According to Symantec's recently released November 2009 State of Spam Report, distribution networks used by spammers abroad are becoming more dynamic as additional broadband-connected targets come online every day. You can be sure that spammers are not sitting still; they have already taken to sending messages directly from infected machines, resulting in distribution paths that are increasingly complicated - and much harder to block.
Beyond the use of more sophisticated spam filtering services or appliances, are there any "best practices" that SMBs can give to their employees to practice safe computing? With the rapidly changing strategies of spammers in mind, top security vendor Symantec furnished some tips via e-mail that small and medium businesses can use to better protect themselves and their employees.
I've attempted to elaborate on these suggestions from Symantec in the same way as earlier "Some Simple Ways" blogs that I've written. Let me know if it works for you.
Spam messages are usually quite easy to identify. But while most users will not bother opening them, training users never to open spam messages or their e-mail attachments is a different matter. Even for seasoned IT users, this habit will eliminate the risk of spammers successfully disguising malicious links or attachments as something harmless.
While the fruitlessness of replying to spam is obvious to IT professionals and executives, the distinction might not be so clear to end users. Impress upon these users that replying to spam merely validates the authenticity of their e-mail addresses. Basically, responding to spam of any kind will likely ensure they get a whole lot more.
The IT department will never ask you for your password or user ID. Human Resources will never ask for personal information by e-mail. If there is a mantra worth drilling into users, this is it. Be sure to teach, reiterate, remind and then repeat the process again. It is imperative to drill this mercilessly into staffers.
This advice might appear counterintuitive at first glance. But think about it: the spam problem would have been eradicated long ago if not for the occasional folks who make purchases based on what they saw in spam. Indeed, a fairly IT-savvy editor once confided in me that he had paid for an antivirus product from a manufacturer recently, only to realize belatedly that it was a scam. Because online shopping with credit cards is so easy, users need to be trained to be extremely skeptical of products and services advertised through unsolicited e-mails.
A relatively easy way to gauge a new staffer's IT savvy is to observe whether they are prone to forwarding those pesky virus hoaxes or warnings of impending computing doom to their colleagues. Not only are precious computing resources wasted when staffers forward these messages en masse, but the forwarded messages can also result in higher false positives or missed spam with some spam appliances.