No Wonder Training Fails!

By Frank Ruelas
Facility Compliance Professional, St. Joseph’s Hospital and Medical Center/Dignity Health

When people plan administrative safeguards against malware, training is almost always the first action they consider.  Computer users receive some type of message alerting them to malware, along with a few basic steps for not falling victim to an attack.  Unfortunately, that is usually where the action starts and ends.  Is it any wonder that, over time, this strategy fails?

What else are people doing?

Another action people are taking, beyond the cursory information they send out to workforce members, is adding notices to incoming email.

Some of these notices alert the user that the email originated from outside the organization and remind him or her of the training: if the message comes from an unknown sender, or carries attachments or links, check them out before opening the attachments or clicking the links.

Does checking the validity of an email take time?  Of course.  Is it time well spent?  OF COURSE!  So the use of such a notice is certainly worth considering.  These notices usually come in one of two varieties, though there are other options.

One option is to include banner text at the top of the body of an incoming message.  Often these banners are set in a distinct font, capitalized, and separated from the rest of the email body by a text-based separator such as a row of hyphens, equal signs, asterisks, or some other symbol.

Another option is to prepend text to the subject line so that it, too, draws the recipient's attention to the fact that the email came from an external source.  Often this prepended text is set in all capital letters so the user notices it and takes the precautions introduced in the recently distributed training.

Then there are those who use both options.  Given the risks associated with malware and the impact of a successful attack, why not?
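As an added example, not code from the article or its author, here is what the combined approach looks like when implemented at the mail gateway in Python, the kind of filter you would hang off a milter or a post-queue script. The organization's domain (`example-hospital.org`), the tag text, the banner wording and the three sample messages are all made up for illustration. Beyond the subject tag and body banner described above, it shows the two checks a practitioner will want: classify by the address domain in `From`, never by the display name, because the display name is exactly what phishing mail spoofs; and apply the tag and banner only once, so replies to a tagged message do not accumulate tags.

```python
"""Prepend an [EXTERNAL] subject tag and a body banner to mail that did not
originate inside the organization. Added example, not code from the article;
the domain list, tag text, banner wording and sample messages are made up."""
import re
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example-hospital.org"}  # assumption: the org's own domains
SUBJECT_TAG = "[EXTERNAL]"
BANNER = ("CAUTION: This email originated from outside the organization. "
          "Do not open attachments or click links unless you recognize the "
          "sender and know the content is safe.")
SEPARATOR = "=" * 72


def is_external(msg: EmailMessage) -> bool:
    """Classify by the address in From, never by the display name: the display
    name is attacker-controlled text ("IT Helpdesk <x@attacker.example>")."""
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    return domain not in INTERNAL_DOMAINS


def tag_subject(msg: EmailMessage) -> None:
    """Prepend the tag once; a reply to tagged mail must not stack tags."""
    subject = msg.get("Subject")
    if subject is None:
        msg["Subject"] = SUBJECT_TAG
    elif not str(subject).lstrip().upper().startswith(SUBJECT_TAG):
        msg.replace_header("Subject", f"{SUBJECT_TAG} {subject}")


def add_banner(msg: EmailMessage) -> None:
    """Put the banner at the top of every text part the reader will see
    (plain and HTML), skipping attachments and parts already bannered."""
    for part in msg.walk():
        if part.get_content_maintype() != "text" or part.is_attachment():
            continue
        body = part.get_content()
        if BANNER in body:  # idempotent
            continue
        if part.get_content_subtype() == "html":
            block = (f'<div style="border:2px solid #c00;padding:6px">'
                     f"<b>{BANNER}</b></div>")
            m = re.search(r"<body[^>]*>", body, re.IGNORECASE)
            new = body[:m.end()] + block + body[m.end():] if m else block + body
            part.set_content(new, subtype="html")
        else:
            part.set_content(f"{BANNER}\n{SEPARATOR}\n\n{body}", subtype="plain")


def tag_external_mail(raw: bytes) -> bytes:
    """Gateway entry point: returns the message to deliver, tagged if external."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if not is_external(msg):
        return raw
    tag_subject(msg)
    add_banner(msg)
    return msg.as_bytes()


def visible_parts(raw: bytes) -> dict:
    """What a reader would see: subject, plain body and HTML body ('' if absent)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    out = {"subject": str(msg.get("Subject", ""))}
    for kind in ("plain", "html"):
        body = msg.get_body(preferencelist=(kind,))
        out[kind] = body.get_content() if body is not None else ""
    return out


# Constructed sample: display name claims to be internal, address is not.
SPOOFED_DISPLAY_NAME = (
    b"From: IT Helpdesk <helpdesk@attacker.example>\r\n"
    b"To: nurse@example-hospital.org\r\n"
    b"Subject: Password expires today\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n\r\n"
    b"Click here to keep your mailbox: http://attacker.example/reset\r\n")
# Constructed sample: external multipart/alternative mail with an HTML part.
HTML_EXTERNAL = (
    b"From: Billing <invoice@vendor.example>\r\n"
    b"To: ap@example-hospital.org\r\n"
    b"Subject: Invoice attached\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/alternative; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain\r\n\r\nSee invoice.\r\n"
    b"--b1\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body><p>See invoice.</p></body></html>\r\n--b1--\r\n")
# Constructed sample: genuinely internal mail, must pass through untouched.
INTERNAL_MAIL = (
    b"From: Compliance Office <compliance@example-hospital.org>\r\n"
    b"To: nurse@example-hospital.org\r\n"
    b"Subject: Training reminder\r\n"
    b"Content-Type: text/plain\r\n\r\nPlease complete the module by Friday.\r\n")

if __name__ == "__main__":
    for raw in (SPOOFED_DISPLAY_NAME, HTML_EXTERNAL, INTERNAL_MAIL):
        print(visible_parts(tag_external_mail(raw))["subject"])
```

One caveat the filter cannot fix on its own: the `From` header itself can be forged, so an internal-looking address from outside is only caught if the gateway also enforces SPF, DKIM and DMARC on inbound mail. The banner is a user-awareness aid layered on top of those checks, not a substitute for them.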

Other tips?

Indeed, there are other steps that can be taken to keep user awareness of, and focus on, the threats associated with malware at an ongoing level of operational effectiveness.  But before people take on too much, I ask them first to consider the following.

First, accurately identify what you already have in place.  For some people this exercise will be short and sweet, because they may not even have the most basic step, training, in place.  If that is the case, no problem: put together some training material and get it out to the workforce.  Before you distribute the training content, do yourself and your users a favor.  Get a small group of randomly selected line-level staff to review it, then ask for feedback so you can learn how to make the training more effective from the perspective of line-level staff.

If you do have training in place, check with your information technology (IT) department, or whichever department manages the email system on your network, to see what options exist for adding notices to the body of incoming email or prepending them to the subject line.

But there's more!  Let us start slowly and methodically, though; based on the feedback that people (hopefully) share, we can then take a few more steps that I think people will also find very useful.
