Computer Weekly readers have their say
Security awareness must be a team game
The interesting Strategy Clinic "How can we spread the security message?" (Computer Weekly, 27 September) raises a puzzling question: Why is security awareness usually the IT director's responsibility?
Why is it the IT director's job to prevent careless employees from leaving PDAs in taxis or laptops in their cars? Why is it the CIO's fault when an ignorant employee opens an executable e-mail attachment, releasing a rampant virus?
The equivalent is blaming the telecoms manager when an employee is tricked into giving away a security code or password in a phone call or reprimanding the post room when someone posts a confidential document to the papers.
Installing a general duty of care in employees - covering everything from passwords to shutting the door behind them when they leave at night - is a shared responsibility of all senior management, led by one person at board level. This director (call him what you will) works with facilities management on physical security; human relations on security awareness training; the legal department on compliance; IT on technical security; and creates awareness of employees' duty of care through line managers.
Until this holistic approach to security becomes more commonplace, maybe we should examine new approaches to security awareness: there is no reason why it cannot be fun.
Imagine: ABC employee, John Smith, opens an executable attachment in an e-mail purporting to be from one of his friends. A message appears on screen and over the PC speakers saying:
"John Smith, come on down, you have just caught a computer virus. I hope you and everyone else at ABC were not working on anything important. Sit back while I send the good news to everyone in your address book."
After enough time for the rest of the department to find out, the screen clears, to say, "Just kidding John. But please do not open files ending .exe in future, you could ruin the company.
Lots of love,
Your IT director"
Jenny Fuller, Firecast Media Events
Who are we to judge if a hacker can reform?
I was interested to read Mark Hanvey's opinion piece, "No jobs for the bad boys" (Computer Weekly, 4 October).
I agree that there is a potential for problems if we employ a successful hacker to enforce IT security. Similarly, there is the potential for fraud if we employ a successful "Del Boy" to be a company director, or for questionable behaviour if we employ a call girl to be a film star.
Why should a hacker be any less likely to reform, when he becomes a salaried employee? Hanvey's scruples are unlikely to cut much ice in the real world of business: a professional is someone who gets paid for doing what they are good at.
How schools are putting young talent off IT
With regard to recent articles about the gender gap in the uptake of IT courses in schools and colleges, I would like to argue that uptake has nothing to do with gender, more how the courses themselves are perceived.
I am the director of ICT in a successful 11-18 grammar school in Lincolnshire. All our students take a GCSE short course in ICT (last year 96% gained a B or better and girls outperform boys consistently) and two A-levels, computing and ICT.
Regularly we are forced to cancel one of the A-level courses due to lack of numbers. There are a couple of reasons for this.
First, universities do not require students to study ICT or computing at A-level in order to take a degree course. Generally, only mathematics is required.
Students who have studied computing/ICT at A-level find themselves at a distinct advantage as degree courses spend up to one year of the course covering the A-level syllabus. Perhaps students with A-levels in computing/ICT should be allowed to "fast track" into the second year of a degree course?
Second, both ICT and computing are seen as less academic by the school, from governors to students, contrary to Iain Maclain's view (Letters, 4 October).
Until ICT and computing A-levels are recognised in higher education as a "proper subject", more talented and gifted pupils (boys or girls) will always steer away from ICT as a career.
Rob Cunniffe, director of ICT, Bourne Grammar School
Staff still ignorant of basic security measures
The research examining password security (Computer Weekly, 4 October) made for alarming reading. Of special concern were the figures pertaining to documents used by workers to record their passwords and access details.
Whether these documents are PC-, PDA- or paper-based, they represent a security risk because people within many offices still do not realise the security value of documents within the office.
Our own research has found that 35% of workers leave confidential documents on their desk at the end of each day, and 19% admit documentation has gone missing from their desk.
Improving awareness of basic electronic document handling and implementing procedures such as clear desk policies are inexpensive ways to combat this problem, especially compared to the expensive consequences a breach could lead to.
Mike Wenham, Macro 4
Arcane art of recycling electronic newspapers
I note that, on page 30 of the 4 October issue of Computer Weekly you advise readers to "please recycle it" once they have finished with the magazine. Most commendable.
However, I receive the electronic edition, so I am rather perplexed as to how I should go about this recycling. Should I print it out and then place the paper in my council-supplied recycling bin, or should I screen dump each page and e-mail them back to you so you can convert them into next week's edition?
David Viner, Norwich