Why it's time to stop calling users n00bs and 1d10ts

This is a guest post by Sophos security expert James Burchell. James has appeared on Naked Security and Sophos News before, live and in person in videos and podcasts. This is his first written article – we’re looking forward to his next!
October is National Cybersecurity Awareness Month (NCSAM) and this week’s theme is “Cybersecurity in the workplace is everyone’s business”.
Naked Security asked me what I’d do to make cybersecurity into a company-wide deal, rather than just relying on programmers and IT gurus to keep us all safe.
After all, even if we were able to write bug-free code and deploy it perfectly, cybersecurity would still be a massive problem, because one of the biggest risks to any organisation is a biological one – humans!
If you’re a techie or on the IT staff inside your company, you’ll know what I mean: you love users, yet you hate them; you call them n00bs; you deal with 1d10t errors on a daily basis.
Nevertheless, you also have to acknowledge that they’re inside every network, amongst some of your organisation’s most closely guarded secrets.
So, here’s how I see the problem.
In today’s world, every organisation can be considered a high-tech business.
Modern technology enables your business to reach more customers, and allows your humans to be more productive, though sometimes in a less controlled way than you might like.
The same technology, unfortunately, allows the Bad Guys to reach your business in a myriad of different ways, too.
Believe it or not, most of the actions performed by your humans are not done with malicious intent.
Alice didn’t mean to lose her laptop, Bob didn’t realise that he was sending that email to the wrong person and Charlie genuinely thought he received a parcel delivery notification from his courier.
Yet, after nearly 30 years of trying and billions of pounds in investment, we are still struggling with cybersecurity because we often fail to recognise that the issue is more than just a technical problem.
The human firewall
So rather than looking at your humans and wondering about what PEBKAC issues you’ll have to deal with next, instead look at them as having the potential to be individual human firewalls.
Weaponise them with enough knowledge to recognise a potential attack on their human emotions, and instil trust in them that they won’t be cast to the lions if they accidentally click on a link suggested by a hoodie-wearing hacker who’s sitting on the other side of the world.
Do that, and you will have one of the best detection and remediation systems that money can buy.
Create awareness
Create awareness around the office.
Get buy-in from a senior member of the organisation and consider having a dedicated area on the intranet where people can ask questions or as a place where you can post useful hints and tips, such as where to find great free security tools for personal use. (Sophos Home would be a good suggestion!)
Once you’ve created awareness, the natural progression is to measure who within your organisation is susceptible to phishing attacks – this is something that a phishing simulation toolkit can help you to identify.
If staff fail your phishing tests, don’t call them out or embarrass them – give them personal counselling to help them improve, to reduce the chance they’ll fall for phishing tricks again, and to get them on your side so they are ready to report potential security problems in the future rather than to sweep them under the carpet and hope no one notices.
Don’t ignore a particular department or person just because they are too busy or seem too important – those are great reasons for a cybercriminal to target them specifically, so make sure they’re included in your awareness activities.
Don’t be grumpy and mean
You’ll also win friends and influence people if you take care to show that not everyone in IT is there to be grumpy and mean.
Why not find a way to reward people for identifying potential security issues, all the way from keeping an eye out for tailgaters trying to slip into the building, to reporting dodgy emails with suspicious links and attachments?
Consider something as simple as having a jar of sweets or chocolate in the IT area so that people want to come and talk about security.
Or enter everyone who contacts you with a concern or reports a potential security issue into a monthly raffle for a prize such as a gift voucher.

Build a security team of everyone
Just think of the malware scare when Charlie clicked on that phishing email, and the position you found yourself in running around to figure out what happened.
Is it better for Charlie to hide what he’s done, fearing reprisal or ridicule from the IT team, or for him to approach you quickly and warn you about what just happened?
The latter would certainly put you in a better position to respond…
…so putting humans into your threat and risk assessments and creating a culture of security will put you and your business in a great position to face whatever comes next.
At the end of the day, every employee should be a part of the security team.