JS Ext

Wednesday, February 20, 2013

Blocking Google Docs

Oxford is getting some bad press because they decided to block Google Docs for 2 hours.  Although this is a bit extreme, I do understand why they did it.  I am viewing their actions from the perspective of an IT worker who has had to support similar clients.  What is the best way to support clients that promote malicious behavior on the internet, then expect you to defend them from it?

Oxford blocked Google Docs because the IT department noticed an increase in phishing scams that used Google Docs to steal credentials.  Google Docs was designed to make it easier to share documents and collect information.  Phishers are taking advantage of Google's reputation and the fact that people are getting used to filling out forms on Google Docs.  In Oxford's case, phishers are pretending to be Oxford's IT department and stealing users' credentials to the email system so that they can send out spam.

A lot of people are caught up on the specifics instead of understanding the larger education problem.  They point out other ways to prevent the spam problem.  People are saying Oxford should use rate-limiting to prevent themselves from being a spam relay.  I think those people don't understand the bigger picture.  Right now, phishers are stealing email passwords to send spam.  They are doing that because they are successful at it.  Because they are successful at it, tomorrow they may steal more valuable credentials.

The bigger problem is that a sufficiently large portion of the Oxford user base doesn't know how to identify a phishing attack.  They don't realize that Google Docs poses an inherent danger.  On top of that, the number of people affected by the firewall partly shows why the phishing problem exists to begin with.  How is Oxford IT supposed to defend against this threat?  The only effective defense is to educate the user base about phishing attacks.  IT departments are largely ignored by their user base, though.

As bad as it sounds, firewalling off Google Docs forced their entire user base to acknowledge the issue.  The user base is not happy, but the point got across.  The only real way to measure success is by results.  Sometimes, tough love is the only approach that works.
