A recently released study by Verisign states that 88% of American Web users are unable to spot a phishing Web site. The study showed participants side-by-side comparisons of legitimate sites and their phishing counterparts and asked them to point out the malicious one. It is a sterling example that the CLF problem (carbon-based life form) is still the single biggest impediment to cyber security.
I have a bit of a cynical streak and therefore normally do not fall on the side of education to stop things like cyber crime. But it is clear that Web users need some pragmatic education, because it makes the job of IT security very difficult when users willingly walk into malicious activity. I used the term “Stopping Stupid” in a previous post, but if only one in eight people can spot a phishing site, then endpoint security education is clearly needed before we can place the blame solely on the users.
When my own kids began to surf the net, I was careful to educate them on what they would encounter. For example, I made sure they knew that there was no benevolent force on the World Wide Web that existed to give them a free iPod just for visiting a site. We talked about how, if something seemed too good to be true, it probably was, and that if they ended up on a page they did not expect to see, they should stop immediately. Simple stuff when they were younger, progressing to many of the basics covered in the Verisign study now that they are in their teens.
But it is unreasonable to expect that all people grow up in a house with a cynic who works in the IT security market. Few Web users know what the padlock symbol means or why the colors change in the browser's security status bar. Many still believe there is a Cyber Santa who really does want them to have a new notebook PC. We hand people a computer when they show up for work and, in most cases, no one shows them the basics of physical security or what to look for when doing simple tasks on the Web. Then, when we see stories such as the latest Nine-Ball mass infection, we wonder how such a thing could happen, but we are at least partially culpable for sending the lambs to the slaughter.
So, as much as it goes against my cynical nature, we in the IT security market must take steps to educate the army of CLFs that enter the Web jungle daily. It is no fun to tell them there is no Santa Claus, and we will never get 100% on the Verisign test, but we do need to do a better job of at least teaching the basics, such as the simple signs of a phishing attack. We should offer basic education when we hand over a new computer, and there should be constant reminders of the fundamentals. The bad guys are getting smarter, so we must make our users smarter. After all, at 88%, only one of Santa’s eight reindeer would spot a phishing attack.
Posted in Endpoint Security