Computer Competency Test For Non-IT Hires?
wto605 writes "As computers are used for more and more vital business functions, small businesses must have office employees who understand the dangers of, and how to recognize and avoid, malware, spam, and phishing. After having been stung by monthly virus cleanups (at $75 an hour) due to an otherwise competent office manager, my parents have realized they need to be aware of their employees' computer skills beyond the ability to type a letter in Microsoft Word (currently the closest thing they have to a test of computer competence). The problem is, as a small business, they have no IT expert who would be able to judge a potential employee's competency. I'm wondering if anyone knows of a good way to test these security/safety awareness skills, such as an online test, a set of questions, etc. I have already pointed them to Sonicwall's Spam and Phishing test, but it definitely does not cover all of the issues facing computer users."
Anybody can have a bad day.
Just because someone is competent with a computer doesn't mean they can't be the vector for an infection. If you start with that premise you'll realize how completely futile it is. What you need instead is a tutorial program to reduce risks. Things they should and shouldn't do, etc.
And proper anti-virus processes and procedures.
Competency tests are all racist. They only seek to restrict minorities. You cannot legally require these - the courts have ruled. Live with it, right wing tea bagger.
Why offer general internet access from office PCs anyway? Lock them down tight. If you want to be nice, have an unlocked PC or two with a completely separate Internet connection that can be used during break times for any minor personal details - checking personal email, reserving plane tickets, etc.
A lot of people can recognize such things already. They just don't want to take the time to bother with it. So dock the cleanup costs out of their pay, suddenly they'll be a LOT more careful about what they trust.
When I was younger, the mother of one of my friends was bad enough about it that her computer needed wiping on a weekly basis. My friend wasn't much of a computer person, but he at least knew what not to do. Unfortunately he was stuck using the same machine and so still had to deal with it. For a while I was fixing it for them for free since he was a friend, but when I started charging $20/hour for cleanup his mother changed her ways amazingly quickly.
GENERATION 667: The first time you see this, copy it into your sig on any forum and add 1 to the generation
But the place I work at gave me a computer with Ubuntu installed to use. I requested this after the McAfee incident last week. Apparently I'm the only one...
Have them do a couple of tasks:
1) Give them a website to go to pull data from (could be anything you can put in a spreadsheet - weather, money, but something fairly simple should do)
2) Have them open Excel and plot averages, totals, means, etc... (you can choose what is relevant) and make a chart of the data
3) Have them open a Word doc and insert the chart/data table into the Word document and describe whatever data is there
4) Have them make a crappy 1 slide PowerPoint slide to demonstrate it (still including the graph)
5) Have them save the file to a network drive after they map to it.
6) Lastly have them use the search function of whatever OS you're using to find said document after everything has been closed
Nothing too difficult, and these are relatively routine tasks that most office workers do on a daily/weekly/monthly basis.
Get Parallels or VMware if they really need Windows for something, have them run it in a virtual machine. Yes there may be an upfront cost to switch to MS Office for Mac from the Windows version, but if the VM gets infected, nuke the VM and install a fresh one.
Something we learned real quick was that higher up front costs with Macs were quickly recovered since we weren't dealing with these types of problems on a regular basis.
Hell, I have programmers that are good programmers but frankly don't know the first thing about systems administration.
"The problem with socialism is eventually you run out of other people's money" - Thatcher.
If the user does not have admin rights to his workstation, 95% of the problems go away. Don't throw out otherwise valuable workers because of lack of competence on the part of the sysadmin.
See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
Previsor has extensive pre-employment online skills and knowledge tests. One from their catalog that comes to mind is the Information Security Awareness test, described as:
This is an adaptive test that measures the candidate's knowledge of information security. Designed for general computer users, this test includes the following topics: Computer Best Practices, Computer Ethics & Misuse, ID & Data Information Theft, Internet Best Practices, Passwords, Physical Security, Sensitive Information, and Viruses & Other Harmful Software.
http://www.previsor.com/products/assessments/catalog
Make them run as user without any admin rights. Problems solved.
~ Mooga
It certainly isn't a bad idea to test new hires. I currently have a non-profit client that has a large number of service staff that use laptops. A majority of them have absolutely no clue how to use the computers. Most see the application and confirm they know how to use computers. Frankly I believe laptops are reserved for slightly more advanced end users. We were back and forth with this client a couple times a week because their most recent user was completely computer illiterate. She didn't know why her laptop wouldn't stay on.... I checked the docking station and the power cable was not connected.
Many state agencies require prospective admin staff to take an exam before they can apply for a job. These exams cover a number of topics that have to do with the level of job they are going for. I don't see a problem with developing similar standards for non-government jobs. Then again it's tougher for a small business with no IT staff to go through this. What I would recommend is to get your parents to hire an outside firm to help them not only with their IT support but with educating their users. They should easily be able to develop a hiring quiz for new hires as well as develop training plans for users.
Locking down the workstations is also not a bad idea. Get regular users out of the local admin groups on the workstations. Make sure AV is being properly updated and even look into installing a small business class firewall that does some content filtering as well as gateway AV. Sonicwalls provide these services and usually at a pretty good rate.
Good luck!!
Dewser - all around techy "In the immortal words of Socrates - 'I drank what?'"
I've started seeing companies go the route of getting rid of workstation computers. You, dear employee, get to bring in your own computer and connect up to our virtual workspace environment. No data ever ends up on your computer, and only a couple of key ports are open to our virtual space. The virtual space can't get to the Internet, you don't have admin access, etc. You can do whatever you want on your own computer, but when you get a virus, crash the OS, bust a hard drive, it's your problem to contact your computer vendor and get it fixed. You get a day to get that resolved, or we start making you take your vacation days or get docked pay until you're back up and running.
May sound like crap, but there are potentially some real benefits to getting workstations off of IT's plate.
----- Connection reset by beer
Have the pre-hire install Ubuntu. No prompt, no job. Ubuntu can do anything.
But from what I've seen there's no good answer. Management in small businesses (and in business in general) is usually not concerned with someone's computer security skills or credentials, unless they're hiring someone for an IT position. Even then, it's not uncommon for someone without basic skills to make the cut.
As an IT manager (or, the only IT manager) at a smallish (25 seat) company, I've been confounded by the fact that management doesn't seem to care about basic IT literacy. They're much more concerned with how qualified someone is to be an accountant, an admin or a lawyer (and I'm not picking on any of these professions -- just using a few examples).
Unfortunately most people who possess these skills (valuable non-IT-related skills) don't know much about computers -- and the older, more experienced (and thus more valuable) employees tend to know even less.
I once tried to get a basic IT related questionnaire added to our interview process for all employees. Management wasn't interested because they feared that it might disqualify an otherwise valuable employee. I've long since come to terms with the fact that at most companies, IT skills are only important for IT-related positions. Sure, they may make an applicant slightly more attractive, but it really has no influence over the hiring process.
But since you ask the question -- if it were a perfect world (at least, according to my definition), we wouldn't hire anyone for a desk job that couldn't type at least 40 wpm. We wouldn't hire anyone who couldn't explain the differences between a good and bad password. We wouldn't hire anyone who thinks it's safe to give their password out to a stranger or to click on a link that they didn't trust.
But that's not the world we live in. Unfortunately, if my company were to stick to those guidelines we would have to downsize dramatically. We'd definitely stop growing.
The truth is that people who aren't involved in IT related work generally don't care about IT. And while I find it frustrating, I can't blame them. For most people, particularly older people, IT just doesn't make sense. Unless and until it does, good luck!
Facts have a liberal bias.
Seriously - with real and useful UAC, it will prevent most of this crap.
I want to delete my account but Slashdot doesn't allow it.
but you can't fix stupid.
.... uhm start using limited accounts, maybe? you know, just maybe? http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/usercpl_overview.mspx still doesn't fix adobe reader flash nor java zero days, but goes a long damn ways.
Hire *good* people.
Step 2: work on developing their skills.
You see, what you're asking is like "how do I handle all the fame and adulation after I become a rock star?" The hard part is finding good people. If you can find 'em, they're worth training because they're *trainable*.
So if you've got somebody who can do a great job and adds to the team, but doesn't know what the hell phishing is, don't worry about that. You can teach a good hire what phishing is. You can't teach a bad hire who knows what phishing is to be a good employee.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
The solution to this is simple:
1. Make sure you have an Enterprise licensed AV installed. The per-client cost is low, and the updates will be centrally managed by the server. If your network is too small for this to be cost effective, then just have Norton AV (or your favorite respected AV) on every machine in the network.
2. Don't give your employees local admin privs. This one change has, in my experience, made all the difference in the world for many small businesses.
This is much cheaper than paying the labor for having an IT person come in and clean up all the messes.
Got 10 out of 10, but doubt few people could, especially with the limited information shown.
Some of those they consider "legitimate" are very borderline in my view, especially that UPS one.
Also, the testing site makes a big deal about misspellings and formatting in some of the "phishing" emails. And yet The Bank of Choice one, that's supposedly "legitimate", has an obvious spelling error in it too!
Ron
To test if they're too noobie for the job, design a form on paper that phishes their info. Personal info, more private than your regular form at Burger King. If they fall for it, kindly show them the door. Hire the ones that alert you of the problem.
If they know how to navigate the file system, file manager or whatever, they know enough. Otherwise no.
The reason we subjugate ourselves to law is to better procure justice. If law does not accomplish this purpose then it m
Keep it simple, stupid, as they say. Remove local administrator and the person using the computer will find it impossible to fuck it up no matter how hard they try.
Let's say I'm in the sales business. Hiring this 1 guy will make me $1,000,000 profit per year. Except he's a total moron with computers. Let's say he needs a full time IT person to make sure he does everything right. That person's wages might be $100,000 per year. That's still $900,000 profit per year.
How about the incompetent barely managing to justify their own job people? Maybe these people need to be squeezed as the article suggests some remedial courses to be brought up to standards to reduce costs to the corp.
But I disagree with both. I think we in IT should be implementing systems that eliminate the risks associated with phishing and malware. Principle of least privilege already accounts for the people being knowledge for things software can't fix.
Kind sir, computers are a "fad". A mere inconsequential passing fancy. Computers are either used as tools of amusement (aka Windows, the formerly best $80 Solitaire game money could buy) and for destruction of the world (aka, hypertrading systems on Wall Street and cruise missile guidance systems).
Why does a small business need computers? Think about how much more efficient you could be without all of those mumbo-jumbo computers and all the click-happy workers amusing themselves while back-doors and trojans compromise your network and data (on company time of course).
Carbon paper, filing cabinets, and shredders. This is the path to an efficient small business. You may even want to question why your small business needs so many phone lines. Sorry I could not be more helpful, but just step back and ask yourself, "is all this technology really necessary?" I think you will agree, it is a fad that simply over-complicates everything.
Myself, I'm mostly a self-taught computer geek. Many of you are also or are at least aware of acquaintances or friends who get by being self-taught, I've always been a firm believer in competency tests vs. degrees.
Work experience is another consideration, as I would test the competency of either a grad or a long-running self-taught previous employee somewhere else. The applicant's general knowledge may be good and well documented, but how are they able to specialize when the need arises?
I was able to get promoted upwards to the career I have now based on the merits of my passion to learn -on the job or not- as well as my ability to apply new ideas quickly. Not everyone is as lucky whether they have the skills or not, which is why I believe a lot of budding IT professionals and/or programmers would get in the door a lot easier with a competency test. On the flipside, maybe less losers would get in the door too. You never know, it could happen. :)
Think of the school system. You do not test someone prior to teaching them.
Install an antivirus that locks down their computers: tracking changes in everything except for My Documents and their desktop. Registry changes should also be rare...they shouldn't be installing anything.
Done.
I work in a military hospital where I'm required to complete many computer based training modules before I'm even allowed to begin to do my job. This means somewhere around 70 military tests along with several others including network security need to be completed within a short amount of time. This isn't even counting the classes and training for hospital based computing and procedures for patients. The results are people blowing through them as quickly as possible and new employees and staff passing the answers around for the tougher ones to get their orientates through the process as quickly as possible. No one will legitimately look at any required tests such as these as important as the person who made them required nor will they be motivated enough to care why they should even understand the reason for taking them. The only way to motivate people to do the right thing is through fear of doing the wrong things. IE all computer communications are monitored and you could potentially be punished for visiting the wrong websites and or accidentally infecting your computer with a virus, or giving a reward for doing things the right way IE a day off if your department goes incident free for a quarter.
Ensure staff do browsing via a virtual machine or sandbox.
The current Windows malware threat is not fully addressable by training. Some exploits are hitting people who have done nothing wrong. By all means train people, just be aware that no single measure will fully solve that issue.
With reasonable men I will reason; with humane men I will plead; but to tyrants I will give no quarter. -- William Lloyd
Sit them in front of a Windows box setup with only IE and Mozilla icons on the desktop.
Ask them to lookup information on a competitor.
If they pull up a command prompt and start shutting off useless Windows background services, they are your new IT person.
If they launch Mozilla, hire them.
If they launch IE, show them the door.
If they pull out their cell-phone, put them in sales.
Poorly worded tests can knock out good IT workers as well.
Poorly worded tests / trick questions can
If they use/provide company vehicles, would they test potential employees to see if they know how to change brake pads or replace a timing belt?
Relying on some test to see if people know not to open an email from "Hot Sex Machine" with a "cool app you must see now" is lazy IT administration. I know that small businesses often cannot afford an IT person, but to rely on some test is bad management. Are they going to retest people every year to make sure they're up on the latest scams or social engineering techniques? Will they pay people to take the time to educate themselves on this stuff?
I'm sorry, but this would be like requiring employees to provide their own safety equipment, develop their own lock out/tag out procedures, and maintain their own confined space entry plans. It'd be like saying, "We don't have to implement safety guards because we test whether people know not to stick their fingers in moving machinery." Such things are the responsibility of management. If management provides a tool (a computer, a machine, a car) for an employee to use, it is the responsibility of management to maintain it and provide the proper training on it. Otherwise, it's just pushing the cost off to the employee.
I understand that as a small business, this may be a challenge for them. But if they rely on some test, they're going to end up with a hodge-podge of protection with some minimal baseline. This is not good management.
-- Fugacity: Confusing chemists since 1908
...when troubleshooting web applications. A copy/paste of the error message won't tell you:
1. Which web browser is being used
2. Which page the error happens on (being able to see the exact or most of the URL).
3. The exact nature of layout bugs.
I agree that pasting screenshots into Word is bad, I've even been sent reduced res screen shots (about 480px wide) where you couldn't see anything useful.
The European Computer Driving License may be helpful here. See http://www.bcs.org/server.php?show=nav.5829 for a syllabus.
Current security is inadequate. We need to switch to whitelisting instead of blacklisting.
I know the Microsoft/car analogy blows, but really, we all need to stop blaming end users. Devs and IT folks need to stop accepting crap as "good enough".
I don't want my car to be "good enough" most of the time. I want it to be safe. My software and OS should be the same.
What a lame bunch of crap.
Also, some of the questions are very US-centric.
The Discover Card one caught me out because I thought 1800 numbers were freephone in the US (0800/08000 numbers are freephone in the UK). I did miss the From address on that one but that can easily be faked anyway.
Also the second IRS one. I wouldn't know what a 'Letter of Deficiency' is or what the correct URL for the IRS is.
This just sounds like an IT guy whining that someone's making him do his job. If they're not setting up/fixing/managing workstations, what is their job? I know there are some legit IT jobs that aren't workstation oriented, but it seems like the point of an IT department in any bigger company is mostly to make the computers which everyone else works on function correctly.
I worked for a software division of a pretty highly-ranked Fortune 500 company for about 3 years. In that time, 99% of what was on the IT guy's to-do list (which was publicly visible and available to add to on the intranet) was related to workstations. There was a daily backup to a data storage company (they actually came and swapped out the backup drives and took them away in a lockbox) and in 3 years probably 3 times they had to increase storage for the company-wide server shares. There may have been a handful of other things they did which didn't make it onto their list, but other than that it was ALL simple workstation stuff like "Add more RAM" or "Reformat to new OS".
It doesn't make a whole lot of sense to me that IT people complain about the workstation users as much as they do. It's what they're paid to do. If they're not happy with the job, maybe find something else that suits you better.
If the only way you can accept an assertion is by faith, then you are conceding that it can't be taken on its own merits
You can almost always circumvent Phishing schemes by going to the website to verify. It isn't a case of "LEGIT" or "PHISH". It is assume "ALWAYS PHISH". And many phishing attempts I've received have clues. Clues are normally a hyperlink that says "Login to Paypal", but when you hover over it, it says: www.someplaceelsethanpaypal.com.
It's nice they were thinking of a test, but if someone answers PHISH for all 10 questions, hire them.
God spoke to me.
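The hover check described in the comment above can be automated for HTML mail; this is an added example, not part of the original thread. The `KNOWN_BRANDS` table, the function names and the sample message are constructed assumptions for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Assumption: brand keywords mapped to the domains that brand really uses.
KNOWN_BRANDS = {"paypal": {"paypal.com"}}

# Matches link text that itself looks like a host name or URL.
URLISH = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.href = None
        self.text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href = dict(attrs).get("href") or ""
            self.text = []

    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            visible = " ".join("".join(self.text).split())
            self.links.append((self.href, visible))
            self.href = None


def strip_www(host):
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def href_host(href):
    """Host the link really goes to, or None for non-web/relative links."""
    try:
        parts = urlsplit(href)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return strip_www(parts.hostname)


def same_site(host, domain):
    # Exact match or a true subdomain; "someplaceelsethanpaypal.com"
    # does not count as paypal.com just because it ends with the string.
    return host == domain or host.endswith("." + domain)


def check_links(html_body):
    """Return findings for links whose visible text disagrees with the href."""
    parser = LinkCollector()
    parser.feed(html_body)
    parser.close()
    findings = []
    for href, text in parser.links:
        host = href_host(href)
        if host is None:
            continue
        shown = URLISH.search(text)
        if shown and not same_site(host, strip_www(shown.group(1))):
            findings.append({"text": text, "host": host,
                             "reason": "text-url-mismatch"})
            continue
        for brand, domains in KNOWN_BRANDS.items():
            if brand in text.lower() and not any(
                    same_site(host, d) for d in domains):
                findings.append({"text": text, "host": host,
                                 "reason": "brand-mismatch"})
                break
    return findings


# Constructed sample message body (not taken from any real mail).
SAMPLE_EMAIL = """
<p>Your account is limited.
<a href="http://www.someplaceelsethanpaypal.com/login">Login to <b>Paypal</b></a></p>
<p>Real one: <a href="https://www.paypal.com/signin">Login to Paypal</a></p>
<p><a href="http://203.0.113.7/verify">www.examplebank.test/verify</a></p>
<p><a href="/help">Help</a></p>
"""

if __name__ == "__main__":
    for finding in check_links(SAMPLE_EMAIL):
        print(finding)
```

A check like this only catches the text-versus-target mismatch; a link whose text and target agree can still point somewhere hostile.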
The flip side is to test I-T hires to see if they have clue one about the company's core business. I can say for sure the I-T where I'm working right now have no idea what the company does or what would help people achieve the company's goals. They just know how to inform people that something is not working and it's Microsoft's fault, not their fault.
Where I work (hotel), I'm the only tech-savvy employee. In the two years I've been employed here, one of the front-desk systems (running XP in administrator mode) has gone down for at least a day because of malware/virus problems 3+ times (once since the outsourced moron installed anti-virus software). More than that, some of the smallest problems result in calls to tech-support that is billed per call. By having novices using this equipment, the cost of operating goes up quickly.
Hiring competent employees means less calls for tech-support, and fewer (zero?) days of down-time from malware/virus issues. Hiring mechanics that know how to drive a manual transmission is beneficial for repair shops, plumbers should know metric and English systems, insurance agents should know basic math (or how to use a calculator); why shouldn't everyone who handles a computer (read: MS products) know the basics?
30 year old former admin now a project manager and systems analyst - I was once like you. I thought it was my job to ensure everyone was competent enough to solve the majority of their own client troubles and thought that they were so incredibly naive that they would destroy the entire company if they had a little bit of access I wasn't controlling. Then I learned that the world went and changed and that IT is now just an appliance, a tool, just like a pencil sharpener or a hole punch. The sooner you learn to make IT work for the business and not the business work for IT the happier you'll be and the better the company will be.
I would be happy if at least IT staff would have such computer competency test.
- Dressing and grooming standards - you should look the part of your company ... you want self-expression, start your own company - until then, your paychecks are signed by the same guy as the accountants and marketing group
- Learn to communicate - written and oral communications. Not just using the right words, but the ability to confidently speak your mind in an appropriate manner. I can't tell you how many programmers I've worked with who were heads and shoulders above me in coding, but who I could always show up in meetings.
The best thing about a boolean is even if you are wrong, you are only off by a bit.
Simply ask each potential employee what OS they use at home. If they respond that it is a Windows OS do not hire them. If they use IE at home take them out back and put them out of their stupidity.
The ECDL foundation run a computer skills accreditation programme that's widely used in Europe and has an increasing international focus. This covers a range of areas of computer competency; I can't see internet safety mentioned, but if you get in touch with them, they may be able to help you.
The world has changed and we all have become metal men.
Have the employees make the ECDL or have it as a prerequisite to applying for the job. The ECDL is vendor independent and standardizes the training of basic 101 computer operations skills. They should have some basic security training in there as well. Definitely worthwhile checking it out.
My 2 cents.
We suffer more in our imagination than in reality. - Seneca
It can't be expected that everyone will understand the vectors for infection. Part of the burden the IT staff carries is that people will do things to open the network environment to malicious attacks. What worries me more is the fact that there are people in positions of responsibility who haven't a clue about security. The biggest blip on my radar screen is a local health care provider, the Director of the facility hired her boyfriend to be their I.T. guy. I witnessed this clown downloading cracked software and installing it on health center computers, he was all puffed up about his USB drive that had x number of gigabytes of utility software on it and he didn't have to pay anything! In hindsight I should have gone straight to the BIA or the CEO of the hospital, but I approached her off the record and she said she would deal with it (yeah, I am a naive trusting soul). How about an ethics test for IT staffers in general to weed these scumbags out of the profession?
It depends on what you are doing with your computers and what flavour they are. As someone who is really really really bored of training people older than me, paid 3 times more than me, how to config POP, Windows, OSX, the fax, their phone etc... I totally agree, anyone in a job that needs to use a computer should know how to..... use it. Have you considered sitting job applicants down at a workstation and doing 10 minutes of hands-on testing? eg..here is a laptop, can you use the search function to find (inside 2 mins) the documents placed somewhere titled: 'incompetent noob', 'useless bluffing greyback' and 'I saved it somewhere in here'....? Or if you really want to get tuff, how about pluggin in all the bits of computer together in 2 mins? I am sure you can make up some good fun tests.
Waiting for the other shoe to...
Possibly send potential applicants a request for information such as SS#, Full Name, DOB etc. If they provide it no-question, then you have to question their security sense?
The simplest way to massively reduce (but not completely eliminate) the risks of problems, all of which can be done by the admin staff when setting up the PCs.
1) Make user accounts into limited user accounts.
2) Configure Windows Update via group policy.
3) Configure Anti virus via group policy.
If the users can't get admin privileges then anything they run will be largely damage limited plus they won't be able to undo 2) and 3).
At least once a week one of us has this conversation:
us: Right click on the desktop
them: Left click?
us: no, right click
them: where?
us: right click on the desktop. The background you see when you don't have anything open.
them: Ok. Click twice?
us: no, right click once
them: Ok.
us: now left click on Personalize
them: with the left button?
us: Yes
them: just once?
us: yes, single click
Or the even better copy and paste
us: highlight the text
them: how?
us: click and hold and move the mouse
them: I clicked and moved but nothing happened
us: Did you double click?
them: Oh, just click once?
us: yes, click once, hold, and move the mouse
them: Ok, it's highlighted. Oh, now it's not
us: did you click again after you highlighted?
them: yeah
us: click, hold, move, release and nothing else
them: ok
us: now hit ctrl+c
them: At the same time?
us: yes
them: where's ctrl?
us: by the space bar
them: at the same time?
us: yes, ctrl+c at the same time
them: ok
us: now click where you want to paste it.
them: Double click?
us: no, just once.
them: I double clicked and it highlighted a word.
us: just click once
them: ok
us: now hit ctrl+v
them: at the same time?
us: yes, same time
them: ok
us: hits head against wall until the pain stops
it's hella-faster than typing, so productivity goes UP, and the worse the typing-skills, the moar it goeth uppeth.
Aim into results, not the specific method!
...past US Supreme Court decisions have found that if there is any effective discrimination of testing procedures it is illegal, even if the test is demonstrated to be directly relevant to the position and the test is not intended to be discriminatory (Griggs vs Duke Power Company, 1971).
This is the reason for credentials inflation--private companies are afraid of getting sued for generating their own skills testing, so they just ask for higher and higher degrees every few years for the same jobs, even though the actual duties of the jobs don't change.
Jobs that used to ask for high-school diplomas twenty years ago are requiring bachelor's degrees today.
And colleges (being morally above the barbs of such intellectual accusations) engage in race-norming, to make certain that more and more people who should have failed are passed anyway.
http://www.popecenter.org/news/article.html?id=1749
Good luck!
~
"I've never had any of my computers, running Mac/Windows infected by anything that I know of, I don't use any sort of protection either..."
Well there's your problem right there. If you're running Windows and connecting it to the net, it is infected as a matter of course whether you choose to become aware of it or not. The only way to prevent it, is to not use Windows.
So on behalf of all the Fortune 500 companies, for whom I do not represent, and on behalf of all the rest of us, whom I don't represent either, who feel the pinch from their elevated operational costs may I be the first to extend a heartfelt, sincere "FUCK YOU, VERY MUCH" to you and any horse you might have ridden in on.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
> I've never had any of my computers, running Mac/Windows infected by anything that I know of
The last person who said that to me had extremely bad halitosis, almost no teeth and venereal disease. What you don't know can kill you slowly.
As an IT leader/decision maker in a corporate environment, I would consider this a personal failing and an IT department failing. We (IT) are the experts. We have the skills and knowledge. If someone does not have the skills or knowledge to use a corporate tool (PC, server, network, etc...) it is OUR responsibility to provide training.
I have a "technology orientation class" periodically. 60 minutes of "do this, don't do that". It eliminates the "I didn't know" and "how do I..." problems.
It is arrogant, ill-informed and misguided to demand that an end user know how to make your job easier.
Most of the questions I thought up. Questions may have multiple or no correct answers.
Questions probably should have been ordered by difficulty (from least to most difficult), but I never got around to it.
http://docs.google.com/View?id=dgc7vm46_1dn83dq4g
As a secondary technical education instructor in the Mississippi school system, I understand that all new technical-related hires are required to get this certification. Also, all currently-employed tech instructors will be required to get this certification. I went ahead and got it just to be "ahead of the game". The process, for me, consisted of an online class/workshop, online practice exams through Certiport, and a final 3-section exam. The exam covered basic computer hardware and OS knowledge, MS Office usage, and internet and networking principles. Was it the most comprehensive test? No. Was it a complete novice test? Also, no. Surprisingly, it covered a lot of ground - both hardware and software. I do not know what would be involved for employers to acquire this certification for their employees, but I can say from experience that anybody that receives it could be considered "computer literate". Here's a wikipedia link - http://en.wikipedia.org/wiki/IC3_(certification).
Under that system you must pay overtime to salaried people as well, and don't even think about docking for bathroom time.
As far as business owners are concerned, my best advice is not training employees but the use of a secure operating system. Forget using Word application or any Microsoft system deployment. The use of Linux operating system platform will greatly enhance any possible security threats.
I am a professor at a regional community college, and we have a course designed for exactly the skills you are asking about. We also have a division called Workforce and Community Education. This division's job is to provide credit or non-credit training to businesses and industry in our region. Almost every community college has a similar component. Ours would jump at the opportunity to provide a pre-employment test and/or training for a company like yours, and we (as any other equivalent school) already have the people and resources to do it. If you want to do it in house, you could probably just ask the computer science professor for a copy of their final in the equivalent course and modify it as needed, or hire them for a couple of days as a contractor to make it for you and have it fit your exact needs. I fully agree that such testing is vital. Before I took this job I worked at a local chemical plant with 3000 employees. Our helpdesk of 10 people spent almost half of their time providing support to the same 7 or 8 employees in the plant. HR would never do anything about it, but there was a huge hidden cost in supporting these people by keeping them on. Also, some regular training on stuff for your current employees will help too, and you'd be surprised at how little it might cost doing it the way I've outlined. Good luck.
Every employee will have deficits. Not only do you have to worry about the one who allows malware to be downloaded. What about an employee who sells valuable trade secrets to competitors or gets the company involved in a lawsuit. You may hire an incompetent employee who screws up things. It seems unlikely that you will be able to hire your entire staff to be competent in computer security.
Teaching employees computer security, beyond a very basic understanding, requires a large investment of time. Hiring computer savvy people means that they are likely to want more money for the added skills. It would be much easier and cheaper to have one competent IT person managing the computers and then let the other employees focus on what they are good at. I am assuming that your computer needs are small enough that you can't justify hiring a full time IT guy.
It isn't clear how your computers are set up or how many there are. Is there a network or just a bunch of computers? How do you handle backups?
Maybe there is a person in your company who knows enough to handle most of the simpler problems. He could handle things like installing programs, maintaining the antivirus software, doing backups and he would have the administrator password. The employee who gets an email attachment to install hot babes (malware) on his computer is likely to think twice if he has to call the IT guy to enter the administrator password. He could be pulled away from his regular job whenever some IT service was needed.
You could also hire a part time IT person. There are a lot of skillful people who are between jobs and would be happy to get a few hours of work a week.
This is a place where a non-certified or non-degreed person can really shine. There are lots of people who are really good with computers and would love to do something like that. Of course you have to be able to decide who is competent to do that job.
Here are some thoughts.
He should be trustworthy.
He needs to know how to install software, maintain antivirus software and handle backups.
He needs to keep a balance between productivity and security. Some guys get so carried away with security that it is difficult for others to get any work done.
Avoid arrogant people. You don’t want the BOFH running your computers.
Beware of the guy who knows everything – He is lying to you!
Make it clear that you are to have a copy of all administrator passwords – he may leave suddenly.
Try to find a person who wants to do this for a long time.
Possibly your existing consultant could help with evaluating him.
The problem with what you are looking for is that you will now be increasing the level of skills that you are requiring of your employees. That means that you will be increasing the cost of hiring them and probably the wage that you need to pay them. Does the cost of fixing the problems when your current level of employees mess up exceed the cost of hiring employees who won't make those mistakes? I'll be perfectly honest, if the office manager cannot learn not to repeat the mistakes that lead to the virus infection, they are incompetent as an office manager in other ways as well.
The truth is that all men having power ought to be mistrusted. James Madison
Since I lost the battle to raise my kid with a Linux computer, I bought an anti-virus product (Norton Internet-something) with the XP machine we ended up getting and also installed AppGuard. The Norton product allows me to block certain types of web sites and also catches most malware that may be encountered by MSIE, Firefox, and Thunderbird (I won that skirmish). AppGuard guards against zero-day attacks for stuff that isn't in the anti-virus signatures yet and is an excellent final ring of defense. I also have Windows Defender installed and have Windows auto-update turned on.
I personally believe that employees should be professional enough not to go surfing porn sites and the stuff the web-blocking component blocks, but your parents have a right to run their business the way they choose. It is, however, unrealistic to expect non-IT employees to recognize every possible attack vector, particularly when even IT people with years of experience can be taken in, and it is crazy to run Windows computers in an office environment without an anti-virus.
Full disclosure: I work for the maker of AppGuard, but I work on different products. My recommendation is based on my personal experience with it.
"Who controls the past controls the future. Who controls the present controls the past." -- George Orwell
You've got to be joking. The ECDL is a grand tour of Microsoft Office. Most people fudge their way through Microsoft Access and forget it as quickly as they learn it. Net result: no clue about structuring data. Even the name of this "qualification" is patronising. If anyone mentions an ECDL on their CV then it goes in the bin. Anyone who takes the time or effort to get such a Mickey Mouse qualification is almost unredeemable.
I worked on cars during college. I was required to buy and maintain my own tools. If I broke a tool working on a car, I was required to repair or replace the tool out of my own pocket.
I went thousands of dollars into debt before even receiving my first paycheck. This is a standard practice in many trades.
I've probably got over $20,000 in tools, that I still own, from that job - and that was a requirement to keep that job. No tools, no job.
-ted
At the interview inform the applicant that Google, as the provider of the Internet, has outlawed private surfing during work-hours, then ask if they understand.
If they say yes, show them the door.
Accommodate to the requirements of the new electronic age, or look for a more congenial and perhaps more lucrative occupation — raising earthworms, say, or keeping bees.
CC: and BCC: is technical jargon.
Email clients should simply ask you:
Who are your recipients?
Do you want to hide the names of some recipients in your message?
Or an understandable variation of that theme. Then the CC: and BCC: headers (which is what they are) in the message can be handled under the hood...
In most permanent employment contracts signed by professional people there will be a clause requesting that you work the hours that are deemed necessary to complete your tasks. If what you are saying had any grain of truth, everybody would be working 9 to 5 and being paid overtime when appropriate, but we all know this is not true.
So if companies put these kind of demands on employees they can't seriously complain when the table is turned and employees do bits of personal stuff while they are at the office.
Even if you are a freelancer, you will be judged not by how many hours you worked but by how successful were the projects you were responsible for.
Honestly, do you actually hold gainful employment?
.... whose computer should be locked down
Let's see:
"people like to listen to streaming music while they work"
So? Get a radio, a music player. Why should the company provide bandwidth for your music?
"Maybe IM is a useful form of communication."
Oh great. So you are conducting business using an unregulated, unencrypted, loggable means of communication.
"download an editor "
Great. You are prepared to risk the company's infrastructure by bringing unauthorized software (no, you don't know what you are doing. All software should be tested in isolation before you can work with it).
"Yours is an office I wouldn't work in, and maybe there is something to say for self-selection of the people that would."
Ha, ha, ha. I would not hire you buddy. There is nothing worse than somebody cavalier with security and company's resources *and* an attitude to match...
Just purchase a copy of Malwarebytes (which is not very expensive, less than $25USD for a lifetime license - http://www.malwarebytes.com/), as well as up-to-date anti-virus (http://www.microsoft.com/security_essentials/ - Microsoft Security Essentials which is free and is very good) and not have to worry about user competency. Malwarebytes is phenomenal in protecting PCs from Malware. I have serviced many PCs with the Full Version of Malwarebytes installed (which has real-time protection) and nothing has slipped past so far.
No, I'm not being facetious, or at least not very much.
Every company I've worked for has an HR orientation of some sort for new hires. This not only includes an overview of benefits, etc., but also a lecture of some length on diversity, understanding, tolerance, and respect in the workplace. My current employer has a three-day seminar that is mandatory for every full-time employee.
Basically, we are treated like social retards who will start smacking women (or men) on the asses and demanding coffee delivered, if we aren't trained in basic manners over and over again; but it is assumed that every janitor and desk clerk is sufficiently skilled in computer operations (besides those needed directly for their job), and this will never need to be examined or refreshed.
Honestly, cut the HR training and how much grief or money have you incurred? Not a lot.
Now replace it with basic computer/internet security and use training, and how much grief or money have you saved? A hell of a lot, I would guess!
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
I worked for a community college and IME not one in ten educators (just as an example) actually possesses the job skills called for in their job description, which includes familiarity with Microsoft Office as a line item. If you're trying to find good people, and you're simply adding on more requirements, you're only shrinking your pool of applications and disqualifying people who could do the job.
There are basically two approaches which I can see which might work for you. One of them is to lock the systems down to the point where it is difficult to harm the machine. Consider switching away from Windows, which is often easier than you think. The other plan is to simply train your users. Train users in detection of malware and in best practices; you don't need to know all that much anyway.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
I have to disagree. If they send me the whole session, I can look at the URL, the status bar, the taskbar, and the context of the error. It is quite helpful sometimes.
How much is your data worth? Back it up now.
Perhaps Cisco could make a test (if they haven't already) that tests users for basic IT proficiency. This way if you pass you would be certified and hard documentation of your skills could make employers feel better about not having Tech staff for their small business.
It's the strategy used in my previous university, using Rembo (now part of IBM's Tivoli) as the imaging software.
It has lots of advantages (wiping machines clean), but also a big problem:
In case of outbreaks of a worm which can automatically propagate without any user interaction, the worm will be able to constantly infect freshly wiped machines, until the master image is upgraded with latest security updates.
We had a couple of such catastrophic outages at the uni, because the images were centrally managed (we were powerless to fix them) and it took a couple of days until the central reacted and issued newer fixed images.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Before they get on the payroll and thus the internet, offer them the opportunity to sign an agreement, stating that if they are responsible for compromising a system, that they can in their own time and at their own expense, OR they agree to paying for a security expert, to repair the system, on their behalf.
And add a security tax to their wage, 10% of their weekly wage up to the full cost of a full worst case repair, refundable all or in part upon their moving on.
I was able to get promoted upwards to the career I have now based on the merits of my passion to learn -on the job or not- as well as my ability to apply new ideas quickly. Not everyone is as lucky whether they have the skills or not, which is why I believe a lot of budding IT professionals and/or programmers ccnp would get in the door a lot easier with a competency test. On the flipside, maybe less losers would get in the door too. You never know, it could happen. :)
Hire people smarter than you.
I'd like to buy homeland for our 10 million people. http://twitter.com/mahadiga
doing that several times a week because yet another infected ad on CNN or whatever hosed their profile
Block CNN, Fox News, You Tube, etc, etc.
Hell, block all sites except those needed by the employee for the competent functioning of their assigned tasks.
For developers, that means allowing various technical sites, and for secretary and shipping clerks it's Expedia, UPS, etc.
"I don't know, therefore Aliens" Wafflebox1