Security: Let's Start with Education in 2013

By | January 03, 2013

Posted in: Network Security Trends

Welcome to the new year. Welcome to 2013! What comes with the new year? Why New Year's resolutions, of course. You might be looking to eat better, exercise more, or smoke less. Many CIOs will be making New Year's resolutions to improve system security. And while more complex passwords, intrusion detection systems, new firewalls, operating system patches, anti-virus updates, and more may come to mind, they aren't the most critical. Don't get me wrong. They are important and necessary. They should be done. But I challenge my fellow CIOs to truly enhance security by better educating our users.

Educating users isn't as neat and tidy as installing new hardware or updating software. It involves users and, for that reason, CIOs place it last on the to-do list (if it's on the list at all). Education, done properly, can be THE most important tool in your security arsenal. Education is the key to all the hardware, all the software and all the policies and procedures you have in place to provide information security. I would argue that security begins and ends with education. So while some look at 2013 as the "Year of the Snake," I say it's the "Year of Security Education."

Why do we need to educate? I could be flip and say, "Because some people still believe the emails that say Mr. Adir Marajo of the Federal Republic of Nigeria needs their help with transferring a large sum of money." Sadly that is a reason, but the larger and more encompassing reasons are that scammers have access to much more personal information, and they've gotten much more sophisticated in their approach. People need better education to recognize scams and avoid them. And while it might be an overgeneralization, it appears to me that the younger crowd needs some motivation to understand that their actions and inactions have consequences.

Today's smartphones and tablets have amazing capabilities. Seemingly every day a new piece of software or hardware comes out to further extend those abilities. You can access your corporate systems and share and synchronize files across every device you own. You can take credit card payments, scan a barcode, or take a photo and automatically upload it to dozens of different social networks. And those social networks are adding geometrically to the amount of data available for analysis. Some savvy businesses are already combing social networks for competitive information. Remember the recent news story about the Target store that knew a girl was pregnant before her parents did? All based on big data analysis of her buying habits. Are your employees checking in on Foursquare, Facebook or Twitter, revealing with whom they are meeting or negotiating? Are their Rolodexes with sensitive client and prospect contacts being shared with LinkedIn and other systems outside your control?

Spear phishing has reached new levels of sophistication. Attackers have a whole host of new personal information sources that they can use to trick users into revealing security credentials and then use them to access confidential data.

The consumerization of IT has a firm grip everywhere. For some people, the distinction between personal and business is growing fuzzier. BYOD and COPE exist in some shape or form in virtually every company. BYOD personal devices are now supported, but oftentimes with only minimal security. I've always contended that BYOD will pave the way for BYOS (Bring Your Own Software), and not always in a positive way. Many pieces of enterprise software leave much to be desired in terms of user interface, functionality and overall user experience. So what happens when you put users, with their shiny new mobile devices, who want to make life easier for themselves, together with app stores that house hundreds of thousands of applications that help you do almost anything? More than ever before, the onus of proper security is on the user. And bad things happen if you don't have an educated user.

In an era when users don't bother to read terms of service agreements, and when easy-to-use applications like Dropbox can make you lose control over corporate information quicker than any of us would like to admit, users must be educated. They need to know the big and the small picture. Educate them on the basics: the company policies on data usage and access, on social media usage, and on any regulatory, legal and other guidelines that relate to your industry. Equip them with the knowledge to avoid the tricks and traps. Provide them the motivation to compute securely. They need to understand that what they do and don't do has repercussions. Let's make 2013 the most secure year yet.

About the Author: Jeffrey Brandt is the Editor of the PinHawk Legal Technology Digest, a columnist for Legal IT Professionals, a member of the Law Technology News Editorial Board, and a frequent educational speaker at regional and national user, trade show and industry conferences. Mr. Brandt has been the Chief Information and Knowledge Officer for several top 100 US law firms. He has more than twenty-eight years of experience in the field of legal automation, working with geographically distributed organizations across the globe. He now consults to law firms and professionals on projects as diverse as green technologies and processes, knowledge management, information security, communities of practice, IT executive mentoring, electronic workflow management/reengineering, mobile technologies and IT structure/personnel requirements. He has also served on numerous technology advisory boards and in numerous capacities in the International Legal Technology Association (ILTA), the most recent being on the Board of Directors. Email him at Follow him on Twitter: @jeffrey_brandt. Connect with him on LinkedIn:

Editor’s Note: The views expressed in this article are the opinions of the author. Security Bistro is not responsible for the article’s content or messaging.
