Security

Teaching security

I read a rather sad article this morning about China Construction Bank’s servers being hacked and used to conduct phishing scams. In many of the comments I see users being blamed for being stupid, and one poster even referred to the majority of American internet users as “a bunch of mouth-breathing, knuckle-dragging morons.” This kind of attitude only continues the “class war,” if you will, between IT and users. When you spout off with elitist comments, you will be seen as elitist. (Imagine that.)

I submit that the majority of users are not stupid (or even “mouth-breathing, knuckle-dragging morons”), but are uneducated in the field of IT security. I am not advocating teaching every user every aspect of security (firewall construction to network monitoring, packet filtering to reverse-engineering malware), but the simple parts that directly affect them. How to tell a legitimate email from their bank, PayPal, eBay, etc. from a phishing scam. How to use antivirus and anti-spyware programs and keep them up to date. How to make sure they are getting the proper updates for their OS and programs.

Some of it may seem like common sense to someone in the IT field, but that only comes after you have learned it. It is too easy to forget that once we, too, were ignorant of these things and they had to be learned. None of us were born with an instinctive knowledge of how to check the source code of an HTML email and see that the links go somewhere other than where they appear to, or how to install and configure an antivirus program, or any of the rest. The trick is to pass the knowledge on to users in such a way that it becomes common sense to them as well.
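The check described above, “see that the links go somewhere other than where they appear to,” is simple enough to automate, and it covers the phishing-email test mentioned earlier as well. The following is an added example, not code from the original post. It parses an HTML message and flags three things a user is taught to look for: a link whose visible text is a URL on one host while the href points at another, a link target that is a bare IP address, and a link whose host merely contains the trusted bank domain as a sub-label of some other domain. The sample message, the bank domain `example-bank.com` and the hostnames in it are all constructed for illustration.

```python
"""Flag links in an HTML e-mail whose displayed text and real target disagree.

Added example, not part of the original post. The sample message, the trusted
domain 'example-bank.com' and every hostname below are made up for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one honest link, one href hiding behind a bank-looking
# URL in the anchor text, and one lookalike domain with the bank name as a
# leading label.
SAMPLE_EMAIL = """
<html><body>
<p>Dear customer, please verify your account at
<a href="http://203.0.113.5/login">https://www.example-bank.com/login</a>.</p>
<p>Or visit our <a href="https://www.example-bank.com/help">help page</a>.</p>
<p>Update your details <a href="http://example-bank.com.evil.example/">here</a>.</p>
</body></html>
"""


def host_of(url):
    """Return the lowercase host of a URL, tolerating a missing scheme."""
    parsed = urlparse(url.strip())
    if not parsed.scheme:
        # Bare 'www.example.com/path' parses as a path; add a scheme first.
        parsed = urlparse("http://" + url.strip())
    return parsed.hostname


def looks_like_url(text):
    """True when the anchor's visible text is itself a URL or hostname."""
    t = text.strip().lower()
    return t.startswith(("http://", "https://", "www."))


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html, trusted_domain):
    """Return [(href, visible_text, [reasons])] for links that deserve a look."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = host_of(href) or ""
        reasons = []
        # 1. The text shows a URL, but the link really goes somewhere else.
        if looks_like_url(text):
            text_host = host_of(text) or ""
            if text_host != href_host:
                reasons.append(
                    f"text shows host {text_host!r} but link goes to {href_host!r}")
        # 2. Real institutions link to names, not raw IP addresses.
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", href_host):
            reasons.append("link target is a bare IP address")
        # 3. The trusted name appears inside the host but is not the registered
        #    domain (example-bank.com.evil.example is owned by evil.example).
        same_or_sub = href_host == trusted_domain or href_host.endswith("." + trusted_domain)
        if trusted_domain in href_host and not same_or_sub:
            reasons.append(f"{trusted_domain!r} is only a label inside {href_host!r}")
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL, "example-bank.com"):
        print(f"{text!r} -> {href}")
        for r in reasons:
            print("   ", r)
```

Running it against the sample prints the first and third links with their reasons and stays silent on the honest “help page” link. The third rule is the one users most often miss: a name they recognise at the start of a host proves nothing, because only the right-hand labels decide who owns it.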