If you tell enough stories, perhaps the moral will show up.

2006-05-29

Creating Liability, or Doing the Job?

OK: you block phishing websites, and that's a good thing. Your users won't be giving their banking passwords to the mafia, because they can't reach the sites.

So you're a hero. Except: every week, on the blocked accesses report, there's one or two people failing to reach sites that Websense says are phishing. Fair enough -- whatever http://www.barclays.co.uk.crzyhosting.tm is, it's not a legitimate bank. Everything is working, but maybe you are in trouble.

Those users have PCs at home. They get email at home. You know -- you've got the evidence on the report -- that they are prone to click through phishing emails. It's just as easy to be robbed at home. Should you educate them about the risk?

No. It'll take up forty minutes a week that you just don't have.

Yes. Of course you should. The firm has a duty of care to its staff.

No. Staff's management of their own bank accounts is their own business. We permit personal use of the web, but it's not consequently our job to protect them from every possible problem.

Yes. In stopping access from work, when there's no actual risk to the firm, we've acknowledged that we do have a liability. If we know that a staff member is putting themselves in danger, and we let them go ahead without a warning, their loss could be ours.

No. It's too ridiculous. How can my starting to receive a report oblige me to spend my time on my user's private affairs?

Yes. Come to think of it, what about the sites that Websense hasn't categorised yet? Suppose people get the idea that the site is safe if it's not blocked? Oh, and did I mention that one of those names is your boss's boss's boss?

This one calls for a compromise. I'm not going to construct a personalised security awareness program for anyone who reads spam mail -- among other reasons, it just doesn't work. But I will, illogically, change the "you have been blocked" message to remind people that their safety is in their own hands. And the Director? Well, it turns out that he loves a good phishing site as much as the rest of us -- he was a bit disappointed that we were blocking them now. So much for heroism.
