The success of the email-delivered “Here you have” worm that clogged email systems on Thursday, despite the usual misspelling, grammatical, and punctuation errors, seemed to bewilder many in the security community. Frankly, I’m surprised that the community was surprised.
It seems to me that any security honcho worth his salt (someone who makes a point of getting out in the field occasionally to observe user behavior) would be more than aware that, despite constant warnings NOT to click on embedded links, the majority of users blithely ignore this critical advice.
The following are a few comments I heard at a meeting over the weekend, during which “here you have” was a topic of much discussion.
“Social scientists need to sit down with a group of these dumb dicks who clicked on the link in this email, and study their behavior.”
“Most users continually show that they are morons. They can’t follow the most basic instruction – DON’T CLICK ON EMBEDDED LINKS!”
“Users who fell for this, and who caused so much disruption in their organization, should be restricted to a pocket calculator on the job.”
The comments might sound slightly edgy, but when perceived stupidity costs money, “edgy” might be at the lower end of the spectrum. And there are costs – direct monetary costs that a company will be forced to deal with following penetration of a company system caused by irresponsible employee behavior.
So, what do you think the costs to an organization might be, where employees fail to follow common sense rules when interacting with the Internet, particularly social networking sites?
Panda Security, which today released the results of its 1st Annual Social Media Risk Index for small and medium-sized businesses, may well have one answer.
In this survey of 315 US small and medium businesses (up to 1,000 employees), which focused on the month of July, 2010, Panda found that more than a third of surveyed companies that had been infected through employee interaction with social networking sites reported losses in excess of $5,000.
I was not at all surprised to see that Panda found that Facebook was cited as the top culprit for companies that experienced malware infection (71.6 percent) and privacy violations (73.2 percent).
I was, however, surprised to see this – “we were pleased to see that the majority of companies already have formal governance and education programs in place. These types of policies combined with up to date network security solutions are required to minimize risk and ultimately prevent loss.”
A confused observation in my view, given that the facts show these “education programs” are NOT working.
Additional survey facts:
Thirty-three percent of SMBs have been infected by malware propagated via social networks; 23 percent cited employee privacy violations on popular social media sites.
Thirty-five percent of SMBs infected by malware from social networks have suffered financial loss.
Facebook takes top spot for social networking-related malware infections, followed by YouTube and Twitter.
You can find the complete survey here. Or, you can view a slideshow on the study’s results here.
About Panda Security:
Founded in 1990, Panda Security is the world’s leading provider of cloud-based security solutions with products available in more than 23 languages and millions of users located in 195 countries around the world.
Panda Security was the first IT security company to harness the power of cloud computing with its Collective Intelligence technology.
For more information, visit Panda US.