Do you remember the good old days? Innocent times spent sharing documents and executable files without a care in the world. Okay, every month or so you might encounter a boot¹ sector virus — but they were easy to deal with even if the anti-virus software didn’t pick them up. 　

　But those long lazy summers disappeared too fast. Macro viruses² made Information Technology (IT) administrators grow up fast as they realized there was a type of virus which could spread very quickly throughout an organization. It wasn’t unusual to find hundreds of computers within one company infected by viruses transmitted via e-mail attachments. The IT staff were amongst the fittest departments in your company, running from personal computer (PC) to the next cleaning them up. 　

　There had to be a better way. Companies now realize that viruses aren’t “urban myths”, and can have a serious impact on their operations. They invest in anti-virus software on the desktops, servers and e-mail gateways and even put in place procedures to ensure their anti-virus is up-to-date with the very latest detection routines. 　

　It sounds like companies have put in place adequate defenses to protect against viruses. But have they? 　

　Anti-virus software detects most of the viruses your users are likely to encounter — often without the user even knowing. However, the software must be updated regularly, preferably daily in any large company. Even then, a very new virus can infect your users. With the rapid transmission of files through networks and the Internet, a virus can spread a considerable distance before it can be identified and protected against. Fortunately, only a few viruses ever do this but the likes of Melissa³ and the Love Bug⁴ can inflict serious damage before their progress is stopped. While employees become suddenly aware during the ensuing media excitement, they soon forget about the virus threat as the stories disappear from the news headlines. 　

　This is the danger. Complacency can set in when there is no perceived “action” on the virus front with no global crisis, and the importance of being vigilant about viruses recedes in your users’ minds. They forget what the big deal was in the first place — after all, the anti-virus software deals with the viruses, doesn’t it? And isn’t it the IT department’s job to look after this sort of thing? 　

　Before you know it, your users are opening unsolicited attachments once more, downloading unauthorized software, and putting your company’s data and credibility at risk. All because the users think that they are working in a safe environment. Employees see anti-virus software, firewalls and IT departments as guarantees that their computers will work and will be safe. Of course, there aren’t any guarantees. Anti-virus software plays one, albeit important, part in the defense of your company from malicious attack. But the security of your computer system is only as strong as the weakest link. And that, more often than not, is the human factor. 　

　No employer wants to come across as a killjoy or an ogre. Most will willingly accept that the happiest employees are those who feel that they are respected and trusted by their employer. Many companies accept that employees will send and receive a certain amount of personal e-mail and make the odd personal telephone call. 　

　However, the worry comes when employees start risking company security in pursuit of personal amusement. Funny screensavers and games downloaded from the Internet can seem harmless enough but they could easily be harboring a dangerous virus. 　

　Software downloaded from the net is often unlicensed and unsupported, and may cause conflicts with existing software in use at your company. Unlicensed, pirated software is an ideal vector for a computer virus. Virus writers and hackers⁵ often use such software as the ideal “kick-start” for their virus distribution.　

　It is vitally important that employees be educated about the virus threat but this cannot be a one-off event. The potential threat should always be in the back of an employee’s mind and precautionary measures should be taken as a matter of course. There is no harm in reminding people about what could happen if they let their guard down. In the end, education is the key to a virus-free environment and this is a continual process. It may not be the most exciting thing on the agenda, but it works. 　

　The lesson is simple. You can have the best software in the world protecting your company’s defenses; you can even be the biggest IT company in the world; but without your users practicing safe computing they will always be the weakest link.