On 2010-08-31 19:58, Nathan Eisenberg wrote:
The only thing you can do to help your users is to provide them with proper education and to explain to them that they should keep up to date, run the right tools and not click anywhere they can.... and that is a mission which is near impossible.
I thought user education in threat management was long ago abandoned as a realistic defense mechanism. Don't get me wrong, I loved my users when I was supporting a desktop fleet; but the key to their survival was always policy implementation through Active Directory; back in the day, blocking executable files in email prevented a lot more problems than training users not to open them did.
When you control the hosts in your network, then indeed that works quite well and is most likely the best approach, though it fails miserably again when users don't want to be under your control. If you are an ISP, then you don't control the hosts of your users, and the only thing left is to educate... which is near impossible, as you state.
Don't get me wrong, every little bit helps. But when you consider your security with a scrutinizing eye, you should always ignore the question 'how educated are my users'. It's irrelevant.
As long as you check the PDF viewer version of the ladies at the HR department ;)

Greets,
Jeroen
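The thread above argues for technical controls (blocking executable attachments) over user education, but does not show how such a block is done. The following is an added example, not code from either participant or from any product mentioned: a Python filter, using only the standard library, that flags Windows executables among e-mail attachments by content (the "MZ" DOS/PE header) rather than by extension alone, and looks one level into ZIP archives. It goes beyond the thread's extension-based block because a renamed executable, or one inside a ZIP, slips past an extension check. The e-mail message, its attachments and the blocked-extension list are constructed for the example and are assumptions, not data from the thread.

```python
"""Flag executable e-mail attachments by content, not only by file name.
Added example; the message and attachments below are constructed."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed block list of extensions Windows will happily execute.
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".vbs", ".msi", ".dll"}
PE_MAGIC = b"MZ"          # DOS/PE header: every Windows executable starts with it
ZIP_MAGIC = b"PK\x03\x04"


def _suspicious(name, data):
    """Return a reason string if (name, data) looks like an executable, else None."""
    lower = (name or "").lower()
    ext = lower[lower.rfind("."):] if "." in lower else ""
    if data[:2] == PE_MAGIC:
        # Content wins over the name: a renamed .exe is still an .exe.
        return f"{name}: PE/DOS 'MZ' header (extension {ext or 'none'} does not matter)"
    if ext in EXEC_EXTENSIONS:
        return f"{name}: blocked extension {ext}"
    return None


def find_executable_attachments(raw):
    """Parse a raw RFC 5322 message and list attachments that should be blocked."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""   # decodes base64/QP
        hit = _suspicious(name, data)
        if hit:
            findings.append(hit)
            continue
        if data[:4] == ZIP_MAGIC:
            # One level into the archive: check each member's name and magic bytes.
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for info in zf.infolist():
                        if info.is_dir():
                            continue
                        head = zf.open(info).read(2)   # only the magic is needed
                        inner = _suspicious(info.filename, head)
                        if inner:
                            findings.append(f"{name} -> {inner}")
            except zipfile.BadZipFile:
                findings.append(f"{name}: corrupt ZIP, reject rather than guess")
    return findings


def build_sample_message():
    """Constructed message with three attachments: a harmless PDF, a PE file
    renamed to .pdf, and a ZIP hiding a .scr screensaver."""
    msg = EmailMessage()
    msg["From"] = "hr@example.test"
    msg["To"] = "staff@example.test"
    msg["Subject"] = "Constructed test message"
    msg.set_content("Three constructed attachments follow.")
    msg.add_attachment(b"%PDF-1.4\n%constructed\n",
                       maintype="application", subtype="pdf", filename="policy.pdf")
    fake_pe = PE_MAGIC + b"\x90" * 62          # minimal stand-in for a PE header
    msg.add_attachment(fake_pe,
                       maintype="application", subtype="pdf", filename="invoice.pdf")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "nothing to see")
        zf.writestr("photo.jpg.scr", fake_pe)
    msg.add_attachment(buf.getvalue(),
                       maintype="application", subtype="zip", filename="photos.zip")
    return bytes(msg)


if __name__ == "__main__":
    for finding in find_executable_attachments(build_sample_message()):
        print("BLOCK:", finding)
```

Run stand-alone, it reports the renamed executable and the ZIP member, and lets the real PDF through. A production gateway would also recurse into nested archives, handle password-protected ZIPs (which hide the member content, so the safe default is to reject them), and treat Office macro formats separately; none of that changes the point the thread makes, which is that the check runs on the mail path where the operator has control, not in the user's head.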