I’m always surprised (for some reason) when I wander into a new corporate environment. Walking from the front door to the conference room of the day I invariably pass workstations with Facebook, MySpace or something equally inane gracing the screen. To say nothing of folks who install P2P apps on their corporate systems.
Where’d their brains go? It’s not like they don’t get the riot act read to them when they start a new job. For that matter most environments provide regular “security awareness” training. Still it continues.
CIO has an interesting article on the enduring disregard that white collar folks have for privacy.
The telephone survey of 1000 “white-collar†employees conducted by the London-based IT security association found 65 percent of respondents are not very concerned or not at all worried about their privacy on work computers, while 63 percent were not worried about the security of information stored on their computers.
Peer-to-peer file-sharing programs were regularly used at work by 7 percent of respondents, and at least once by 15 percent. Up to 35 percent of respondents admitted violating corporate IT policy, however the survey did not reveal the details of the breaches.
How can we as security folks bridge the gap to help educate folks in a meaningful manner?
I’m going to take this box of chocolate bars and go for a walk.
🙂
Google “facebook fairy”. Print and plaster.
@CJ
Yeah that one made the rounds at my old office. A big ole bag of stoopid.
Have a great weekend!
You too! And here’s to hoping no propane bombs in my backyard.
Compliance, my son, compliance. There’s a bit more to it than policies and annual security awareness/training events. MBWA (Management By Walking About) for one. Accountability and ownership for two more. But genuine security awareness among management is the best starting point.
BTW That Facebook fairy story will haunt the protagonist for the rest of his career. Google is a fab tool for assessing a candidate’s CV.
G.
PS The kid at the top of this page is me. I admit it.
@Gary
I agree wholeheartedly with respects to the MBWA. Far too many managers lock themselves away in their respective corner and then the mice dance on the desktops. Compliance seems to get more lip service than I would like to see in the majority of environments.
But, here is the rub. How do you get the security awareness to take with senior management. Not asking for me but, to illicit a response.
🙂
@Gary
…and yeah, that kid is totally screwed.
As they say, there is no patch for stupidity.
On the other hand, as Ira Winkler or Marcus Ranum would say, education does not work either, because it only takes one imbecile to click on an attachment to bring down the whole house of cards.
@Rob
I used to have that saying hanging on the wall of my office. Too true.
Now, that being said, with regards to Winkler and Ranum I completely disagree. As security folks we are there to support the business. If we adopt the approach of Winkler/Ranum we’d all be riding on the turrets of Sherman tanks with a crazed gleam in our eye as the .50 cal blazes away mowing down fields of users. I’d offer that to dismiss education is a tragic failing on the part of folks who should know better. It is exactly because of those weak links that we need to encourage security awareness and education.
What I was trying to drag out of folks in a round about way is “what works?”.
cheers.
re: the approach of Winkler/Ranum,
Right Dave, that’s just not the Canadian way. By the way, nice pic with the ammo.:)
No amount of education protects against the vengeful or compromised staffer either. What is required is a technology that protects users “from themselves”.
I can suggest one. Any come to mind for you?
If you’re looking for what works, I have to agree that you can’t educate users on the right way to do things securely. What you can do, however, is train them to ask questions.
Until someone comes up with the fool-proof training plan, my goal in training is to get the user to simply ask the questions, “Should I do that?”, “Does this look right?”, or “Does this make sense?”. Don’t go all Bill Lumberg on them – they don’t care if it’s good for the company. They do care about how they’re perceived though, and no-one wants to be likened to a lampooned character.
I’m dead serious about the Facebook example. Very little, save smell, makes as much of an impression on someone’s memory as a good laugh. A little Chaser’s War trojan video clip here, some timely Failblog photos there, and you can usually make a positive impression on users. “Wanna get away?”
While I’ve not had an audience sizable enough to provide any meaningful measures, anecdotally I believe that it works much more than traditional “training”. At the very least, it helped to humanize the security role in the company and opened the lines of communication for users.