Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ask Slashdot: How To Communicate Security Alerts?

Posted by Soulskill on from the your-computer-is-broadcasting-an-ip-address dept.

Capt.Michaels writes: "I need to start sending security alerts and warnings to employees at my somewhat sizable company. My problem: I'm not sure how to send these alerts without freaking everyone out and causing the help desk to get flooded with phone calls. For example, let's take the current Internet Explorer exploit that caused US-CERT to recommend switching browsers. I don't want everyone killing our limited help desk with ridiculous questions like, 'I downloaded $New_Browser, how can I get my toolbar? How do I bookmark things in this browser? Can you tell me which browser you recommend?' Simply put: some vulnerabilities are worth major changes, but many aren't. If we switched software every time a new vulnerability came out, we'd never get anything done. Sooner or later, a patch will come out, and everything will be back to normal. But how do I communicate to end users that they should be aware of an issue and take extra care until it's fixed, without causing panic?"

2 of 84 comments (clear)

  1. Run around in panic... by sinij · · Score: 5, Funny

    Ruining around the office in panic screaming that we are all going to die worked well for me so far.

    Also, what kind of security events are we talking about here?

  2. huh? by Charliemopps · · Score: 5, Insightful

    Is this even a question? If the IE bug isn't important to you, and you don't want people switching browsers, then why the hell would you communicate the bug to anyone? You should only be sending out notifications if your users need to take action or you're trying to communicate an outage. If you're email consists of "There's this problem you don't need to do anything about..." then you're wasting their time and they will quickly learn to ignore your notifications.

    Users do not care about security issues or bugs. They want you to tell them if they need to do something. Otherwise leave them alone. If you have a few users that are worry warts and want to know about that thing they heard on the radio this morning, start a wiki page and just post it there. They can come and look at it if they have questions. But I'd avoid that. Documenting the reasons for your lack of action on a security issue is not a good idea. You may very well have good reasons, but uneducated poorly informed managers can make your life miserable if the bug ends up costing the company money.