Originally posted here by Tiger Shark
.... there is nothing that grabs the attention of the users like a quick "public" firing for breach of computer policies and a regular letter to everyone making it quite clear that you monitor and log their every move......

Another little tactic I really love.... .... is seeing someone doing something just a little out of line like getting blocked trying to get to their AOLMail and doing a little net send saying:-
Allow me to differ on both points.

Suppose you have draconian rules, which everyone has read and signed, etc., etc.

Now we all know that people are going to break those rules:

Fred surfs to some dodgy sites, downloads and runs a 'fantastic new game' which infects his computer and begins spreading itself via email to the addresses in his contacts list.

So a quick public firing happens, and everyone is well behaved for a couple of months.

Two months later John does something similar and realises that his machine is propagating viruses. Now he knows that if he says anything he's going to get fired, so he says nothing and waits for someone else to point it out.

This isn't what the security folks want: they want to know straight away when a problem occurs, so that they can shut down the mail server, pull the network cable from the problem PC, etc.

The other issue is social engineering: a good SE attack begins by gathering knowledge about the target and using it to best effect.

Bert, who has a problem with his Excel spreadsheet, decides to post to a Usenet newsgroup using his work email address: [email protected]

Joe, an aggrieved customer of HisCompany, is plotting revenge and is searching the newsgroups for '@hiscompany.com' when he reads the article about the Excel problem. Joe begins a dialogue with Bert to fix his problem, which results in Joe sending Bert a spreadsheet with malware attached, thus gaining control of Bert's machine, wreaking havoc and bringing financial ruin to HisCompany.

Encouraging employees to use AOL and other external mail accounts for anything not directly work related reduces the risk of offensive material within the organisation and also helps to keep the information that can be gleaned about a company to a minimum.

So what does this mean for the rules?

It means rules, signed or otherwise, are not an answer to an organisation's IT/IS security.

IS/IT security is a business issue, one that requires the whole business to be involved and everyone to be educated to understand the risks they take every time they use their PC.

But as far as the bosses are concerned, it's easier to send out the 'rules' to people and assume that's the problem solved.

Just my 2c

Steve (Consultancy fees are £750 per day if you want your business educating.)