Security requires both technical defenses and user awareness
Computer security has become more important than ever at both home or work. Security products, promptly applying security patches, and the user's actions are all vital. Years ago, many malware writers acted more as pranksters writing software to delete files or make the PC inoperable. The goal today is to trick users with highly realistic email or websites and then to hide on the PC in order to gain highly sensitive or confidential information over time.
Many attacks user social and technical engineering approaches that can deceive even highly experienced users. For example, malware authors use embed actual HTML from the real websites or simulate Windows dialog boxes (as noted in the article below). Security is so vital today, that it cannot be ignored.
For example, companies MUST have an active awareness program. It's true that some users will march to the beat of a different drum and ignore advice. Still, security awareness cannot be totally ignored. A good program would include:
1. User responsibilities, as most companies have "business use" and "information protection" policies. Users need to know what they can and cannot do at work.
2. Some general training on avoiding malware attacks is helpful in case innovative malware slips past the technical defenses. For example, the Help Desk should be contacted if there are questionable items.
3. Users must know their vital role in safeguarding customer and corporate information. Their laptops, passwords, and other resources could be compromised if safe practices are not followed.
4. Occasional brief all-employee bulletins and an Intranet website can help communicate and promote user responsibilities in the process
Security evangelism is achieved one step at a time and companies won't see immediate results. However, these small differences will add up over time. A train the trainer model may emerge, as technically savy users gain knowledgeable and act as leads in their departments or offices.
The tone and communications make all the difference in the world. While security sometimes requires a "thou shalt not" approach, it shouldn't be the primary theme. A more positive tone of "how to be safe at work and home" may help users become more receptive to learning the principles of protection.
Home and corporate users cannot be expected to become security experts. Conversely if someone totally ignores the many dangerous security exposures, they will most likely experience technical issues with their PC or they could even become a victum of fraud. Instead, users should be taught the basic principles of risk avoidance and where to go to for help.