Because of my experience, groups frequently ask me to be a guest speaker about security issues. In most cases, however, the majority of the audience is already painfully aware of the immense challenges presented by Internet and information security.
That means that many of my presentations amount to nothing more than "preaching to the choir" about current security issues. And while I enjoy participating, reminding people to click the Windows Update menu item in Internet Explorer each week isn't even a mildly interesting topic for most IT professionals, and neither is my suggestion to use free antivirus software.
I've said it before, and I'll say it again: The horrible state of Internet security is due to an epidemic of ignorance. But companies can't just sit back and accept this lack of knowledge. Let's look at some simple steps your organisation can take to dispel this ignorance.
Ignorance is not bliss
One of the most prevalent problems with security is that most users are completely unaware of the risks of insecurity. And this problem will not fix itself.
It's a simple fact that most people who use a computer have little understanding of — nor are they interested in learning — the details of how their computer works. In fact, I would argue that the only time most people become interested in the operation of their computer system is when it stops working.
Developing end-user education opportunities in the corporate environment — and encouraging employees to attend them — is one way for companies to diminish computer illiteracy. Providing incentives for attending classes and for keeping a computer updated and virus-free are additional options to consider.
Helping those who help themselves
Those of us who are computer-savvy enough to install and update antivirus software and click Windows Update each week aren't doing enough to help ourselves. Even if they're not in an official support position, I bet the majority of readers have found themselves helping co-workers, family, and friends fix something on their computer or helping them recover from a virus or worm.
The old saying about teaching a man to fish has never been more valid. Helping one person and telling him or her to pass along the knowledge you shared does more in the long run to improve Internet security overall.
Consider setting up an informal mentoring program to encourage more computer-savvy employees to share their knowledge with their coworkers. Setting up a bulletin board for posting tips and hosting a lunchtime training session about security are also low-maintenance ways your organisation can promote security awareness.
Focus on your users
We are all aware of the current security problems wreaking havoc. However, while IT pros often enjoy discussing the various security challenges, these conversations do nothing to educate the average user.
The average user uses Microsoft Windows, and Windows is where the battle against insecurity and ignorance needs to start. The sheer extent of the threat to the Internet from insecure computer systems using Windows justifies taking the time to educate as many people as possible about how to secure their systems.
Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.
Talkback
I couldn't disagree more with the opening sentence here. While the end user IS responsible for a certain amount of knowledge required to implement proper security, the fact is that the root of the issue is systems that are insecure by design, i.e. Windows.
Between the tight coupling of the OS and many applications like IE, Outlook, and Office, and the idea that running as the super user is fine and dandy, Microsoft's Windows has done more to harm the internet than all other operating systems combined.
In earlier versions of the MCSE course, they actually suggested it was safer to add certain users to the admin group rather than to either create separate accounts for them or give them the administrator password. I knew after reading that one sentence the MCSE program was a joke, and the people who wrote it clueless about real security.
If all systems were designed to be secure from the ground up, as are UNIX-based systems and dedicated OSes like OS/400, MVS, and VMS, the burden on the user would be much reduced, and the number of compromised systems on the internet would be a small fraction of what it is today.