Yesterday Andrew Yeomans of Dresdner put a risk management challenge to me and fellow blogger Stuart King. The issue arose from a discussion about Get Safe Online, the educational site aimed at citizens and SMEs. Andrew favours the idea of such training but feels that the information given is too detailed and contains too much jargon. He asks “What are the 2, 3 or 4 key measures that are proven to significantly reduce the risk to your PC?”
It’s an interesting and an important problem, but it’s the wrong question. You need context to assess risks and priorities properly. One size doesn’t fit all. There’s a huge difference in user practices, the value of their data and the security of their environment. And it’s further complicated by the increasing number of alternative security solutions and the growing range of platforms of varying vintage out in the field. So let’s rephrase the challenge to “How can we simplify the security advice to PC users?” Now that’s easier to answer.
Start by asking questions to establish the context for the advice. This will help prioritise and filter down the recommended controls. Then it becomes easy. For example, if you do your banking online, then up-to-date advice on phishing would be a high priority. And if you let your family share your business laptop, then you’ll probably need “the works”. But if you just use a PC for email to family and friends, then switching on your firewall and installing a good AV package is probably all you need. Building intelligence into systems is always a smarter move than dumbing them down.