Calling all IT staff: check out the Sophos security manifesto

Filed Under: Data loss, Malware, Mobile, Privacy, Spam, Vulnerability


As many IT gurus know, security is not just about technology. It's also about teaching the user about safe computing. No matter how many security policies you have in place, if the users don't know right from wrong, a company can find itself in a vat of nastiness.

Unfortunately, many IT teams suffer the reputation of being the office cops. The problem here is that if a user does screw up, they sometimes shy away from reporting it to IT. Maybe they do this because they are afraid of getting in trouble.

To deal with this problem, we are trying to find a way to help the heroes in the IT department get the respect they deserve. One way of doing this is to dismantle the myth that they are there to punish or forbid. We also know that user education sounds very nice in theory, but can be a slog in reality.

So, we have been thinking up a way to help IT educate users in a friendly way, and we came up with the idea of launching the Sophos security manifesto.

This would include ten top tips, written simply and clearly to explain to users not only the right way to do things, but why it is important to do so. The idea is that these tips would be part of a kit that includes a presentation, some posters for your walls, and other goodies.

Sophos Security Manifesto

Cyber attacks can happen to anyone. Our job is to make it as difficult as possible for someone to attack you and your company. With your help, we can become much less attractive targets.

Follow these rules to help you and us prevent any nasties from getting in:

1. Don't be tricked into giving away confidential information
Don't respond to emails or phone calls requesting company confidential information – including employee information, financial results or company secrets. There is nothing easier for someone who wants unauthorised information than to call us up and pretend to be an employee or a legitimate user of this information. Keep on guard about these types of tricks to avoid falling for a scam, and report any suspicious activity to IT.

2. Avoid using an unprotected computer - is the computer you are using secure?
If you access sensitive information from a non-secure computer, like one in an internet café or a shared machine at home, you might put the information you are viewing at risk. Ensure your computer is running the latest approved security patches, anti-virus and firewall. Also be sure to work in user mode, rather than administrator mode, where possible.

3. Don't leave sensitive info lying around the office
Don't leave print-outs containing private information on your desk. Lock it in a drawer or shred it. It is very easy for a visitor to glance down at your desk and see sensitive documents. Keeping your desk tidy and documents locked away not only makes the office look more organised, but reduces the chance of an information leak.

4. Lock your computer and mobile phone when not in use
Always lock your computer and mobile phone when they are not in use. You work on important things, and we want to make sure they stay safe and secure. Locking your phone and computer ensures that your data and contacts stay safe from prying eyes.


5. Stay alert and report suspicious activity
Always report any suspicious activity to your IT team. Part of their job is to stop an attack from infiltrating the company. In the horrible situation that something does go wrong, the faster IT know about it, the faster they can deal with it and close down the leak.

6. Password-protect and encrypt sensitive files and devices
Always password protect and encrypt sensitive files on your computer, USB, smart phone, etc. Losing items like phones, USB keys and laptops can happen to anyone. While we all want to look after our belongings, things sometimes get stolen or misplaced. Protecting the data on the system with encryption and passwords means you make it incredibly difficult for anyone to break in and steal data.

7. Always use difficult-to-guess passwords
Many people use obvious passwords, such as "password", "cat", or obvious character sequences on the Qwerty keyboard, like "asdfg" and "12345". It is much wiser to use difficult-to-guess passwords. Include different letter cases, numbers, and even punctuation. Try to use different passwords for different sites and computers, which means that if one gets hacked, your other accounts are not compromised.

8. Be cautious of suspicious emails and dodgy links
Don't let curiosity get the better of you. Suspicious emails and links should be deleted. Even opening or viewing these emails and links can compromise your computer and invite in an unwanted problem without you even noticing it happening.

9. Don't plug in personal devices without the nod from IT
Don't plug in personal devices like USBs, MP3 players and smart phones without permission. These devices can be compromised with code waiting to launch as soon as they are plugged into a computer. Talk to IT about your devices and let them make the call to keep you and your computer safe.

10. Avoid installing unauthorised programs on your work computer
Don't install unauthorised programs on your work computer without permission. Malicious applications often pose as legitimate programs, like a game, a tool, or even anti-virus! They aim to fool the person into infecting their computer or network. If you like an application and think it will be useful, contact IT to look into it for you.
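Tip 7 names the patterns that make a password easy to guess: obvious words, keyboard walks like "asdfg", digit runs like "12345", and no mix of cases, digits and punctuation. As an added illustration (not part of the original post or a Sophos tool), here is a small Python checker that flags exactly those patterns; the word list, the QWERTY rows and the 12-character minimum are assumptions chosen for the example.

```python
import string

# Constructed list: the obvious words tip 7 names plus a few other common choices (assumption).
COMMON_WORDS = {"password", "cat", "letmein", "qwerty", "welcome"}

# QWERTY keyboard rows, used to spot keyboard walks such as "asdfg" (assumption: US layout).
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")

# Ascending and descending digit runs, used to spot sequences such as "12345".
DIGIT_SEQUENCES = ("0123456789", "9876543210")


def _has_run(text, sequences, min_len=4):
    """True if any min_len-character slice of text appears inside one of the known sequences."""
    text = text.lower()
    for seq in sequences:
        for i in range(len(text) - min_len + 1):
            if text[i:i + min_len] in seq:
                return True
    return False


def password_problems(password):
    """Return the reasons a password is easy to guess; an empty list means none were found.

    The heuristics mirror tip 7: obvious words, keyboard walks, digit runs, and a
    missing mix of letter cases, digits and punctuation. The 12-character minimum
    is an assumption for this example, not a figure from the post.
    """
    problems = []
    if password.lower() in COMMON_WORDS:
        problems.append("obvious word")
    if _has_run(password, KEYBOARD_ROWS):
        problems.append("keyboard sequence")
    if _has_run(password, DIGIT_SEQUENCES):
        problems.append("digit sequence")
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if not any(c.isupper() for c in password) or not any(c.islower() for c in password):
        problems.append("no mix of letter cases")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "asdfg", "12345", "Correct-Horse7Battery!"):
        print(candidate, "->", password_problems(candidate) or "no problems found")
```

Checks like this belong at the point where a password is set, so the user gets the reason immediately rather than a bare rejection.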

Let us know what you think
We would love to know what you think of the concept and the tips that we have come up with. Is this useful? Have we missed any that are more important? Is anything too obvious or not clear enough? Leave us a comment below and let us know.

And thanks - we appreciate your help!


23 Responses to Calling all IT staff: check out the Sophos security manifesto

  1. shewrite63 says:

    I like it! Thank you. I'm tired of feeling like "the bad guy" or sounding like mother. I look forward to seeing this manifesto develop into posters that I could use for my employer's Security Awareness program.

  2. John says:

    I wish I could like it, but I can't...

    You see I work for a "creative" company, and as far as creatives are concerned security is another name for the devil. It stems their creative juices.

    For the sake of DLP and Malware prevention we attempted stop them plugging in their personal storage devices / MP3 players / phones etc. That was until they needed to listen to their music and swap files with their colleagues!

    URL filtering. No no no. They need to look at all of those banned sites. Apparently those sites are the ones with all the creative ideas.

    Don't install applications! Wow. You try telling developers that. I mean, how else are they going to try 15 different file transfer clients in a day, and see which one circumvents the security systems.

  3. John says:

    Part II of II...

    Revoke their admin rights. Not when they "need to run application X which requires admin rights".

    In their eyes Microsoft is evil, and Apple are god. Strangely enough, a god that has no removable media encryption, no DLP and device control. Isn't it strange how they choose their god!

    I could go on and on, but the truth of the matter is that if you want to reach the wider audience one has to start at the top, and that means the senior management.

    I personally would like to see messages that senior management can relate to. Then perhaps we can start to implement a Security Awareness Program with the rest of the staff, which can strike a happy balance for all. (If they let me) ;)

  4. Mike Cherney says:

    Also, stay away from social networking sites, especially their apps

    • caroletheriault says:

      So IMO this is a difficult one. Many people use, and love, social networking sites. To tell them to stay away from them is like telling an elderly relative never to watch Columbo or Lewis again. They will nod sagely only to switch channels as you walk out the door. I worry that the don't-tell-IT-because-they-will-say-no attitude is more rife than any of us would like to admit.

      Would it not be a better approach to tell them that yes, they can visit these sites, but they would be wise to check their configuration options and advise them on what is responsible social networking and what is inadvisable? That way, they might report issues and help you better safeguard your network.

      • Daniel Laird says:

        Or tell them when they download a virus and cannot get to their work, they have to fix it themselves and will be banned from the network until their system is clean?

        /sarcasm

  5. Sven a.k.a MadDog says:

    Everything is in its place - easy to understand, and without the IT mumbo-jumbo that usually accompanies our manifests, regardless of whether it is security or any other measure users have to take to "please" the IT crowd

  6. Olly says:

    Sounds good to me.... Whether people will read it is another matter all together!

  7. Microchip says:

    Very good, perhaps a bit verbose.

    John's comment is an extremely accurate one, particularly when they will be the leaders on any departure from the Manifesto. Bosses don't seem to grasp that they are the primary target in any hacking/phishing attempt. (Didn't Graham Cluley say something similar a few months ago?)

    In a well regulated enterprise, all these points and more should form part of the Security Policy, Email Policy and Internet Use Policy and be part of the Employees Handbook. Line supervisors should be trained in policing those policies.

    • Paul Ducklin says:

      Problem with many company Policy documents is that they are often (usually?) impenetrable. Frequently they overlap. For example, you mention "Email policy" and "Internet Use Policy". The last time I sent an email not using TCP/IP was in the late 1980s - Fidonet - so why have separate documents?

      And sometimes company Computer Policy documents include information, advice, or even strict regulations which are counterproductive or just plain wrong - big, HR-lawyered-up documents are hard to change, so they frequently accumulate "security advice" which was approximately-received wisdom a few years ago, but which is now outdated enough to give nothing but a false sense of security.

      Password-change policies are a case in point. Many companies have arcane and extensive rules about changing your passwords, but can no longer explain how, or even if, these increase security - indeed, change can be the enemy of security.

      Carole's 10 points are IMO very readable and I'm ready to back them - they _could_ be edited down even more, but that would make them a little less explanatory and exhortatory. (I've always wanted to use that word. And there it is.)

      They're wayyyyyy shorter than the Policy documents people learn to ignore, or simply cannot comprehend, and they are written to be inclusive, not prescriptive.

      I like them because they don't just reach out to employees, but also to the very IT staff whose in-accordance-with-policy prescriptiveness is sometimes part of the problem.

      They have an "onwards and upwards!" flavour which appeals to me, and I think we can pitch them to all levels: the CxOs who insist that there are Rules And Policies, then want to break them when they get their personal iPads; the IT staff who have the unenviable task of pleasing all the people some of the time; and the rest of us.

      My 2c.

  8. Ray Allen says:

    I would add searching in Google or another search engine; something to do with SEO poisoning - that is what seems to affect our organization the most. The inability to discern safe sites simply by looking at the URL. I hesitate to say what I use but there are toolbars out there that rate searches; it may not be foolproof but it's definitely a start.

  9. Paul says:

    A well presented list. I would like to see an 11th item that says something like, "Oftentimes we have to use technology to protect ourselves and you. That might mean denying you access to a website, application, or device due to the risk it presents to our business and information. We don't do this to be dickheads...we do it to preserve the safety and security of our business. If you need something, let's talk!"

    Item 10 has a typo: "The aim to fool the person"...should be "THEY aim to fool...".

  10. Olive Branch says:

    On Thursday a (let's call him) middle manager's smartphone (which he uses - or rather, used - to access his corporate account) "disappeared" from his office. He did not tell us before Monday. When asked if he had changed his password he replied, "no - do you think it's necessary?"

  11. Ethan says:

    I think this is a great idea actually. It's simple, short and not laden with all sorts of technical jargon. I'd love to see something like this. The posters would be up in my office in a heartbeat and I'm sure management will let me add at least another one or two in other areas around the office.

  12. Giampiero says:

    Thank you very much. It is a good and useful idea.
    Giampiero

  13. Casper says:

    Not bad. But really, apart from using simple language, how is this any different from any other list of rules? You've fallen into the trap most IT people do in thinking that by providing more info (albeit in simple language) users will understand you better.

    What security pros really need to do is understand what motivates users and leverage that.

    This guy gets it... http://www.8thlayersecurity.com/8th-layer-blog/se...

    • Roy Jones Jr says:

      Believe it or not Casper, some companies don't have this list of rules (which should be a standard regardless of the type of industry)

      Reading some of the responses disagreeing with these rules shows how seriously some IT depts. take security. Office cops? Leverage? Our IT dept. laid it out simply, "We will do our part to give you knowledge both work based and non-work based (as a gesture for internal customer service) to help you do your jobs. All we ask from you as the users is that you abide by the rules set forth by the company." IT departments aren't put in companies to be light. They are tasked with protecting the technical assets of a company. Any broken rule has a consequence. Yeah it might not seem fair but would you rather the alternative?

  14. shewrite63 says:

    Is it possible to update this and copy into a current post (October 2011), related to Cyber Security Awareness Month? I refer to Sophos often as a credible source in security awareness tips for my users.

    Other sources:

    Get Prepared by Gov of Canada
    October is Cyber Security Awareness Month http://www.getprepared.gc.ca/prod/tp/tp201010-eng...

    Public Safety Canada
    Cyber security matters to everyone, everyday http://www.publicsafety.gc.ca/prg/ns/cbr/index-en...

    SANS.org
    October 2011 Cyber Security Awareness Month (umm... too technical for average users) http://isc.sans.edu/diary.html?storyid=11623

    Thanks!

  15. Joan says:

    Maybe this is a bit too obvious, but we have had it happen. ---"Do NOT bring in compact discs from outside the office and insert them into CD drives on your office computer even just to copy them. "

    A young worker in our office had small children for whom she provided learning tools--educational grammar & mathematical games primarily, which she purchased either on line at a learning site or in a local bookstore. A commendable thing to do, but I suspect she surreptitiously brought them in to make duplicates so both children could use the games on their own computers. When her workstation crashed completely, her hard drive had to be replaced. There were almost a dozen viruses. She categorically denied that she brought any unauthorized discs into the workplace. My then employer suggested to her that, because she was so nice and sweet, the viruses chose her, jumped down from the sky, landed on her machine and decided to make a home on her computer to the exclusion of everyone else's. It never happened again.


About the author

Carole Theriault has been working in the computer security industry since the late 1990s. She currently heads up Sophos's Naked Security news website. She also looks after the company's threat communications and social media strategy. You can contact Carole at ct@sophos.com, or follow her on Twitter at @caroletheriault.