Computer Competency Test For Non-IT Hires?

wto605 writes "As computers are used for more and more vital business functions, small businesses must have office employees who understand the dangers of, and how to recognize and avoid, malware, spam, and phishing. After having been stung by monthly virus cleanups (at $75 an hour) due to an otherwise competent office manager, my parents have realized they need to be aware of their employees' computer skills beyond the ability to type a letter in Microsoft Word (currently the closest thing they have to a test of computer competence). The problem is, as a small business, they have no IT expert who would be able to judge a potential employee's competency. I'm wondering if anyone knows of a good way to test these security/safety awareness skills, such as an online test, a set of questions, etc. I have already pointed them to Sonicwall's Spam and Phishing test, but it definitely does not cover all of the issues facing computer users."

  • Simpler solution... (Score:2, Interesting)

    by demonlapin ( 527802 ) on Tuesday April 27, 2010 @10:00PM (#32007786) Homepage Journal
    Why offer general internet access from office PCs anyway? Lock them down tight. If you want to be nice, have an unlocked PC or two with a completely separate Internet connection that can be used during break times for any minor personal details - checking personal email, reserving plane tickets, etc.
  • by Jbcarpen ( 883850 ) on Tuesday April 27, 2010 @10:01PM (#32007796)

    A lot of people can recognize such things already. They just don't want to take the time to bother with it. So dock the cleanup costs out of their pay, suddenly they'll be a LOT more careful about what they trust.

    When I was younger, the mother of one of my friends was bad enough about it that her computer needed wiping on a weekly basis. My friend wasn't much of a computer person, but he at least knew what not to do. Unfortunately he was stuck using the same machine and so still had to deal with it. For a while I was fixing it for them for free since he was a friend, but when I started charging $20/hour for cleanup his mother changed her ways amazingly quickly.

  • I don't know (Score:5, Interesting)

    by the_humeister ( 922869 ) on Tuesday April 27, 2010 @10:03PM (#32007812)

    But the place I work at gave me a computer with Ubuntu installed to use. I requested this after the McAfee incident [cnet.com] last week. Apparently I'm the only one...

  • by MBCook ( 132727 ) <foobarsoft@foobarsoft.com> on Tuesday April 27, 2010 @10:03PM (#32007822) Homepage

    Right, but computers can be dangerous tools. You are expected to prove some basic competency before you are licensed to drive. Same thing with operating heavy machinery.

    If you don't know what you're doing, you can cause a lot of harm. If you send out a message to a ton of clients and use CC instead of BCC.... you are in deep trouble. You're right that anyone could accidentally do that, but you should make sure they know that in the first place.

    I don't see any problem with some basic competency stuff. A little anti-phishing, some basic tasks in an email client, etc. If a job requires knowledge of how to use a computer, the applicants should know how to use a computer.

    If they don't? You could not hire them, or you could train them.

    Seems pretty reasonable to me. If you hire them and it turns out they don't know what they are doing, you can lose money directly (like the above), or indirectly (as they spend a day or two to do a simple task before you find out they didn't know what they were doing).

    I know that there are some things that I would like on the test. It drives me nuts how many people don't know how to send screenshots around. When you get a piece of text on a web page you want me to know about, just send me the text. I don't want a screenshot of the text. I really don't want a word document with a screenshot of the text. I don't want it internally, and I don't want clients/partners seeing that. I'd rather spend the 5 minutes to teach them how to do it correctly.

  • by ducomputergeek ( 595742 ) on Tuesday April 27, 2010 @10:07PM (#32007852)

    Get Parallels or VMware if they really need Windows for something, have them run it in a virtual machine. Yes, there may be an upfront cost to switch to MS Office for Mac from the Windows version, but if the VM gets infected, nuke the VM and install a fresh one.

    Something we learned real quick was that higher up front costs with Macs were quickly recovered since we weren't dealing with these types of problems on a regular basis.

    Hell, I have programmers that are good programmers but frankly don't know the first thing about systems administration.

  • by biryokumaru ( 822262 ) <biryokumaru@gmail.com> on Tuesday April 27, 2010 @10:07PM (#32007864)
    Taking that a step further, they could sandbox all internet apps into a VM, and just wipe that if it gets virus-y.
  • by v1 ( 525388 ) on Tuesday April 27, 2010 @10:15PM (#32007942) Homepage Journal

    (while I like the Get A Mac suggestion, perhaps something more windows-zealot-friendly...)

    or get something like Deep Freeze [faronics.com] and have it simply restore the HD to factory every 2am. And use network home folders and shares for documents.

    Then you have ONE place to run the malware/av software on, the server's shares, at 2am while all the machines on the floor are reimaging themselves for tomorrow.

    (there's no point in suggesting something that they're unlikely to try even if you can make a good case for it or in fact are offering a very competitive suggestion)

  • by bbernard ( 930130 ) on Tuesday April 27, 2010 @10:19PM (#32007986)

    I've started seeing companies go the route of getting rid of workstation computers. You, dear employee, get to bring in your own computer and connect up to our virtual workspace environment. No data ever ends up on your computer, and only a couple of key ports are open to our virtual space. The virtual space can't get to the Internet, you don't have admin access, etc. You can do whatever you want on your own computer, but when you get a virus, crash the OS, bust a hard drive, it's your problem to contact your computer vendor and get it fixed. You get a day to get that resolved, or we start making you take your vacation days or get docked pay until you're back up and running.

    May sound like crap, but there are potentially some real benefits to getting workstations off of IT's plate.

  • by demonlapin ( 527802 ) on Tuesday April 27, 2010 @10:27PM (#32008068) Homepage Journal
    I work at a hospital. The computers that are on the network on which sensitive data is passed have whitelist Internet access to a tiny handful of sites. There is also a public wifi network that is basically open to anything but porn/warez sites which anyone can attach to. You're welcome to connect your smartphone or laptop to it.

    It's not about controlling the employees, which I agree is counterproductive. It's about protecting the corporate information. 90% of my Internet usage at work is personal and has no business being done on computers that might contain patient information. That doesn't mean I spend all day surfing rather than working; it just means I need to separate the two.
  • by LordLimecat ( 1103839 ) on Tuesday April 27, 2010 @10:40PM (#32008194)
    Did you check that competency quiz by sonicwall? People are expected to know the following to pass that test:
    • What HTTPS is, what HTTP is, and which is better
    • How any given company will format their emails-- will Yahoo address them by account number, or name? Or "member"?
    • How the DNS hierarchy works-- that Internal Revenue Service emails will come from a .gov, and what that means
    • What a legitimate domain name will look like (paypal.com isn't the same as paypal.com.somethingelse.net?)
    • How to check where a link points to without clicking it

    May sound reasonable to a tech guy, but a lot of this isn't stuff that can easily be taught. Seems to me a lot of this is trying to ignore the fact that the existing DNS and SMTP systems are a mess and just blaming the user for being a retard.

    Maybe it's just me, but when people hire me as an IT consultant, I generally assume it's because they want ME to take care of the technical details, not blame them for not being able to pass a Net+ exam. Perhaps that paycheck you're earning is so that YOU can handle the complexities of spam and viruses? Just a thought.

  • by countertrolling ( 1585477 ) on Tuesday April 27, 2010 @10:41PM (#32008206) Journal

    If you send out a message to a ton of clients and use CC instead of BCC.... you are in deep trouble.

    Not even nearly as harmful as a crane falling on your head, or some old fart running you down because he hit the gas instead of the brakes. It's not that users aren't ready for computers, it's that computers aren't ready for the users. Cars weren't either until at least the 30s or 40s

  • by Anonymous Coward on Tuesday April 27, 2010 @10:52PM (#32008324)

    It truly has become bizarro world. You need constant access to distractions to not be distracted. And I believe you.

  • Phish them OFFLINE! (Score:3, Interesting)

    by bronney ( 638318 ) on Tuesday April 27, 2010 @10:57PM (#32008370) Homepage

    To test if they're too noobie for the job, design a form on paper that phishes their info. Personal info, more private than your regular form at Burger King. If they fall for it, kindly show them the door. Hire the ones that alert you of the problem.

  • Good Business Sense? (Score:1, Interesting)

    by Anonymous Coward on Tuesday April 27, 2010 @11:04PM (#32008428)

    Let's say I'm in the sales business. Hiring this 1 guy will make me $1,000,000 profit per year. Except he's a total moron with computers. Let's say he needs a full time IT person to make sure he does everything right. That person's wages might be $100,000 per year. That's still $900,000 profit per year.

    How about the incompetent barely managing to justify their own job people? Maybe these people need to be squeezed as the article suggests some remedial courses to be brought up to standards to reduce costs to the corp.

    But I disagree with both. I think we in IT should be implementing systems that eliminate the risks associated with phishing and malware. Principle of least privilege already accounts for the people being knowledge for things software can't fix.

  • by drfreak ( 303147 ) <dtarsky.gmail@com> on Tuesday April 27, 2010 @11:12PM (#32008504)

    Myself, I'm mostly a self-taught computer geek. Many of you are also or are at least aware of acquaintances or friends who get by being self-taught. I've always been a firm believer in competency tests vs. degrees.

    Work experience is another consideration, as I would test the competency of either a grad or a long-running self-taught previous employee somewhere else. The applicant's general knowledge may be good and well documented, but how are they able to specialize when the need arises?

    I was able to get promoted upwards to the career I have now based on the merits of my passion to learn -on the job or not- as well as my ability to apply new ideas quickly. Not everyone is as lucky whether they have the skills or not, which is why I believe a lot of budding IT professionals and/or programmers would get in the door a lot easier with a competency test. On the flipside, maybe less losers would get in the door too. You never know, it could happen. :)

  • by ls671 ( 1122017 ) * on Tuesday April 27, 2010 @11:14PM (#32008524) Homepage

    When working for big corporations, I often have to pass a "computer security and privacy awareness test". It is usually implemented through a web interface with simple radio button forms (multiple choices) and I have to pass it before I can get any access to their systems.

    Trust me, you really do not have to be a techie to pass it but you must know basic principles about internet security and privacy issues, confidentiality and security levels etc.

    The solution seems simple enough; just get a template for one of these tests that pretty much look alike in any big corporation. Such standard tests must be available through the internet.

    Have the candidates pass the test. Also, state strict sanctions for mistakes with regards to not following those basic guidelines and make them clear right from the start, preferably as part of the test. Candidates get the idea that you do not fool around with these topics.

  • by Anonymous Coward on Wednesday April 28, 2010 @04:21AM (#32011140)

    Your post:

    Just because someone is competent with a computer doesn't mean they can't be the vector for an infection.

    From the summary:

    they have no IT expert who would be able to judge a potential employee's competency. I'm wondering if anyone knows of a good way to test these security/safety awareness skills

    That does NOT deserve a +5 Insightful rating, mods. I don't actually see how that post could have been any less Insightful.

    I would recommend they try this:
    On the application, or perhaps on a short written "test" during an interview, ask them some questions like "do you use a gmail, yahoo, aol, etc. email account? If so, please provide user ID and login information here:____" Do the same for social networking sites like facebook, news aggregate sites like Slashdot, etc.

    Any applicant who gives you ANY login or password information, toss their application in the shredder and ask them to leave.
    Any applicant who turns in the paper with blank or smartass comments, call back for a 2nd interview.
    Any applicant who actually tells you, on the spot, that it's none of your business & you can fuck right off, you should offer them the job on the spot.

  • by Anonymous Coward on Wednesday April 28, 2010 @05:54AM (#32011688)

    Sorry, it reduces your exposure, ever so slightly, but isn't enough. (I've done security for large and small companies, intrusion detection, malware, worms, etc. Research, decompiling the little buggers, etc.) I worked for one security company (a major one) in which *they* managed to catch a worm that reamed a chunk of engineering (by the nature of their development, the engineers could not run all the anti-bad stuff software on many of their dev systems.) The worm got in when a marketing guy connected through a VPN to update his security software. Turns out IT didn't have the DMZ for that as tight as they thought. At another site, with more security software than most companies have, a worm managed to ream out the CEO's machine. He turned it on earlier than the AV company released its sigs. It got on to his machine from the chairman of the board (whose machines we didn't control). However, properly preparing the whole network in advance kept the worm on his machine and allowed IT to flash the system all the way down to the firmwares and BIOS, bringing him back up in 20 minutes to where he was immediately before the worm hit him. We later took the worm apart to see how it worked. It was interesting; clever but not brilliantly so.

    There is simply no substitute for a well set up environment. It's a matter of preparing to mitigate the damage that *will* happen.

    All the IDS, Firewalls, user training, AV and anything else will not prevent you from catching something bad. Just set up everything to deal with it.

    I'm really surprised no one has offered insurance for this stuff. Just like in real life, you *will* catch something and it *will* make your systems "sick". And you *will* have to pay someone to fix them.

    Maybe the insurance could cost less if you engage in preventative healthcare from a reputable professional. Of course, they'd have to carry malpractice insurance, like doctors. The company would off-load some of their risk to the insurance company who would off-load some of their risk to trained professionals.

    Anyway, a company should never be using a tool that can easily, through normal usage, cause that much damage. Those are poorly implemented tools.
