Like most people, I have an opinion. I hold pretty strong opinions about certain topics, one of which is user security education. In "real life", we tell our children and our families:
"Don't trust everything you see and read"
"Don't accept candy from strangers"
"Don't stray down dark alleys"...
You get the idea...
Hmm. Why don't we ever say to children and family...
"Don't trust everything you download"
"Don't install programs that aren't signed by a company you trust"
"Don't click links to go to sites you don't trust or can't verify"
Despite increased awareness of stranger danger for children on the Internet, along with safer Internet banking practices (in part reinforced with two-factor technology to protect the ignorant), a large portion of people still have the attitude of "it won't happen to me" when it comes to malware. The scary thing on the Internet is that it's very likely to happen to them. It's just a matter of time... and I think this problem is born out of ignorance.
In May I wrote about this topic. In it I stated "...The number of virus infections found by a virus vendor does not necessarily equal poor security. In many cases (though not all) it equals poor user behaviour..."
Some people, including members of the media, felt I was apportioning blame and sensationalized this comment. I wasn't apportioning blame. I was saying that there's only so far that technology can go in protecting the user from their own choices. I stated then that if I choose to override every prompt warning me of unsafe behavior and proceed with my intentional action, then I will get what I get. I still stand by that statement. Users must become better educated about risks and choices... and make sure that they have an up-to-date virus scanning application to protect them when they inadvertently make a mistake. (Note: even if you have a Mac, yes, you still need AV protection on that. And according to ZDNet, apparently Apple even recommends it, despite their clever little ads.)
It turns out that Trend Micro's researchers have found the same issue: that poor user practices and behaviour are at fault. The two telling quotes for me were these ones.
"...While 63% of the infections from the top 100 pieces of malware in the region were caused by downloading something from the Web -- and 3% came from opening e-mailed attachments -- just 1.7% were related to security vulnerabilities. "That's something we can't engineer against," said Ferguson..."
and even better...
"...We still have quite a way to go to get users to educate themselves about risks," said Ferguson. "They still manage to get duped into situations that put them at risk..."
So what's the answer? More technology to get in the way? I really do believe education is a key area that must be focused on.
I firmly believe we all have a role to play. As IT professionals in the industry, we must educate our families and friends on safe practices, as they aren't learning it at school or anywhere else. There are plenty of resources to point them to as well.
Here's the Microsoft site relating to this topic, but there are plenty of government sites and community sites on the topic, with varying degrees of usefulness. Take the time to educate your family and friends.