I got a call from a reporter this week asking me about the Conficker virus. "Are you prepared?" "What do you think is going to happen?" "How widespread is the virus?" "Why is April Fool's Day important?"
I went through all of the mechanics of how we get A/V signature updates and how those updates get pushed to all of the computers in our environment on a regular basis. I also said that there's a history of people planning bad things on days that have some significance, and the irony of April Fool's Day was just too rich. I then explained to him that it's our job to deal with this kind of thing every day; Conficker was just getting more attention than most. I told him that bad guys and bad things are attacking us 24/7/forever from across the globe, so it's our job to be ready for a Conficker every day. He kept asking if we were 100% sure that we wouldn't have any virus infections. This is the hard part - when you have to explain to someone that, in our business, you never achieve 100%. There's always a machine somewhere that didn't get patched or didn't get the update for a variety of reasons, and it only takes one, like the well-worn weakest link analogy.
As I thought back on it later, the conversation reminded me of something a friend said a while back after a big security incident made national headlines. The company had done all the right things, had all the right policies, and trained all of their people. They did, however, miss one computer when configuring the OS to disable USB ports. Guess which computer a malicious employee found to steal and download customer PII to a USB hard drive? Yep. My friend said, "This is the perfect example of how even 1% non-compliant equals 100% vulnerable." So true.
When the reporter saw that there wasn't a huge, gruesome story just aching for media attention (not yet anyway), he lost a lot of interest and said he'd call me back if anything came up. This got me thinking, and not for the first time, about how so many in the general public have so little understanding of the cybersecurity problems we all face. I used to think it was a generational issue that would be solved by time, but I'm not even sure about that anymore. While we can't ever stop educating, I also don't think there will ever be a general understanding of security problems.
What do you think? How can we help the general population understand the power they have over managing their own computers to prevent things like Conficker? That's a hard one, huh? Anyway, keep your patches up, and here's to a Conficker-free week and a quiet April Fool's Day.
I'm inclined to agree with you, Mark. I try to explain to people both in my organization and without about just what it is that I do and why it's so important, and I generally get blank stares in return. It's not until people are affected personally that you start to see some glimmer of understanding and appreciation shining through.
Alas, I fear this will always be our great lament and our ongoing quest. Perhaps as more and more people feel the emotional and financial pain of identity theft and being the victims of fraud, the job of educating folks will get a little easier. Too bad it takes that kind of lesson learning for the message to sink in.