If our end-user education policies succeeded, we would have defeated hackers and malware by now. And if recent trends are any gauge, end-user awareness is worse than ever. Social engineering Trojans, which trick end-users into running malicious programs, are the biggest threat by far. Most end-users readily give up all privacy to any application or social media portal, and they do it without any thought of the repercussions, which includes greatly increasing their likelihood of becoming a target and succumbing to social engineering.
I strongly fault the people behind most end-user education programs. In their hands, end-user education becomes a forced, unwanted childhood chore. Education is undertaken haphazardly, using spotty curriculum that usually doesn't contain information relevant to the latest attacks. Let me ask you a question: If the No. 1 way end-users get tricked into running Trojans is through fake antivirus prompts, does your company tell your employees what their real antivirus program looks like? If not, why?
That type of disconnect puts IT systems in jeopardy. On average, it takes two years for the latest threats to show up in end-user education programs and only a minute for the bad guys to switch themes, putting us behind another two years.
You know what works better than end-user education? More secure software and better default prompts. Don't expect end-users to make the right decision; instead, decide for them. Macro viruses didn't go away until the default option was not to run the macro. File attachment viruses didn't minimize until most of them were blocked and it became harder to run them in the first place. Autorun USB worms didn't go away until Microsoft forced out a patch that disabled autorunning from USB keys as a default.
End-user education has never completely worked because it only takes one person, making one mistake, to infect your whole company. But you can reduce risk by producing better, more targeted end-user education.