“We’ve done a pretty good job about teaching people not to open executable attachments in their email”, claims Sophos’ Chet Wisniewski in a recent YouTube video educating users about the dangers of PDF files.
I nearly fell out of my chair. I took that as a general statement about information security and users. While it may be true to say that Sophos has done a good job teaching people not to open attachments, I think Chet was speaking more generally. Isn’t it more true to say that Microsoft changed Outlook’s default security to prevent users from opening executable attachments in email, and that this is what has greatly slowed email viruses?
This goes back to my last post about security awareness training versus security controls. Which is better:

1. Spend countless hours on corporate newsletter articles (that aren’t read), preparing lunchtime brown bags (that are attended by the security curious and not those needing awareness), and require every employee to bill an hour to overhead while taking security awareness training annually.
2. Disable access to executables in email.
Option 2 was implemented because it was a Microsoft default. Security by default is something everyone can agree with, and it hardly cost any productivity: just a few email resends with the file renamed or zipped.
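To make the control concrete, here is an added example (my own code, not Microsoft's or Sophos') of the kind of by-default attachment block the post is praising: parse an email, refuse attachments whose extension is on a block list, and, since the post notes that users simply zip the file and resend, also look one level into zip archives. The extension list is a constructed subset for illustration, not Outlook's full block list, and the sample message and its attachments are constructed inline.

```python
"""Added example (not from the original post): a minimal attachment filter
in the spirit of Outlook's default block on executable attachments."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Constructed subset of extensions blocked by default; assumption for
# illustration only, Outlook's real list is much longer.
BLOCKED_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".msi"}


def _extension(name: str) -> str:
    """Lower-cased extension including the dot, or '' if there is none."""
    name = (name or "").lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def is_blocked_name(filename: str) -> bool:
    """True when the filename's extension is on the block list (case-insensitive)."""
    return _extension(filename) in BLOCKED_EXTENSIONS


def blocked_members_in_zip(data: bytes) -> list[str]:
    """Look one level into a zip archive and return member names with blocked extensions.
    Going beyond the plain-extension check is my own extension of the idea in the post."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if is_blocked_name(n)]
    except zipfile.BadZipFile:
        return []  # not a real zip; leave it to the plain extension check


def scan_message(raw: bytes) -> dict[str, str]:
    """Return {attachment filename: verdict} for every attachment in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        if is_blocked_name(name):
            verdicts[name] = "blocked: executable extension"
        elif _extension(name) == ".zip" and blocked_members_in_zip(payload):
            verdicts[name] = "blocked: archive contains executable"
        else:
            verdicts[name] = "allowed"
    return verdicts


def build_sample_message() -> bytes:
    """Constructed test message: a PDF, a bare .exe, and a zip wrapping an .exe."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "files"
    msg.set_content("See attached.")
    msg.add_attachment(b"%PDF-1.4 fake", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"MZ fake", maintype="application",
                       subtype="octet-stream", filename="setup.exe")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("tool.exe", b"MZ fake")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="tools.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in scan_message(build_sample_message()).items():
        print(f"{name}: {verdict}")
```

The point of the example is the one the post makes: the check is a few lines, runs on every message with no user involvement, and costs nothing beyond the occasional renamed or zipped resend, which is exactly why a default control beats an annual training module for this particular threat.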
Please, no “switch to Foxit” comments.