I wish FRED was a high-tech acronym for something like Find, Resist, Examine and Destroy, but it's not. "Fred" means the person in your office who seems a bit smarter about technology than the rest of the folks on the payroll. Fred could be short for Frederick or Winifred. Your Fred could be Sam or Pat because the name or gender isn't important, just the competence to handle some simple security chores.
E-mail used to be the leading cause of critical security breaches, but spyware attacks through browsers are now the leading miscreant. Attachments remain a serious problem for small companies and large enterprises that don't keep their desktop protection systems up to date. One opened attachment full of malware on an ill-protected desktop, and your computers start wheezing and dying. Or worse, they start passing out spam to a few million of your friends, starting with your customer list.
Here's how the Fred System works: every employee who gets an attachment they aren't expecting forwards that e-mail and attachment to Fred. Now if you're waiting for a new spreadsheet from a supplier, you open that attachment. If a spreadsheet comes as an attachment from someone you don't know, send it to Fred.
Fred runs a security sweep before opening the attachment. Because Fred leads the security protection project, his workstation has up-to-date security software (Fred is one of those competent people who keep up with software subscriptions, after all).
If the attachment includes a worm or virus, Fred deletes it. If the attachment is clean but not business related, Fred deletes it. If the attachment really is business related, Fred forwards it to the original recipient with a clean bill of health. Cost? A few minutes of Fred's time. Better security for no more money.
You've told everyone in the company to be wary of stray attachments, but people forget, misread the sender's name, or open without thinking. Now you can replace those confusing instructions about authenticated senders and hidden executable file extensions with one simple rule: forward all e-mail with attachments to Fred.
Some companies may feel it's easier to send all attachments to Fred. That eliminates any decisions on the employee's part completely, but Fred may get tired of checking so many e-mails. On the other hand, Fred rarely complains, and the Fred System is much safer than trusting each user to do the smart, secure thing.
Another option is to get people to approach e-mail attachments the same way they use Caller ID. If they recognize the e-mail sender and can reasonably expect them to forward materials as attachments, they accept the file, just like they would answer the phone when they see a name they know. If they don’t recognize the name, they don’t open the attachment, just as they wouldn't answer the phone if they didn’t recognize the Caller ID.
You train Fred on attachment security, ensure that Fred's workstation has the latest and greatest protections, and reiterate that everyone sends unexpected attachments to Fred. If a virus gets loose through an e-mail attachment, you only need to go yell at, er, retrain one person: Fred.
The same approach works with the newest scourge of individuals and small businesses: phishing attacks. Any suspicious e-mail with a link should also go to Fred. Don't expect everyone to know which vendors are sending you questions about your bank account; just train them to forward the message to Fred. Send any e-mail from a bank, supposed vendor, supposed customer, or just anything fishy to Fred, not just attachments.
Using his secure workstation (and probably the Firefox browser for added security protection), Fred can investigate any suspicious links in suspect e-mails. If safe, Fred forwards it. If not safe, Fred trashes it.
Can you train one Fred in your company to follow those rules? Sure, and it's much easier than training everyone to be wary of odd attachments and phishing attacks.
Will such a system improve security without increasing your budget? Absolutely.
Try the Fred Security System today. All you have to lose are viruses, worms, and phishing attacks.