
Ask Slashdot: How To Communicate Security Alerts?

Capt.Michaels writes: "I need to start sending security alerts and warnings to employees at my somewhat sizable company. My problem: I'm not sure how to send these alerts without freaking everyone out and causing the help desk to get flooded with phone calls. For example, let's take the current Internet Explorer exploit that caused US-CERT to recommend switching browsers. I don't want everyone killing our limited help desk with ridiculous questions like, 'I downloaded $New_Browser, how can I get my toolbar? How do I bookmark things in this browser? Can you tell me which browser you recommend?' Simply put: some vulnerabilities are worth major changes, but many aren't. If we switched software every time a new vulnerability came out, we'd never get anything done. Sooner or later, a patch will come out, and everything will be back to normal. But how do I communicate to end users that they should be aware of an issue and take extra care until it's fixed, without causing panic?"
  • You don't (Score:2, Interesting)

    by Anonymous Coward on Friday May 02, 2014 @02:31PM (#46901445)

    To be blunt, you don't need to tell every employee about every security problem, precisely for the reasons you stated: they'll panic.

    The best thing you can do is to try to mitigate the problem until a fix is available, and then deploy a fix. Mitigation can mean anything from blocking access to the offending program, malicious website, etc., but nothing beats good old-fashioned user education. Instructing your users on safe computing habits goes a long way toward keeping your network secure, and as long as you're not a dick about it, most people will actually listen. There are always those that won't listen or cooperate because 'computery things are your job, not mine', but I've found that those people are few and far between.

  • Re:Don't tell them. (Score:5, Interesting)

    by Tuidjy ( 321055 ) on Friday May 02, 2014 @04:56PM (#46902997)

    They ask. They hear something from their friends and colleagues, and retain a garbled version ranging from "OMG, everything Microsoft needs to be erased!" to "Go to this website and it will fix your IE". If you are lucky, they call you before they try to do something astoundingly stupid.

    I'm the IT director for an aftermarket auto-manufacturer, and we keep our Internet-facing network and our production/POS/ERP networks physically separate. Each of our Internet-facing PCs has IE, and a crippled version of Chrome (same idea as Iron) installed.

    A few nights ago, I ran a script that stored everyone's IE bookmarks in a backup, and overwrote them with a list of fewer than twenty bookmarks, including the company's website, the banking sites for scanning checks, the website that stores our scanned invoices... you get the idea.

    I sent an email instructing them to use IE only for the sites for which there is a bookmark, and use the crippled Chrome for everything else. Last night I restored the bookmarks, and while I was at it, checked a few histories here and there. People seem to have complied with the instructions. I saw only one clear violation, and it was work related, to a website that I may have added to the bookmarks, if I had thought of it.

    Today, according to my assistant, there have been three calls from people who did not get their bookmarks back, and a few from people who did not know about bookmarks before, and now want the 'official list' back.

    All in all, I'm glad how it went.
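
A sketch of the backup, overwrite and restore cycle described in the comment above. This is an added example, not the commenter's script: the function names, the backup location and the example.com URLs are assumptions, and it handles one user profile at a time.

```powershell
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# Constructed allowlist (placeholder URLs): the sites users must still open in IE.
$ApprovedSites = [ordered]@{
    'Company website'  = 'https://www.example.com/'
    'Check scanning'   = 'https://bank.example.com/'
    'Scanned invoices' = 'https://invoices.example.com/'
}

function Lock-Favorites {
    param([string]$FavoritesPath, [string]$BackupPath,
          [System.Collections.IDictionary]$Sites)

    # Refuse to run twice: a second run would overwrite the real backup
    # with the already-reduced list and lose the user's bookmarks.
    if (Test-Path -LiteralPath $BackupPath) {
        throw "Backup already exists at $BackupPath; restore first."
    }
    # Move the user's favorites aside, then recreate the folder empty.
    Move-Item -LiteralPath $FavoritesPath -Destination $BackupPath
    New-Item -ItemType Directory -Path $FavoritesPath | Out-Null

    foreach ($name in $Sites.Keys) {
        # An IE favorite is a .url file in INI format.
        $target = Join-Path $FavoritesPath "$name.url"
        Set-Content -LiteralPath $target -Encoding ASCII `
            -Value '[InternetShortcut]', "URL=$($Sites[$name])"
    }
}

function Restore-Favorites {
    param([string]$FavoritesPath, [string]$BackupPath)

    if (-not (Test-Path -LiteralPath $BackupPath)) {
        throw "No backup found at $BackupPath; nothing to restore."
    }
    # Drop the temporary list and put the original folder back.
    Remove-Item -LiteralPath $FavoritesPath -Recurse -Force
    Move-Item -LiteralPath $BackupPath -Destination $FavoritesPath
}

# Usage (per user profile):
# $fav = Join-Path $env:USERPROFILE 'Favorites'
# $bak = Join-Path $env:USERPROFILE 'Favorites.alert-backup'
# Lock-Favorites    -FavoritesPath $fav -BackupPath $bak -Sites $ApprovedSites
# Restore-Favorites -FavoritesPath $fav -BackupPath $bak
```

Both functions throw instead of guessing when the backup is in an unexpected state, so a profile that fails to lock or restore shows up as an error that can be followed up before the user calls the help desk.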
