com.