We want to hear from you (and you might just get a free book out of it)

Filed Under: Featured

We need your help - we're looking for article ideas.

Calling IT managers... You're busy. Everyone expects everything to be working smoothly. All. The. Time. And when it doesn't, you're expected to fix things faster than a cougar chasing a herd of college boys. Roar.

Bet you'd like some useful articles to make your life a bit easier?

What articles would you like to see written? Maybe you want to know about how to create a good security roadmap, or see an example security policy you could use in your business.

Maybe you'd like a checklist to help you ensure your third-party providers have got all the security basics covered.

Or just something to help make your life a little bit easier.

Let us know. In return we've got three copies of Bruce Schneier's latest book, Liars & Outliers, as reviewed by Sophos' very own Paul Baccas, and we'll send a copy to the three best suggestions.

Share your ideas here


33 Responses to We want to hear from you (and you might just get a free book out of it)

  1. Adam · 1325 days ago

    All we usually get from security blogs are "fail stories". While they are very inspiring (always better to learn from somebody else's mistakes), they are not sufficient to persuade decision makers (and budget keepers) to spend more money/time/people on improving the security procedures, policies and infrastructure.

    I'd love to hear some success stories from the world of security. Attacks that were stopped before they could harm anyone. Data that did not leave the server although the attacker was already there. Hackers who landed in a honeypot instead of the credit card processing center. I could really use some inspiration and real-life examples of how implementing better security saved x times more money than it consumed.

  2. I would love to see articles covering employee training and information security awareness. It's a huge challenge, educating employees without going over their heads, but still trying to provide useful, actionable information.

  3. eric gardner · 1324 days ago

    God, we've got to do something on Zlob/Vundo.

  4. E. B. · 1324 days ago

    > Let us know.

    How do you want us to let you know? Post a suggestion in the comment block??

  5. Thanks for a fantastic blog.

    Being a security firm, you are more likely to be abreast of current best practice and security trends. I would love to see different little series for small to large enterprises - defining a security framework, reviewing negatives and positives in deployments and arrangements, and inviting vendors (minus the marketing junk) to discuss their viewpoint on hardware/software/trends/war stories.

    Thanks again for the blog. Enjoy the read.

  6. Robert Nickelson · 1324 days ago

    Dear Sophos,
    I feel it would be helpful if someone was to write an article that addresses suggestions on "How to give the bad news" to staff/co-workers that their IT problems might be their own fault, without making the person or persons feel like you are saying they are stupid. Preventing the situation where a person becomes defensive and resentful is often as hard a job as fixing the IT problem. Another related issue is how to teach important IT concepts without talking down to non-IT or non-computer-savvy staff members. Protecting passwords from all-seeing eyes. Safeguarding IT equipment from theft while on or off the job site. IT and the TSA - helpful tips and practices that make air travel security smooth and free of security issues and snags that cause frustration and delays. What is the best contingency plan for when IT connections and things go terribly wrong for presenters during an IT conference or a staff meeting or anything in between? My final suggestion for a helpful article is the best practices and ways of accessing the files and data needed remotely while away from the office.

  7. Does having an IT policy that requires you to lock your laptop at the office actually help with keeping data confidential?

    Does being secure actually mean being boring, or at least being unwilling to try new things...maybe (just maybe) you might really be inheriting 25million from a Nigerian prince? Are the people who fall for pranks and schemes, just open to more ideas and experiences?

  8. Kingsley Meyer · 1322 days ago

    NS is one of my top IT security reads and the first I recommend to others because of its readability. Mobile devices, social networks, cloud apps and storage come to mind as great concerns adding to your traditional mix.

  9. Gerrit · 1322 days ago

    Maybe you could write some articles about how you analyse malware and which tools you use. The German blog heise/security has published articles about this and these are really interesting.

    Something about grey hat hacking maybe in connection with metasploit could also be favored.

    Articles concentrated on the needs of firms could be about trust/certificates/certification in companies.

    Thanks for your great blog!

  10. Major Tom · 1322 days ago

    As someone interested in training and education I'd like to agree with @CaneDrew - I'd be very interested in different approaches to just how you get this across to users.

    In my experience the usual didactic PowerPoint lectures simply don't work in this area. What are the approaches that make a real difference? E-Learning? Manual Gaming? Electronic Gaming? Practical hacking sessions? (with all the ethical problems associated with this), BOGSATs?

    An article looking at different approaches - with practical suggestions as to what might be more effective with different numbers of students and those at different levels, from management (with the funds), middle-level supervisors and the average office worker - would be very helpful.

  11. Massimo · 1322 days ago

    Possible useful article 1:
    "Advantages and pitfalls of setting up your own open source corporate CA"
    Possible useful article 2:
    "Best COTS defence against polymorphic malware vectors"
    Finally, possible article 3:
    "What happened to biological models of malware defence?"

  12. LarryR · 1322 days ago

    Security Professionals are pulled in many directions. We often have little money and little staff to "keep us safe".

    I'd like to see a comparison of possible open source solutions to many of the threats we face today. Is it possible to get to a decent level of security without having to beg, borrow (hopefully not steal) for funding?

  13. Sharp · 1322 days ago

    I would like to see some articles about HITECH laws. I ask local compliance firms and they tell me they are not set, but I have read of two cases of companies being sued over HITECH compliance.

  14. Richard · 1322 days ago

    There are so many patches needed and Automatic Updates doesn't handle them all. Can you help write about instituting a 'patch culture'? Is the walled-enterprise behind the firewall good enough? How do you prioritize what is absolutely critical to patch?

  15. Tim · 1322 days ago

    It is 16 years since I retired as Head of IT Security for Shell in the UK & NL. If I wasn't a realist I would today be thoroughly depressed at seeing the same old security problems still plaguing us all today - the technology may have changed but the problems are the same. Twenty years or so ago my office led the writing of the British Standard BS7799 Information Security Management. It is now an ISO standard presently noted as ISO/IEC 27002. There is a bit about this on Wikipedia at http://en.wikipedia.org/wiki/BS_7799. (Please note that it was not written by the DTI - it was developed by a UK industry group based on the internal standards developed by Shell in the UK.)

    I have no doubt that this well developed standard would be a very good place to start in order to develop the necessary policies and practices in your companies. The one bit of advice I would give is that it is essential to start at board level - they have to understand why they need to drive security practice throughout the company. Without that top level commitment no one else will take notice. With it you can move mountains.

    The philosophy of your company needs to say that the company will only undertake a project - whether it be an internal service or an online public service - if it can be done securely. Too often the driver is profit first and never mind security till it all goes wrong. You only have to read these bulletins to see how many companies, really prominent companies, have it the wrong way round.

  16. Sam · 1322 days ago

    Perhaps the awareness training angle could be dealt with by an IT version of Prof Brian Cox making a decent TV series - a combination of fear and enlightenment, knowledge and good practice. Volunteers please?

  17. rbatoon · 1322 days ago

    Best articles are the "How To..." with examples

  18. Elrond · 1322 days ago

    Handling expectations and balancing that with security, i.e. what do I tell people who say things like, "I trust Google," when you know they have access to confidential staff/student data?

    Also, what are the legal implications should teachers and principals upload photos of students to Facebook or other sites where they become the property of the site? Educational institutions are expected to have a release for photos they post.

  19. Guest · 1321 days ago

    Explain why VirusTotal is both good and bad. Explain how malicious actors seem to stay ahead of AV vendors. Explain how Sophos has actually worked with Law enforcement or Banks to help them. Explain malware analysis concepts.

  20. encryptography · 1321 days ago

    I can forward an email to hundreds of individuals who utilize personal computers at home for work-related tasks about the importance of updating their systems' anti-virus programs, but such emails are deleted as they are nothing short of dull.

    However, I have forwarded the link to your article about Sophos's Klingon Anti-Virus "program", to which I have received a dozen equally humorous responses, which might suggest humor works for otherwise boring topics. Brilliant, do it more often. Perhaps the Romulans can now discuss password management concerns.

  21. Jon · 1321 days ago

    What I would like to have is basically a "think before you click" article written for the lay person, so I can refer some of the people who insist on clicking everything and anything that they get in their inbox and Facebook status updates etc. That is, "this is what happens when you click on that kind of stuff - this is how the cyber criminals make their money" etc. :)

  22. John · 1321 days ago

    How to safely use Facebook and not get hacked (great for staff)

    Explain mobile/cellular hacking, a lot of bank accounts etc.

    Using public computers safely when traveling

  23. How about more on securing your mobile devices especially for the small enterprise client?

  24. Nickstar · 1321 days ago

    I would love to hear more about smart phone vulnerabilities/security.

  25. jimjam · 1321 days ago

    I would like to see an article written for the users, a dumbed-down guide on the importance of keeping systems up to date, and the importance of keeping their machines virus-free and securing data.
    You could even possibly show what a fake virus popup looks like, as the number of times I've had users come round to me and say, "is it ok to click this?" is unbelievable.
    Then you could even do the same for senior management, the pen pushers, the ones that expect everything to be secure, be cheap and work 100% of the time, when half of the time it is their own stupidity that causes issues.
    And then, if you get time, could you draft up a standard email reply: "I'm sorry, your request is important to us and we are dealing with it as quickly as possible."
    From a frustrated IT manager: half of my users don't even know how to change their own password, the other half struggle to understand that if you switch the wireless off you won't be able to go on the internet!

  26. Colin · 1321 days ago

    I realise it's just a fantasy, but the question was what would you like to read about on Naked Security.
    And what I would like to read is that spam, scams and viruses have all finally been completely wiped out.

  27. Ad. · 1321 days ago

    Thanks for asking the question!

    The biggest everyday hurdles I run into as an IT manager are old-fashioned organizations who believe that office workers need only know how to type with 2 fingers, and that IT risks/hazards/emergencies only apply to large for-profit corporations.

    It's easy for people like this to dismiss the onsite IT workers as being cranky/limiting/paranoid. An outside voice (in approachable plain language) is often respected & acted upon. Some backup on best practices would be very helpful.

    I'd really like to see some articles on recommended baseline IT & security awareness levels/training for non-IT office workers. Some articles showing impacts to small businesses and nonprofits would also be very helpful.

  28. Josh Marshall · 1321 days ago

    Less of Graham Cluley. The bias and lack of depth on any side AND the lack of technical details make for lousy reporting. I swear, it takes only a year to achieve the level of knowledge put forth by his stories, which, for technical users, tends to be counterproductive.

    I need to know what each entity in a story is trying to accomplish, why, and how.

    Whether it be security issues, to new hardware I want to know pros, cons, and how whatever is happening is happening for each side.

    I don't read just to know that something has happened, I read because I want to know the details about something. So I know to avoid a piece of software, wait for the next technology to come out if it's worth it, or to start looking for a patch for one of my systems.

  29. David White · 1320 days ago

    I am new to IT, coming up on 1 year out of school and working for a rural farm services company. I enjoy reading what has been classified as 'fail' posts. What I would love to read more about are the common holes companies have in their network security and authentication systems. I would like to read about the things I can do to help security in my own company. I would also love some how-to's on security, getting vendor- or OS-specific. A personal request I haven't seen a good how-to on is converting from a large workgroup environment, where security is a nightmare, to an Active Directory environment with decent security. I realize that this would be too much for a single post, but it might make an excellent series. I enjoy reading this blog and hope it keeps getting better.

  30. Mario · 1320 days ago

    If possible, analyze programming languages and rate their security aspect and let us know by groups which ones are the best and worst to use, which ones have the most flaws (PGP vs Javascript vs CGI, Java vs C++, Ruby vs. Perl vs. Python, etc...). Coders are a big factor in there, I understand, or grab some statistical analysis on malware hitting on which programming language, if such a thing exists.

    A bit like we do when we say that most malware is written for Microsoft OS, and a little bit for Mac / Linux, could we do the same per programming languages?

    We could apply this to the SQL based DBs as well (ORACLE, Postgres, SYBASE, ...)

  31. Eileen Coles · 1318 days ago

    Malware and other forms of cyber attack are becoming increasingly political. Stuxnet and Duqu are the primary examples. Articles would be welcome on how multinational IT security companies manage to remain ethical, professional and responsible to the greater whole; to occasionally include cooperation with competitors in the face of attacks that clearly have some form of governmental or political agenda behind them. There is a need to stress impartial responsibility and professionalism in the face of such threats.

  32. Gerry · 1316 days ago

    For those with large IT departments, they should have the resources to implement secure environments, with the exception of other employee awareness for security. However, for small business people who have a handful of employees yet are reliant on IT and data transmission, even simple things can pose big problems.

    How about articles that simply explain practical security applications? For example, what are the genuine security risks on Android phones and what apps help make a phone more secure? What sort of risks are there in leaving passwords in the security areas of browsers, how proficient are firewalls and the zones they attribute to programs? What are the practical sites that offer good technical advice and that you feel are trustworthy?

    Of course there is room for the larger viewpoints, but I find the blogs from Sophos and the odd small downloads that remove specific risks or viruses useful in saving time in implementing better security and keeping me up to date on the risks I face - your blogs save wading through interminable opinions on how to make Facebook or Google secure, for example. Expand this.

  33. Andy3940 · 865 days ago

    I'm involved in a project with a large medical center coordinating purchasing plans and future RFPs to include information and network security. I'm amazed at the number of vendors who consider "we're on the safe side of your firewall, we don't need a/v, operating system updates . . ." We have a good relationship with Purchasing. Some of the issues we've seen are service contracts that creep into needing network connections. How about a guide for purchasing staff?

Follow Naked Security on Twitter at @NakedSecurity, on Facebook or join us on Google Plus.