Changing User Behavior is Key to the Malware Protection Process

By Chris Morales

My colleague, Ryan Smith, recently wrote about Defense in Depth and talked about the fact that, regardless of how many tools and techniques an organization implements to prevent infection through malware, they won’t be able to stop every infection. I agree, and would take that a step further to say that it’s practical to assume a certain percentage of systems will be infected at some point during the course of a year. Therefore, it’s extremely important to create a methodology so that you can find infections within a reasonable timeframe and mitigate the loss of information associated with a breach.

Here are two long-term strategies that you can implement and develop over the course of time.

  1. Information policy - Compensation tied to security metrics is a strong initial method to create change in company culture. Metrics should be simple and address basic security requirements that can be easily measured, such as the total number of system vulnerabilities. If incentive compensation isn’t your organization’s bag, at a minimum you should create and notify employees of a policy to conduct regular, unannounced social engineering tests. The results of the tests should be returned to employees immediately, along with information about further security training as required. Information policy won’t ensure the safety of your organization, but it will help reduce the footprint of exposure through a very common method of infection: users accepting malicious email or unintentionally clicking through to malicious sites while surfing the Internet.
  2. Define the access of confidential data - Data policies need to define what constitutes critical data, who has access to the data, and where and how the specific data should be stored. The goal is to know who and what the real threats are in order to identify the risk. By removing the ability of most users to access confidential data, you can focus your efforts on more stringent requirements for those users and systems that do have confidential data, helping you to avoid a costly breach.

Information policy and defining (and limiting) access to confidential data will enable you to change user behavior so that you can minimize the threat and respond more quickly as infections occur. There are also some tools and techniques that you can use in the short term to quickly address the current infection of systems. I’ll talk about those in my next blog posting.