Security Awareness

Get Safe Online is a British Government sponsored Internet safety guide. It’s all good common sense advice and well worth a visit. I wonder how many people do because, as I noted a few days ago, “out of 15 million online banking customers it is claimed that less than half regularly update their anti-virus software, with only 1 in 10 people having anti-spam software installed and about a third having a firewall.” That’s bad news, and especially bad when we have individuals with such a flippant regard for computer security working on our networks.

Many organisations these days invest a good deal of time, money and resource on employee security awareness. A nice industry has grown up around teaching otherwise intelligent individuals the importance of common sense. For example, I’ve just read some guidance that says “Please change your password regularly.” PLEASE?! Maybe if they throw in a free gift they might make the new passwords strong too. As the old saying goes about leading horses to water, you can provide all the best guidance in the world but you can’t ensure that anyone is going to read it or take notice of what it says.

Another policy I read says “you should not install any software without first obtaining permission.” Not on my network thanks – I want a policy that says “you MUST not” and I want locked down desktops that prevent such a thing happening anyway. But, here’s an important point, I also want to tell people why and put some context around the instruction, and we also need some flexibility for those instances when somebody really does need to install something.

I’m not ashamed to admit that my first attempts at working on a security awareness campaign failed because I severely underestimated the importance of providing good advice and knowledge to people over and above just providing a set of instructions – I also underestimated the time and cost and the depth of the resources that would be required. I’ve since learnt that security awareness campaigns need to be focused on specific themes that are continually reinforced over a set period of time. Campaigns also need the buy-in of many other individuals within the business because you’re going to need to get the messages communicated and translated into different media: HR, Corporate Comms, Legal, Intranet etc and the list goes on.

Anyway, here’s a couple of decent places to look for more guidance on the subject:

Security Awareness for Ma, Pa and the Corporate Clueless

Get Safe Online

The Security Company: Organisers of the Security Awareness Special Interest Group