Along the theme of a previous blog "Are users really to blame for poor security", the "geniuses" in IT are at it again. They're spending valuable business resources to craft a fake e-mail virus to "test" which users are going to be fooled into double-clicking it. I just wonder what they would actually do with such information. Are they planning to call those users stupid or are they planning on going to HR to demand that someone gets fired? Hey, I have an idea, how about if we fire the dope that has nothing better to do than to play some childish game of "gotcha"? There is simply no way an end user should ever be expected to know what they should click or not click -- especially if it's coming from the IT department itself.
As someone who works in IT, I can certainly sympathize with the daily problems that IT departments face. But experience tells me that social engineering almost never yields anything better than a 50 percent success rate -- and at a great expense to boot. What does work more than 99 percent of the time is to implement the proper anti-virus defenses at the HTTP, FTP, and SMTP gateway, which I've been saying for over three years. From a cost standpoint, it's much cheaper than putting out the fires daily, not to mention the loss in productivity.
What do you think? Do I have a point or am I way off base? Leave your comments in our new talkback section.