'Dumb' users spread viruses - official

Don't worry about the hackers - it's your friends…

By Ron Coates, 6 February 2004 16:05

NEWS Complacent and 'too-busy' users are responsible for the rapid spread of viruses, according to a study released Friday.

The 'nothing to do with me' mob are the major offenders, making up 90 per cent of the 1,000 UK employees surveyed. This vast majority believe that they have no part to play in preventing the spread of viruses, and that it is the responsibility of the IT department, Microsoft or the government.

Steve Brown, UK MD of network and security outfit Novell - which sponsored the report - said: "Viruses only work if there are people dumb enough to open them and pass them on."

But that's OK - almost two thirds (60 per cent) aren't aware of even the most basic virus-protection methods and one third claims to be too busy to bother - even if they knew how.

As an email recipient, being 100 per cent sure of the identity of an emailer isn't much protection - 58 per cent of your friends and colleagues will forward you spam without a thought, according to the survey.

More than half of those (over a third of the total) will already have verified their company, or their own, email address, by responding to spam.

And phishing is a concept unknown to the vast majority, though this may not matter too much to more than half of them - they can't even remember their password. Many of the rest can't wait to give it to all the world - one third write their passwords down and one in ten put it on a Post-It note on their desk.

Brown said: "We didn't know what to expect when we commissioned the survey. What surprised me was the lackadaisical attitude - most of them said that they would 'not be particularly bothered' by an attack, and only five per cent would feel bad if they helped spread it."

And he was concerned that the old chestnuts of multiple passwords and difficulties in distributing patches and updates were still a major problem. He said that education and training would gradually help to alleviate the problem, given the use of adequate systems.

Comments

There are 38 comments.

  1. Jim Winski

    I think it's unfair to mock the typical user, the 90% in the survey, by making them out to be ignorant folks. You say that they rely on Microsoft, the government and their IT department to prevent the virus attacks. In reality, if Microsoft and their IT departments were to do their jobs well, the end user would never have to worry about viruses.

    Perhaps part of the IT department's job should be education. If a user does not realize that they are part of the problem, or if they don't know how to do their part, then I don't see how you can blame them.

  2. anonymous

    I agree wholeheartedly. I sometimes think people should get a license to get on the internet just as one needs a license to drive a car. It takes a certain level of intelligence and common sense. I have been forced to ask many friends to remove me from their lists because they persist in sending dumb chain emails with my email address in the "TO" line with 100 other names. To be forwarded indefinitely into perpetuity, harvested by spammers. What can we do?

  3. anonymous

    Saying that viruses are the responsibility of 'dumb' users is kind of like blaming rape on women who go out at night. "It's the criminal's, stupid!"

    Let's keep the focus on the right place, and maybe we can do something about it. Make it harder to infect a system with viruses, and tougher punishments for the virus writers. Let's not go off topic about the people who are actually the victims.

    The folks writing these kinds of irresponsible blame pieces need to take a vacation back in the real world.

  4. Jim Wood

    Interesting results, but what were the questions? Where can I find the Novell report?
    I'd be interested in running the same set of questions past our employees.

  5. anonymous

    Surely the ISPs could take a more active role in reducing the amount of viruses by killing those passing through their servers.
    During a previous outbreak some ISPs actually stopped users connecting until they had disinfected their computer when they were found to be inadvertently transmitting it.

  6. Malcolm Ripley

    "That old chestnut" has a tone that implies the user is at fault for not remembering multiple passwords. Let's refresh our minds here for systems I use: at least 8 characters, mix of upper and lower case, must contain at least one non alphanumeric character. In other words something obscure which by its very nature as a "safe" password is nigh on impossible to remember unless you use it every day. If you have 5 or six such passwords then forget it.

    The problem with email is the software with its default settings and ability to allow attachments with viruses to be opened so easily. I'm not going to name names but we all know.

    Finally a computer is now a necessary tool in most peoples' jobs. It no longer requires a degree in computing to work them, in fact software increasingly dumbs down the required knowledge base. However, the necessary checks and balances have not been added to the dumbed down applications. Just wait until every phone and networked PDA becomes a source of viruses within the next couple of years! You can probably add cameras to that list in about 2006.

  7. John Clemence

    Wouldn't it be nice though if the computer industry (in its widest context) took the same view as most other producers of home goods. Why should the general public expect to have to spend time (and money) maintaining, upgrading or repairing this particular household item any more than they do the television, the fridge or the telephone?
    Yes, of course things can break down and regular servicing can help - in the case of 'on-line' computers this should be automatic and transparent to the user, not the subject of an evening's tinkering once a week.
    Just because a lot of us original and early ICT adopters still enjoy this sort of thing we shouldn't assume that this is the norm or indeed, that it is still an acceptable way to run an industry.

  8. anonymous

    Protection against viruses is the responsibility of you, the end user. It is not the responsibility of Microsoft, the government or the IT department as they are not the users of the machine.

    I have anti-virus software running on both my work machine & my home machine, and I update both of them 2 or 3 times a week without fail.

    Which would you prefer - spending 5 minutes a week installing/updating your anti-virus software, or spending a few days without a pc or your data due to a virus protection???

  9. Eur Ing Christopher Thoday

    Users are absolutely right to blame Microsoft and the Government. It is about time the software engineering profession blew the whistle on this nonsense.

    Microsoft Outlook and Outlook Express are designed to execute programs from within an email message. This gives the sender of a message the ability to execute a program on the recipient's computer without their permission. Microsoft should be required to disable this facility immediately.

    Other products with a fundamental design flaw would have been withdrawn from the market long ago. Since this software is clearly not fit for purpose why is the Sale of Goods Act not being applied?

    Also, since the NHS is one of Microsoft's largest customers the government should require that Microsoft fix this fault in all copies of Outlook and Outlook Express which they have purchased.

    A further design fault in these mail clients could, if corrected, dramatically reduce the problem of SPAM. Just answer the question: why are the mail filters not effective on SPAM? Patent not applied for.

  10. anonymous

    With email generating viruses like My Doom it is not necessary for dumb users to do anything for it to spread.

    Email addresses are collected and used to bulk email messages from computers which are set up for the purpose. This is repeated many times and the addressee's name may be changed on successive mailings. Email addresses are also generated from domain names so that messages will be sent to Jim@xxxxxx.com, fred@xxxxxx.com, etc.

    On receipt messages with false addressees will be rejected by the email client software and a rejection message sent to the apparent sender which further clutters the email systems.

    Any email containing the virus will also be rejected by AV software and may also generate an auto response.

    The attack is double edged. It generates spam while also attempting to spread the virus.

    The easiest way to defeat a virus which steals addresses from your address book is not to use one. Mine is empty!

    There is no substitute for good ASV software and I am currently using AVG, which is an excellent free service. www.avg.com

  11. anonymous

    At last the truth is out. Us IT professionals have known this for a long time because we have to deal with these so called 'dumb' users. Education is the key, but how do we reach the millions with clear and simple advice and instruction? Perhaps that large operating system monopoly should have been doing more?

  12. Cameron McLellan

    I agree with Jim Winski to a certain degree, if IT Departments DID do their jobs properly then we would see far fewer outbreaks. Unfortunately there is always the 'X' factor or the User to contend with, some users just refuse to follow standard procedures when it comes to email & the internet. I do think that ISPs could do much more to prevent the spread of viruses.

  13. anonymous

    I'm a typical user. Not only do I have an anti-virus program, I've got a trojan detector and firewall, and anti-spam on my pc. Not had one virus.

  14. Ed Webb

    End users cannot be complacent or "too busy".
    The criminals _are_ ultimately to blame but that does not mean you can ignore basic security.
    I own a car, a house and a computer. I would not dream of leaving the first two unlocked with the keys in the door. Why people believe others are responsible for the security of their computer is a mystery to me.
    Buy a lock for your front door, buy an immobilizer for your car, buy a firewall and virus scanner for your computer.

  15. anonymous

    I think that training and reminding users is a large part of the key. During the Mydoom outbreak, every single one of my users asked "What are we looking for if it comes in?". What more could an IT department ask for!!!

  16. anonymous

    Users of email are not "dumb."

    I agree that most people don't understand how they are being used to spread viruses. But it's attitudes like the Novell executive that really baffle me.

    They think their users are "dumb"? Us IT executives and programmers are the dumb ones, because we don't put ourselves in the place of a typical user. It's a shame that with all the years that the industry has had to work on things that there is still such a long learning curve for a person just to get to know how to use some of the most basic types of programs like email. Most end users are too busy making a living in THEIR profession (where by the way, many IT professionals who think these people are "dumb" couldn't understand half of what those customers do without a learning curve as well), to be concerned about how to use email. Many of them are getting along fine without email and other computer applications.

    We need to stop thinking of victims of spam as dumb and come up with a solution. We're the dumb ones who made the applications so easy to exploit.

    Education will help but there are probably better answers in the design of programs. I'm still waiting for a computer that turns on as fast as every other electric appliance in my house, like my tv or radio. When is someone going to figure that out? "Oh, that's impossible because it has to boot up through all that information." Maybe we're still too "dumb" to figure out a way to do it.

  18. anonymous

    One poster below compared security on your computer to "locking the door on your house or car?".

    Please, get a clue? It doesn't take a week's worth of training to learn how to turn a key to lock up my house or car.

    When will we wake up in this industry. There are a lot of smart IT professionals, but we keep thinking in our own terms and insulting the majority of people in the world as "dumb."

    This is our challenge.

  20. anonymous

    First, I cannot believe the number of ignoramuses that identify themselves as IT professionals in their responses. Second, the same people have gone on to post sort of 'red-herring' responses with respect to the message carried in the article.

    A large part of our problem these days involves people that have neither the skill to read properly, nor the skill to properly comprehend that which is being said!

  22. anonymous

    An address book with no addresses in it. Brilliant! At last an end to email viruses. Why not just unplug it and never use your PC again? Guaranteed no viruses. Perhaps the software manufacturer shouldn't leave large holes in their operating system which need to be continually patched to prevent people exploiting them.

  23. Homer Simpson

    I think the responsibility is shared between users, software companies, ISPs and IT departments. The user is ultimately responsible for their own PC. However, they need to be educated and supported by their IT department or ISP. Over time we should expect the software companies to make software that better protects us (AV, OS and email). Years ago, I had an unprotected machine get infected by a virus. It was a horrible experience. The lesson I learned is that even one machine in my network unprotected is unacceptable. For workers, IT departments must provide AV software and basic education. AV software that updates automatically is critical; depending on busy people who don't consider it a priority to manually update is not a good plan. For consumers, we should hope that ISPs could fill the gap for now by at least offering AV software, if not requiring it. There are decent free AV packages out there, and the premium ones aren't that expensive considering the pain of cleaning one or more computers. It would seem to make sense that protecting customers and their happiness would be good business for ISPs. But even with all of this "recommended" help, the user is ultimately responsible for their PC.

  24. Diane

    I don't think that using the word 'dumb' was appropriate. It's so easy to pass the blame...
    Spam is a very big problem and it is getting worse on a global scale.
    What about pooling resources to try and deal with it with all ISP companies, Microsoft etc? If there can be a way of effectively dealing with 'spammers' it's a start. Eur Ing Christopher Thoday made some valid comments in his reply to this article. It would be nice to hear what Microsoft, ISPs etc thought about this...

  25. anonymous

    Who is Ron Coates with his techie tabloid pulp headline? I expect Steve Brown to take a somewhat less than disinterested stance. After all he is part of the know-all IT industry establishment but a silicon.com reporter needs to be a bit more professional about how he uses the word "official" in a headline - "officious" would be nearer the mark.
    Anyone who takes such an overall swipe at your average user is not really in the real world of work where what the boss says about "Do it now!" takes precedence over the best laid dictums of Microsoft, techie hacks and others about how to "Do it perfect".

  26. leia jacobs

    Dumb users keep my consulting business booming. The average virus infestation takes about 4 hours to completely clean.

  27. anonymous

    Nowadays Email is a basic office tool and the ability to use it sensibly should be a basic office skill. The 'it's not my fault I didn't know' attitude is no more acceptable than 'it's not my fault, I can't read' would be.

  28. Dave Beall

    I am a so called dumb end user. That said, I am learning. However, I subscribe to several daily IT NEWS letters just because of my interest in IT. Without these daily news letters, I would not have even heard of my doom or any other bad stuff. OK, with no knowledge of such attack, would I open an attachment? Probably.....Glad to say that is not the case, I run AV, Firewall and router. The problem now is how to tune things. NO ONE EXPECTS criminals to exploit this amazing thing we have...the net...I think the programmers are part right and part wrong in their thoughts. I know that most programmers and IT people do a great job with the tools and resources they have. This IS a job for ALL of us!

  29. anonymous

    An empty address book is brilliant!!

    It does cure the problem of stolen addresses from that source at least.
    My address book is manual and separation of data from function is one of the best security protection devices. It just means a bit more typing.

    If I really need an online address book, it can be a document file, or the addresses can be stored in a separate contact manager, which calls the mail client when required. It is address books which are embedded in MS software which are vulnerable.

  30. MOLIOLIOI

    Symantec AV Enterprise edition 8 has dealt with mydoom very well.

    I have administered several IT systems over the years. In my experience it is usually sales reps and sales oriented staff who shirk all responsibility for IT and it is invariably them that are the weakest link. I have lost count of the times I have explained not to open dodgy attachments, and if at all unsure of its origin to come and get me. I have explained that to view an attachment you should save it to disk and scan it. Once infected they always give you the same response - *in a disgruntled voice* "I thought we had an anti virus system that is SUPPOSED to do it automatically." They know they won't be disciplined for allowing a virus outbreak and they have no intention of learning how to stop them and less of actually putting it into practice, but they're the first to complain when the system is down for half a day while I have to go round inoculating all the machines due to their apathetic attitude towards their computing responsibilities. They are not interested in work operations and procedures just targets and deliverables. Unfortunately that is not the attitude of a responsible computer user. I liken it to driving without looking in your mirrors because you think people should drive safely anyway.

    Engineers, draftsmen, accounts workers, designers, receptionists and technically minded managers I have not had problems with and are in some cases very pro-active in helping me with AV procedures.

    I like the internet license idea. Not sure how you would implement it though!!

  31. anonymous

    There are 2 users.
    1. User who wants to learn how to operate a computer, listens and understands what someone is trying to tell them.
    2. User who doesn't care and doesn't have time to learn how to use a computer properly and responsibly.
    People need to take initiative and pay attention to what they are doing.
    Some businesses who lose millions of dollars because someone is clicking everything on the screen will think it's very fair to mock the typical user.

  32. anonymous

    If they'd only use Macs....

    But then if they're dumb enough to use a PC they're dumb enough to spread a virus!

  33. anonymous

    Isn't it about time Windows came with antivirus built in?

  34. anonymous

    Yes I agree the average user and even the daily user just don't get it.

  35. Iain Mould

    In response to the mac user...

    If everyone started using Macs instead of PCs then all that would happen is that the virus writers would start to target Macs instead of PCs. I work as a PC technician and as such spend most of my day removing viruses off people's PCs whose only complaint is that it's running a bit slow. If everyone installed and maintained anti-virus software the spread of viruses would not get very far.
    Owning a PC is more like owning a car than a TV or Fridge. You don't expect a car to fill itself with petrol, water, check its own brakes, tires etc. Or expect the manufacturer to appear in the middle of the night to service it (for free), so why do PC users expect their PCs to run without problems without some basic maintenance?

  36. Gerard Chadwick

    A Novell survey saying users point the finger at Microsoft, Hmm interesting. Who was surveyed, Novell users.

    It is first and foremost the IT department's responsibility to protect the system from any kind of attack. Patch management is a necessity, and there are plenty of tools available to help in this area.

    Then, ongoing user education will help provide the best defence against virus spread.

  37. Aaron D. Campbell

    I think that this has hit the nail on the head. I see that some people are upset that this blames the end user. They say that if MS, the government, and IT directors did their part, that there wouldn't be a problem. As an IT director I can tell you that it doesn't matter how much these people do. If the end user doesn't listen, there WILL be a problem.
    The statistics are staggering, but not surprising.

  38. Marie Bissette

    I am constantly amazed by the employees in my office who claim that they did not open an email message with a virus and then find that it has "bloomed" on their computer dozens of times and sent itself repeatedly to all their email clients. I heartily agree with this study, because these same people often blame someone else for infecting their machines.
