Computer Competency Test For Non-IT Hires?
wto605 writes "As computers are used for more and more vital business functions, small businesses must have office employees who understand the dangers of, and how to recognize and avoid, malware, spam, and phishing. After having been stung by monthly virus cleanups (at $75 an hour) due to an otherwise competent office manager, my parents have realized they need to be aware of their employees' computer skills beyond the ability to type a letter in Microsoft Word (currently the closest thing they have to a test of computer competence). The problem is, as a small business, they have no IT expert who would be able to judge a potential employee's competency. I'm wondering if anyone knows of a good way to test these security/safety awareness skills, such as an online test, a set of questions, etc. I have already pointed them to Sonicwall's Spam and Phishing test, but it definitely does not cover all of the issues facing computer users."
Re:Good way to encourage them to learn quickly (Score:5, Informative)
It's illegal to dock employees' pay for damage to the employer's property.
For accidental damage, employees have no liability at all: It's considered the employer's responsibility to manage its workplace in a way that minimizes accidental damage, and any that does occur is considered a cost of doing business. Viruses routinely appearing on company machines, especially if it happens to many employees' machines, is probably in that category.
For damage done intentionally or through serious negligence, the employee may be responsible, but the employer still cannot dock their pay; they must sue the employee to recover the damages, and must prove by a preponderance of the evidence that the damage was inflicted intentionally or negligently.
Skills assessments (Score:1, Informative)
Previsor has extensive pre-employment online skills and knowledge tests. One from their catalog that comes to mind is the Information Security Awareness test, described as:
This is an adaptive test that measures the candidate's knowledge of information security. Designed for general computer users, this test includes the following topics: Computer Best Practices, Computer Ethics & Misuse, ID & Data Information Theft, Internet Best Practices, Passwords, Physical Security, Sensitive Information, and Viruses & Other Harmful Software.
http://www.previsor.com/products/assessments/catalog
Re:Anybody can have a bad day (Score:3, Informative)
Basic training and locking down the PCs is the way to go.
Don't let the users run as administrators, and most of the infection problems will go away. From there, teach them how to deal with spam email and how to recognize fake antivirus and other phishing scams.
Once the users are kept from shooting themselves in the foot (restricted rights), and are taught why they shouldn't point the gun at their foot in the first place, things should improve dramatically.
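One concrete way to apply the "don't let the users run as administrators" advice in this comment, as an added example that is not part of the thread: a PowerShell audit of the local Administrators group on a Windows workstation that reports which accounts hold admin rights and, only when asked, demotes the ones that should be standard users. The allow-list entries (the built-in Administrator and an "ITSupport" account) are assumptions to be adjusted per machine; the script needs PowerShell 5.1 or later (Get-LocalGroupMember ships with Windows 10 / Server 2016 and later) and an elevated prompt.

```powershell
# Added example, not from the original comment: list local Administrators
# membership and optionally remove accounts that are not on the allow list,
# so office staff run with restricted rights as the comment recommends.

param(
    # Accounts that legitimately keep admin rights (assumed names; adjust).
    [string[]]$Allowed = @("$env:COMPUTERNAME\Administrator",
                           "$env:COMPUTERNAME\ITSupport"),
    # Dry run by default; pass -Enforce to actually remove extra members.
    [switch]$Enforce
)

# Each member has a Name like "PC01\alice" or "CORP\Domain Admins" and an
# ObjectClass of User or Group.
$members = Get-LocalGroupMember -Group 'Administrators'

foreach ($m in $members) {
    # Keep nested groups (e.g. "Domain Admins") and anything on the allow list.
    if ($m.ObjectClass -eq 'Group' -or $Allowed -contains $m.Name) {
        Write-Output ("KEEP    {0} ({1})" -f $m.Name, $m.ObjectClass)
        continue
    }

    if ($Enforce) {
        # Demote the account: it stays usable but loses local admin rights.
        Remove-LocalGroupMember -Group 'Administrators' -Member $m.Name
        Write-Output ("REMOVED {0}" -f $m.Name)
    } else {
        Write-Output ("EXTRA   {0} (would be removed with -Enforce)" -f $m.Name)
    }
}
```

Run it without switches first to see what would change; once the output shows only the intended accounts under KEEP, rerun with -Enforce. Accounts removed this way can still log on and do ordinary office work, which is the point: malware that runs in their context cannot install system-wide.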
Re:Simpler solution... (Score:3, Informative)
I work in a large hospital. If you log in as a generic user - typical for most stations, because anybody can wake it up from the screensaver - you get no Internet access. If you log in as yourself, making tracking (and disciplinary action) possible, you can go to any non-porn/warez/etc site. It's no serious imposition on people who work in one place, and it keeps the infections down.
Re:that quiz is rubbish (Score:3, Informative)
Got 10 out of 10, but doubt few people could, especially with the limited information shown.
Some of those they consider "legitimate" are very borderline in my view, especially that UPS one.
Also, the testing site makes a big deal about misspellings and formatting in some of the "phishing" emails. And yet the Bank of Choice one, that's supposedly "legitimate", has an obvious spelling error in it too!
Ron
Re:Simpler solution... (Score:5, Informative)
While it's great that modern systems can keep us up to date on the latest and greatest events around us, it's nothing more than a distraction most of the time, and it is almost NEVER serious business.
Re:Anybody can have a bad day (Score:3, Informative)
I think you can probably make a case for users needing to be competent to avoid phishing attacks...because the impact can be so damaging and there is no real way to prevent them...but in all other aspects maintaining a good security posture really is more the responsibility of the IT staff. In the end, something is going to test your defenses. Most of the viruses we see at my very large enterprise spread via the network. You get one user who makes a wrong click and BAM, every single one of your small office's unpatched computers is infected. You're never going to get staff that is incapable of making those types of mistakes...even IT staff make them from time to time.
I don't disagree that users should be encouraged to be more computer literate and security aware...regardless of your budget and your staffing there are aspects of security which will come down to user decisions and there is nothing you can do about it. I have been an advocate for training and modifying the culture of my organization to try and instill at least SOME basic level of security awareness. Nurses who don't want to have a password on their computer because it's too hard to remember...well...too bad. Start remembering a password or start touching up your resume is what I say. It's just part of the commitment a business needs to make when embracing IT as a part of its business. However with things like viruses, spam, malware...it's always going to get through no matter what you do. The question is whether your infrastructure is ready for it.
Re:Replace their PC's with Mac Mini's (Score:3, Informative)
It is possible that I misunderstood what you meant by "re-image." I work for IT on campus, and we deploy it on our lab images. So, I can tell you that it doesn't reboot our computer labs at 2am, pull a 5 GB image off of fast ethernet, and restart.
It also doesn't keep a copy of the image in a hidden partition - we have images that take up more than half the size of the victim machine's hard drive; the technology that would make that possible would be more interesting than Deep Freeze itself.
A frozen computer works exactly as a normal computer does - you can save documents, delete Windows files, even format the disk. Except that your changes are magically gone upon rebooting, like the computer has "amnesia." Wikipedia [wikipedia.org] says it works by redirecting writes to disk sectors, which makes sense. It might redirect writes to a "hidden" partition, because modifying a frozen partition offline causes weird behavior.
ECDL (Score:3, Informative)
Re:Anybody can have a bad day (Score:3, Informative)
Don't let the users run as administrators, and most of the infection problems will go away
I wish. This used to be the case, but most of the FakeAV stuff can run and infect fine in a user context. Sure, you can blow the user account away and you're clean, but still, doing that several times a week because yet another infected ad on CNN or whatever hosed their profile, even through Firefox, even with ad-blocking at the squid proxy, is a PITA.
Sure, non-admin means fewer re-images, but it isn't stopping many of the dangerous attack vectors (Zeus etc).
Re:Anybody can have a bad day (Score:2, Informative)
Although I'll get slammed for posting on lindot
MOST small businesses use software that runs on Windows...
Quickbooks
POS software
most off the shelf inventory systems...
finding someone to convert, maintain, and train them in the use of Linux alternatives is not cost effective...