Ask Slashdot: How To Communicate Security Alerts?
Capt.Michaels writes: "I need to start sending security alerts and warnings to employees at my somewhat sizable company. My problem: I'm not sure how to send these alerts without freaking everyone out and causing the help desk to get flooded with phone calls. For example, let's take the current Internet Explorer exploit that caused US-CERT to recommend switching browsers. I don't want everyone killing our limited help desk with ridiculous questions like, 'I downloaded $New_Browser, how can I get my toolbar? How do I bookmark things in this browser? Can you tell me which browser you recommend?' Simply put: some vulnerabilities are worth major changes, but many aren't. If we switched software every time a new vulnerability came out, we'd never get anything done. Sooner or later, a patch will come out, and everything will be back to normal. But how do I communicate to end users that they should be aware of an issue and take extra care until it's fixed, without causing panic?"
They ask. They hear something from their friends and colleagues, and retain a garbled version ranging from "OMG, everything Microsoft needs to be erased!" to "Go to this website and it will fix your IE". If you are lucky, they call you before they try to do something astoundingly stupid.
I'm the IT director for an aftermarket auto-manufacturer, and we keep our Internet-facing network and our production/POS/ERP networks physically separate. Each of our Internet-facing PCs has IE, and a crippled version of Chrome (same idea as Iron) installed.
A few nights ago, I ran a script that stored everyone's IE bookmarks in a backup, and overwrote them with a list of fewer than twenty bookmarks, including the company's website, the banking sites for scanning checks, the website that stores our scanned invoices... you get the idea.
I sent an email instructing them to use IE only for the sites for which there is a bookmark, and use the crippled Chrome for everything else. Last night I restored the bookmarks, and while I was at it, checked a few histories here and there. People seem to have complied with the instructions. I saw only one clear violation, and it was work related, to a website that I may have added to the bookmarks, if I had thought of it.
Today, according to my assistant, there have been three calls from people who did not get their bookmarks back, and a few from people who did not know about bookmarks before, and now want the 'official list' back.
All in all, I'm glad how it went.
No good deed goes unpunished...