Training the office to avoid malware. Is it worth it?

Our new office antivirus software makes it pretty easy for me to determine the website from which a user downloads malware. It occurred to me that I could make an effort to train the office staff how to avoid malware. This is especially true if I could point to a couple URLs and say, "This is where your bugs came from." Here's the question: Is it worth it?

I could see doing this only for malware that my antivirus software assigns a severity of high.
Are my office staffers, however, simply going to go to the sites they want to go to? In other words, will my warnings fall on deaf ears?
I also want to avoid the appearance of being "big brother." We run a pretty informal office. I have no interest in knowing where staffers browse (nor does the office manager).

Training the users is certainly worth it, but in my opinion it's not really about which specific URLs are bad and which aren't. It should be more about the general behavior of the users, and about using their common sense. For example, not clicking on everything you can click on, or not using insecure browsers like IE, but rather Firefox.
Hello jdana,

You have implemented security, which is step one, and training is critical to avoid complacency or bad practice. It is not a big brother thing you are trying to implement; more so, it is awareness of risk associated with habits in this nil standards world we currently work in.

I use MS Security Essentials, which is good enough for most things, but it, like any virus software, does not always tell you what is affecting your system. I find blocking programs like internet security packages generally ask too many questions about files and eventually cause complacency in the user. E.g., you get sick of making decisions about whether or not you should allow something to enter or run, and you end up allowing something to run and be permanently allowed based on the app that provides the decision options.

My policy is to run a FULL scan, at least of your C drive, after you have been on the web a lot and have had a lot of popups based on your browsing activities. First, dump the cookies and history of all browsers you use. Then run a full scan. Ensure the documents and files that you have received are also scanned, e.g. located on your data drive D.

Once you are cleared, you can proceed to access banking portals etc. It doesn't matter what software you use; I have seen even the best ones pick up a virus at least 3-5 years after it was stored...

Finally it comes back to the user to make the decisions about their system security.  Computers are not that smart!  There are too many sites that yield malware and you would not be able to stop them all.  At least staff vigilance and understanding may help them work with each other to minimise risks.   No company = no they have a vested interest

Hope this helps.
What if your words perfectly reached people? Would that satisfy your security needs?
Let's say you could reduce infections by 50% (which would be an enormous victory in the first place) - that would still be too many for me.

Either we risk losing the company's know-how or we reduce the comfort dramatically and trade it in for security. There is not much in between. Users will never be smart enough to keep up with the security problems they face.

Think about adopting technical measures that really work: use AppLocker or software restriction policies. Abandon "direct" internet access but use a RemoteApp browser.

I am sorry. I believe the probability is high that your warnings may fall on deaf ears and you may be perceived as a "wise guy".

Again, sorry.  :-(
Rich Rumble (Security Samurai) commented:
It's been proven to be NOT worth it, but you do have to look like you're doing something, so often, that is the something people try to do. That is not to say it won't help you here and there, you could certainly see a reduction, but that is about all.

The problem isn't so much user education, or the lack thereof, it's that even legitimate sites and browsing activity can be compromising. You have to practice defense in depth, and start at the root whenever possible.

The root turns out to be the rights the users have. If they are local administrators, anything that gets through all your best defenses is now a local admin too. You have to remove the admin rights. It might not be the first thing you do, but make sure that is the goal you are working toward.

I have a client with 3000+ workers, no admin rights, no installed antivirus, and no infections. It's unique, not everyone can do it, but there are layers of security. A proxy with AV scanning everything in/out. No egress unless it's through the proxy. Computers are scanned nightly with AV remotely and with the OS turned off (PXE booted). Users do not have IE as a browser option, only Chrome and FF, M$'s EMET and lots of security settings so the users can't store anything or plug anything into the computers.

There are pop-ups and something adware-like crops up on a daily basis, but not much more than that. Again, that's an extreme case, but one I saw through to the end and still maintain. Makes being audited for PCI/SOX tough every year, explaining no one has AV installed on a Windows machine, but they pass nonetheless.

If you're going to use IE (please avoid it, esp. if admin rights are involved) make sure you have the SmartScreen feature enabled. You can test it by going to the M$ hosted site called If it's enabled you'll see a warning, if it's not, just a page with an icon saying "malicious ad".

Firefox and Chrome have the same kinds of tests you can try (Chrome no longer recognizes...)

I really like AV scanning proxies, but you have to force users on to them, and make sure there is no other egress for http/https traffic. Proxies don't work with 100% of the traffic, so there are going to be by-passes or white-list that will be allowed to by-pass the proxy.
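The "no egress unless it's through the proxy" rule from the post above can be checked against firewall logs. This is an added example, not part of the original thread; the log format, addresses, proxy IP and allowlist are all constructed assumptions.

```python
import ipaddress

# Constructed sample log; assumed format: "timestamp action src_ip dst_ip dst_port"
SAMPLE_LOG = """\
2024-05-01T09:00:01 ALLOW 10.0.0.5 203.0.113.10 443
2024-05-01T09:00:02 ALLOW 10.0.0.21 198.51.100.7 443
2024-05-01T09:00:03 ALLOW 10.0.0.22 192.0.2.50 80
2024-05-01T09:00:04 DENY 10.0.0.23 198.51.100.9 443
2024-05-01T09:00:05 ALLOW 10.0.0.21 10.0.0.5 8080
2024-05-01T09:00:06 ALLOW 10.0.0.24 198.51.100.7 25
garbage line
"""

# Hypothetical site configuration (assumptions, not from the thread)
PROXY_IPS = {ipaddress.ip_address("10.0.0.5")}          # the AV-scanning proxy
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")       # office LAN
BYPASS_ALLOWLIST = [ipaddress.ip_network("192.0.2.0/24")]  # approved proxy bypasses
WEB_PORTS = {80, 443}

def find_proxy_bypass(log_text, proxies=PROXY_IPS, allowlist=BYPASS_ALLOWLIST):
    """Return (findings, skipped): allowed outbound web connections that did
    not originate from the proxy and are not allowlisted, plus the number of
    unparseable lines."""
    findings, skipped = [], 0
    for line in log_text.splitlines():
        try:
            ts, action, src, dst, port = line.split()
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:
            skipped += 1          # count bad lines instead of hiding them
            continue
        if action != "ALLOW" or port not in WEB_PORTS:
            continue              # blocked, or not http/https
        if src_ip in proxies or dst_ip in INTERNAL_NET:
            continue              # proxy's own traffic, or internal web traffic
        if any(dst_ip in net for net in allowlist):
            continue              # documented bypass
        findings.append((ts, src, dst, port))
    return findings, skipped

if __name__ == "__main__":
    hits, bad = find_proxy_bypass(SAMPLE_LOG)
    for hit in hits:
        print("direct web egress:", hit)
    print("unparseable lines:", bad)
```

Any hit means a workstation reached the web without passing the proxy, so either the firewall rule is too loose or the allowlist is missing an entry.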

jdana (Author) commented:
Great discussion guys. I have to admit that I agree with aadih. I tried to police the office more and fellow office mates began referring to me with terms much nastier than "wise guy." Lots of good advice.
Great. Any advice is only as good as a good listener. :-)