Educating computer users within a large computer network
Posted: Mon May 15, 2017 1:33 am
The NHS, and the opening of a Microsoft document file with macros enabled which resulted in the local network privilege spread of ransomware.
No, NHS, you cannot blame your front-line medical and secretarial staff.
If you're NHS IT and you're responsible for a network, then simply ordering your staff to behave in a hygienic way is not adequate protection. If you now have a ransomware infection then it's a management fault for not testing the environment your technicians have put in place.
Absolutely every occasion like this is the direct responsibility of the Head of IT. The Head of IT should be fired and her reference should say why she was fired. Nothing else is ever going to force IT representation on the Board to grow a backbone instead of supinely putting up with whatever she's allocated by way of resources.
If your IT system can't fend off an external social-engineered or phishing attack which is accepted and opened by a non-IT member of staff then it's not the fool at the bottom of the food chain who is to blame, it's IT management. Mere "user education" is not a defence, it will not ever work, it is a failed excuse for not fighting your corner against your budget director when it was your turn to speak.
Shall I tell you how to check you've done your job? Isolate random bits of your live network on a weekly basis, make sure it's properly archived, and then open a Pandora's Box of every malware known to man on random user PCs and make sure none of it can penetrate your real-time defences. Throw a thousand emails at your users saying Lottery Win, Here's Your Monthly Statement, Print Job Enclosed, and tell them to open the lot. If you have no ill effects then well done, you have a protected network. And if you do that every week on small parts of the network without giving them any special treatment beforehand other than isolation, then you'll keep your technicians honest. And if your technicians don't know how to protect their network to that extent, run some adequate in-house courses.