I sent the following email out to our entire company today and afterwards thought it would be interesting to post if for no other reason than to compare notes with others who grapple with these same issues (i.e. everyone). If you have a company of any size at all I would highly recommend sending out semi annual reminders like this one. It helps alot to remind people of the dangers and sets the tone for new employees who have joined since the last reminder. Above all you will note that the message is maturity and responsibility.
The subject of the email was the same as this post (Virus Prevention Advice and Policy) and below is the text:
It is that time again and we are starting to see warnings about worms and viruses passed along by friends and family so I wanted to take this opportunity to remind everyone of how we keep our own network safe and free of these destructive monsters.
Some rules of the road for using company email and company computers:
1. If you did not expect it then don't click on anything in it. This general rule will help you deal correctly with most emails and web pages. If you go to a site expecting to download something be sure that you are on the correct site (many common typos of URLs host malicous copies of the popular site). If your brother sends you a message called, "Kids latest pictures" and it was not something you expected, do not click on links or attachments until you have verified that it was indeed sent by him. Our last major virus here at the company was the result of just such a message being clicked on by an employee who did in fact get pictures from her brother quite often, but this time it was a virus that was sent by her brother's computer instead. It took us 2 days to clean up the mess. A better policy is to only open personal email attachments at home while you are not connected to our network.
2. Be paranoid, but try not to be crazy. If you get an email from yourself that is some form of spam then welcome to the club. We can't stop the spammer in Asia from using your email address to send the world spam and if you use the address long enough it will certainly happen that you and others you know will get spam that looks like you sent it. It will pass, but we can't fix it. See rule #1 as this fact should also make you more cautious of anything you get that you didn't expect even if you converse with the user often.
3. A great many viruses and malware are picked up by browsing the web. Visiting site like Youtube.com and MySpace.com is often a bad idea unless you know exactly what you are doing, why and accept the consequences if the result is 2 days of lost time to the company.
4. There is a reason you can't install things on your computer. We limit what the average user can install on their computer so that if a mistake is made, it is less likely to have a lasting effect on our network. In most cases, if it isn't already installed on your computer you don't need it. There are exceptions, but be sure you have a cogent argument for why you need Software X on your work PC. We also use specific version of MS Office products as a hedge against system outages. We do pay attention to the newest versions and will upgrade when the time is right, but no sooner. If there are business reasons why you need a specific version of something please let me know and we can make a business decision.
5. Keep up the good work. We have an amazing track record here for having staff that do the right thing. Most companies get hit by a virus once a quarter or more and we are typcially only seeing an event every other year. This is in spite of the fact that we do not block sites or regularly check browsing logs to police what people are doing. My only caution on this point is that while we all enjoy this open environment it is dependent on our continued vigilence.
If you have any questions please feel free to contact me or anyone else on the technical staff and we will be happy to help you navigate the mean streets of the Internet.