Confidence

Filed Under: Data loss, Spam

"This week's guest blog comes from my colleague Rob Forsyth. Rob is managing director of Sophos in Asia Pacific, and currently Deputy Chairman of the IIA (Australian Internet Industry Association). Over to you Rob..."

Rob Forsyth

I believe that a major driver of confidence, in all aspects of life, is having some awareness of the outcome of a specific behaviour.

When crossing the road, we need to believe that cars will approach us from the left or right, that green lights mean go and red ones mean stop. This assurance shapes our behaviour. In its absence - namely a lack of confidence - we are either apprehensive (or even fearful) or, on the other hand, potentially reckless, because the risks are unclear.

This confidence is shaped differently depending on context. We drink tap water with confidence in Australia but may not in another country. We may go for a walk in the evening near our home, but choose not to in another city. The internet, crossing borders as it does, gives us little guidance on what we should expect to be legitimate and how we should behave.

As a goal, our level of confidence should be as predictable in the online world as it is in the physical world. Currently, as we enter this age of change - and it is only just beginning - few rules exist and common standards are limited. As one example only, the patchwork of local legislation related to spam has created a number of gaps that are being exploited. Just as the internet is truly global, neither behaviour nor legislation can any longer be purely local.

There is little consistency in the manner in which organisations, both government and private, deal with issues such as privacy, customer communication and security in the online world. What is required is a definition of best practice for both 1) websites and 2) email, and to 'brand' this in a manner which:

  • Is global
  • Provides 'expectation consistency' to the public
  • Promotes best practice and safety online
  • Is supported by law enforcement

Given the way in which cybercriminals behave, we should expect them in time to steal this 'brand' to aid their criminal activity - unfortunately this will not be avoidable. Such criminal use of the 'brand' should matter little, because the framework will have clearly defined what safe practice looks like.

So if the 'brand' policy states that emails will never request usernames and passwords (and it will), an email that requests usernames and passwords under a fraudulent use of the 'brand' will still be recognisable as fraudulent.