Communications Security IT

Ask Slashdot: How To Communicate Security Alerts? 84

Capt.Michaels writes: "I need to start sending security alerts and warnings to employees at my somewhat sizable company. My problem: I'm not sure how to send these alerts without freaking everyone out and causing the help desk to get flooded with phone calls. For example, let's take the current Internet Explorer exploit that caused US-CERT to recommend switching browsers. I don't want everyone killing our limited help desk with ridiculous questions like, 'I downloaded $New_Browser, how can I get my toolbar? How do I bookmark things in this browser? Can you tell me which browser you recommend?' Simply put: some vulnerabilities are worth major changes, but many aren't. If we switched software every time a new vulnerability came out, we'd never get anything done. Sooner or later, a patch will come out, and everything will be back to normal. But how do I communicate to end users that they should be aware of an issue and take extra care until it's fixed, without causing panic?"
  • My thoughts. (Score:4, Insightful)

    by TMYates ( 1946034 ) on Friday May 02, 2014 @02:30PM (#46901427)
    In the case of the browser, there are a couple of things I would have done:

    1) IT should have selected a viable alternative. Whether it is Chrome, Firefox, etc... IT should be deciding on one to use. You are right in not wanting to bog down the help desk with these calls. By selecting one you can send a message out to your users stating that to improve security, reliability, and performance of your system, we will begin rolling out a new web browser for everyone to use. Be sure to include time for a quick training session. There are various methods for pushing software out behind the scenes as well to install it without bothering many of the workers.

    2) Used something like Group Policy to push out the workaround and disable the DLL in question. This could have easily been done using a login script or GPO. Then you could sit tight waiting on a patch for your existing browser. You may still want to remind everyone to be on the lookout for anything suspicious and report it should something happen.

    The sad fact is that nothing is bulletproof. It could just as easily be Chrome or Safari next week. Don't forget Safari had a nasty SSL flaw not too long ago too. You are right in not wanting to scare your users, but that is where I say you need to put effort into education on the basics of security. Let them know you have their back. And above all, be creative.
  • by CanHasDIY ( 1672858 ) on Friday May 02, 2014 @02:44PM (#46901605) Homepage Journal

    All your issues can be addressed with 2 things - an email to employees that explains everything they need to know about the security update, and a security policy that prevents the installation of unauthorized software.

    Then, for the handful of dumbasses that will ignore the email, try to install an unapproved browser, then call your helpdesk, they have the ammo they need to politely inform the user that if they like getting a paycheck, they should read their messages and abide by the computer usage policy*.

    * Save veeps and members of the board, since they not only believe that company policy doesn't apply to them, but also have the ability to fire you. But that's, like, maybe 20 people, so not a big deal.

  • huh? (Score:5, Insightful)

    by Charliemopps ( 1157495 ) on Friday May 02, 2014 @02:53PM (#46901677)

    Is this even a question? If the IE bug isn't important to you, and you don't want people switching browsers, then why the hell would you communicate the bug to anyone? You should only be sending out notifications if your users need to take action or you're trying to communicate an outage. If your email consists of "There's this problem you don't need to do anything about..." then you're wasting their time and they will quickly learn to ignore your notifications.

    Users do not care about security issues or bugs. They want you to tell them if they need to do something. Otherwise leave them alone. If you have a few users that are worry warts and want to know about that thing they heard on the radio this morning, start a wiki page and just post it there. They can come and look at it if they have questions. But I'd avoid that. Documenting the reasons for your lack of action on a security issue is not a good idea. You may very well have good reasons, but uneducated poorly informed managers can make your life miserable if the bug ends up costing the company money.
