This week, Symantec released their bi-annual Internet Security Threat report that got a lot of media coverage. What wasn't mentioned in the press was one little statistic buried in the report on page 52.
The report states "During the second half of 2006, 23 percent of the 1,318 documented malicious code instances exploited vulnerabilities." As Brian Krebs noted this week in his blog concerning the report, "Buried in the report was this little gem: Only 23 percent of all malicious software created in 2006 exploited a software security vulnerability. This is a very important stat to consider: By far the most common way that people infect their own computers with malicious software is by opening a virus-laden e-mail attachment or by clicking on a Web link included in an instant message."
This means that, 77% of the time, online attacks are instigated by the user clicking on links or document attachments.
Many experts have derided the usefulness of educating users about not clicking on links in email and instant messaging, or on email document attachments. Their feeling is that people are going to do it anyway and that training won't help. I disagree. It's a matter of magnitude.
For example, let's say that an enterprise has almost no training on email or instant messaging, or that the training was given once when an employee joined the company and has long since been forgotten (which I suspect is the case with most enterprises). The enterprise is relying almost 100% on technology to defend itself. As all sorts of studies show, anti-virus and intrusion detection systems don't catch 100% of the attacks. Users initiate up to 77% of these attacks. Therefore the enterprise will likely be breached when the malware slips under the radar.
Why not reduce the risk of users initiating these attacks by reminding workers of the threats on a regular basis? This can be done with only a few minutes of training at the workers' desktops.
The results? If the enterprise can get workers wary about clicking on unexpected email or instant message links or document attachments, then the chances of a successful security breach drop.
Does this stop all malware attacks? No. However, it does aid in reducing the chances of attacks. Given that the current advantage in technology lies with the criminals, it seems to me that enterprises need to train workers better, more often, to reduce their risk and cost of recovering from malware attacks (generally estimated at an annual cost of $100-150 per PC user).