Security / Privacy Advice?

James-NSC writes "My employer is changing its policy towards employee use of social networks. I've been asked to give a 40-minute presentation to the entire company, with attendance mandatory, on the security and privacy concerns relating to social networking. While I was putting it together, I ended up with some miscellaneous information that pertains to security/privacy in general, for example: the emerging ATM skimming (mainly for our European employees), a reminder that email is not private, malware/drive-by in popular search results, etc. Since these topics don't directly relate to the subject I've been asked to address, I've ended up with a section titled 'While I have you...' I'm going to have the mandatory attention of every employee and I thought it would be a great opportunity to give advice on security/privacy issues across the board. As it's an opportunity that one seldom gets, I certainly want to utilize it fullly. If you had the attention of an entire company with employees in the US, UK, Asia, and Australia, what security / privacy advice would you give?"

Mandatory?

[DoofusOfDeath]

I'm going to have the mandatory attention of every employee

No, you're going to have the mandatory presence of every employee. And unless you make the talk riveting, every seconds of unnecessary content will make them despise you more.

Re:Mandatory?

[CannonballHead]

I have found that food helps everyone like you more; perhaps he should provide lunch. Or at least cookies.

Re:Mandatory?

[PylonHead]

This is correct.

Present just the information you've been tasked to convey.

Present it in at least 2 different ways.

Take questions.

Summarize once more and let them out early.

Honestly, the more you try to cram in there the less they're going to take away.

Re:Mandatory?

[0100010001010011]

Boobs. No really. Find a ton of pictures of chicks that they posted and regretted.

Put under it: "Do you want this to be your personal data." On the next slide: "Once it's on the internet. It'll never be off the internet."

Maybe separate presentations based on gender/sexual orientation.

1) Everyone will be captivated.
2) It'll make the point rather clear.

Re:Mandatory?

[commodore64_love]

>>>every seconds of unnecessary content will make them despise you more.

I love mandatory meetings.

It's a great opportunity to get paid $50 for doing absolutely nothing for an hour. Score!

Re:Mandatory?

[BadAnalogyGuy]

Have you ever tried growing tomatoes? It's very difficult because there are lots of things that can go wrong. Bugs, bad soil, wind, even the tomatoes themselves can be too heavy and break off the vine. It's not a matter of planting the seed and then letting it grow. You've got to be involved almost every day to make sure the growth is under control, that the vine is tied where it needs to be, that the plant is properly pruned so that you don't end up with a scraggly set of leaves and scrawny tomatoes. It's a very difficult, but very rewarding activity.

So when you say:
Take questions.

You are wrong.

Ask questions. If you want your audience involved, you need to solicit feedback. You can't expect them to come with any questions, so you need to frame your speech to include questions *to* your audience so that they become part of the program, not just spectators.

Re:Mandatory?

[dave562]

I like the idea of asking questions. In the context of the speech the speaker might ask, "When was the last time you were in danger of having your personal information compromised?" He can then go on to offer a couple of examples that illustrate his point of how wide spread the problem is.

Re:Mandatory?

[Mikkeles]

I really hate doing nothing at work; I'd rather do my job.

Re:Mandatory?

[wisty]

Another good question: Who has ever sent and email that they wouldn't want a third party reading?

Re:Mandatory?

[rtb61]

The idea for a company security presentation is the opposite of that
4) Loss!.
On a company presentation keep it very straightforward and simply. Advise them of the security problem, highlight the problems it causes and detail to consequences for the employee for failing to adhere to security protocols. Put it in writing, get each employ to pick it up and sign to confirm they acknowledge it's contents and are aware of the consequences, 4) Loss! - it will cost the company money and likely cost the employee their job.

That is the very first thing you establish prior to giving a security briefing, what are the consequences for any employee that fails to adhere to the requirements of each of the different elements of that security briefing, loss of access, demotion, written warning or, instant dismissal. The employees will only listen if htey have a vested interest in listening.

Can't hear you

[sakdoctor]

Too busy leaking private info on my crackberry.

krsmav

[krsmav]

When you have a captive audience, the temptation is nearly irresistible to force-feed them something they wouldn't willingly listen to. Put yourself in their place. Don't say anything that you would resent being forced to sit through. Keep it short and jargon-free, and lighten up if possible.

mandatory attention

[nethenson]

"I'm going to have the mandatory attention of every employee and ..."

Wrong. You are going to have the mandatory presence of every employee, but their attention is something you will have to earn.

Using social networks in the job?

[Saija]

on the security and privacy concerns relating to social networking

I'm a little confused here: are the employees of your company using social network at work?, if so, why on earth don't you block the access to this sites?
Note to myself: don't use /. at work

Re:Using social networks in the job?

[piojo]

Maybe they treat their employees like adults and allow them to take breaks at times. Installing an internet filter is almost demeaning. It's kind of like drug testing, in fact. Companies that pull this shit don't believe in evaluating employees based on performance--instead, they really, really want you to follow the rules.

IT people get security wrong

[Kohath]

Educating your users is useful. You'll probably do a good job. Tell them not to download and install anything "fun" for Windows.

I find that IT people get security wrong far more often than users, though I'm used to working with sophisticated users. IT people setup security that's needlessly inconvenient. The users then spend their time circumventing that security to get their work done. Users do things like writing their password down on a post-it, using skype, setting up logmein.com on their PC, or posting a document on a public site. They do this because IT forces elaborate password schemes and won't support remote logins or other external communications.

IT needs to be responsive to user needs for security to work right in an organization.

Re:IT people get security wrong

[element-o.p.]

Wrong.

It's not the poor stiff at the helpdesk who sets policy; it's the extraneous middle manager five levels up who doesn't give ${rodent}'s ${anatomical feature} about how difficult it is for the working-class saps, so long as he can tell his SoX auditor that they are abiding by a secure policy. BTDT, got the T-shirt.

Re:IT people get security wrong

[rantingkitten]

Tell them not to download and install anything "fun" for Windows.

Alright, the zealot in me just has to step up.

The overwhelming majority of rank-and-file office workers don't even need Windows. Really. They don't.

They need email, web browsing, spreadsheets -- usually nothing particularly demanding -- IM, and not much else. In this day and age of online CRMs and such, most office workers could get away with little more than a browser.

Why are these people even using Windows?

Sure, there are always the accountants who have that Excel macro they wrote eight years ago that absolutely will not translate into Open Office. Fine. And you have those three guys who use specialised CAD software. Great. Those people can use Windows.

But the vast majority of the sales crew, administrative staff, and damn near everyone else, does not need Windows. Why are we pouring such huge amounts of money into this crap?

"But kitten! We have an application written thirty seven billion years ago that only works on IE!"
Great. You can either spend a bit now to rewrite it so it works on any platform, or you can continue to throw thousands of dollars and thousands of manhours, year after year, at the effort of keeping this thing propped up. When are you going to throw in the towel?

"But kitten! The retraining! My team only knows Windows!
No. Your team does not "know" Windows, any more than they "know" engines because they drive a car. They know, by pure memorization, that for email they should click this, for the shared network drive (which they probably call "the office drive") they click that, and for Word they click here. They know how to use a couple of applications but that is not OS-specific. The reality is, if you installed Ubuntu on every one of your sales team's computers, and told them "It's, like, the new Windows Longhorn!", they'd grouse about it for a day and get over it. Your "team" does not "know Winedows". You didn't train them in "Windows", you trained them to know your specific business applications, most of which are online and are therefore OS agnostic.

So you can either throw more and more money and manhours at keeping your staff on Windows because they "know" Windows, but curiously need to be told over and over how not to break Windows by downloading things, and lose hours of time because they effed-up Windows once again and had to wait for IT to re-image the machine...
...or you can have them stop using Windows because they don't need it.

sigh.


I know, yes, I know, there are always those few sitations where Windows is necessary. And some smartass always has to pipe up with "Well, in MY company we haev this GUY who has a Windows only APPLICATIOn and we couldn't SURVIVE..."

Spare me.

The truth is we -- as an IT professional collective -- throw so, so, so much money and time at keeping the Windows lusers safe. Trying to "educate" them, fruitlessly. Tracking licenses. Buying more upgrades. Making sure to roll out new "virus definitions". Admonishing users time and time and time and time again: "Stop downloading that. Don't install that. Quit forwarding that email. Don't click that for god's sake."

When is it time to stop treating the symptoms? Attack and remove the cause, which is Windows. If Windows is not exactly the cause, per se, it is certainly the enabler.

Please note: Using Linux (or any other OS) will not stop idiots from chattering about private company information in public. But that is a managerial problem, not a technical problem.

Note that using Linux will not stop your idiot employees from naming names on Facebook and Myspace and Diggwoot and Farkmeme. But that is a managerial problem, not a technical problem.

Using Linux WILL prevent your employees from contracting viruses that email random -- often confidential -- documents to random

Re:IT people get security wrong

There is one thing Windows has over Linux, and that is the ability for someone to point and click on an OU level, update and push out a GPO. This doesn't sound like much, but companies like being able to manage every single PC out there.

Another thing: Say I use a non certified (no FIPS/Common Criteria) OS in a publically traded corporation, and something happens, or some auditor just decides to start going through logs. Guess what. Because the OS isn't certified, I'm not following due diligence. This opens the company up to shareholder lawsuits, and officers up to prison time.

There are two certified commercial Linux distributions that can be used as desktop replacements: SuSE, and RedHat. Both have all the colored stickered that give the critical CYA needed in a medium to large company.

Cutting off social networking?

[syousef]

My employer is changing its policy towards employee use of social networks. I've been asked to give a 40-minute presentation to the entire company, with attendance mandatory, on the security and privacy concerns relating to social networking.

Correct me if I'm wrong but that just sounds to me like your employer is going to start blocking Facebook, Myspace, Youtube, private email, and possibly everything else your filtering software classifies as social networking. Or at least a prelude to this.

If I'm right, the only opportunity you're being given here is to become the public face of a very unpopular move. Adding a lecture on security to this will only irritate people who'll be thinking "Well it's not going to matter anyway once it's blocked". It's going to be very difficult to come across as anything but condescending. People are quite likely to associate the decision with you personally. Your aim should be to stay brief and informative, not to "utilize" the opportunity, because it's an opportunity for social suicide. Ideally this should have been undertaken by email, been short and been to the point.

Re:Cutting off social networking?

[that+this+is+not+und]

Don't blame Henry. He was part of the deal, but he was just doing what that fascist Taylor said to do. Taylorism needs to be obliterated.

Supplemental materials

[beefnog]

If your company has branches in all of those regions, chances are there are quite a few people in the crowds that feel their time is worth far more than yours. I would create a supplemental handout / electronic document rather than discussing points that aren't in the exact scope of what you've been asked to discuss. Speak specifically about social networks. Provide literature about your other concerns.

Get Security/Legal/HR buy in

[omkhar]

Are you part of the security team? If not, perhaps this is more the domain of your security guys than yourself. I'd also get the buy in of HR. As with most policy changes (especially ones with a reprimand) you gotta make sure HR is on side. Legal for good measure too - ie are you asking something which is illegal of the employee? I know its a stretch, but CYA.

Re:STOP CLICKING RANDOM LINKS

[MichaelSmith]

Don't use your internal password for anything external, like your hotmail account.

If you need to share your data with co-workers don't give them your password so they can log in and do it.

If in doubt, don't.

Re:Acknowledging the /. audience

[heretic108]

Closing the basement shades will do wonders on the privacy front.

Translated into /. language: Either operate exclusively through a watertight alias (use a proxy, don't share photos of you groping the office slapper at the Christmas party, don't engage in identifying talk), or just assume that everything you say and do on social networks will be cc'ed to your boss(es), appended to your CVs for the next 50 years and plastered all over your cubicle walls.

Re:While you're at it..

[tomhudson]

Better yet, put a teaspoon of methylene blue in a 1- or 2-litre bottle of coke or pepsi.

Let suspect drink it.

Let them get all alarmed the next day because they're peeing green or purple.

Just a couple of drops in a glass does the job.

Stick to the subject

Focus on your assignment. The Security department can use the other material for newsletters.

Don't Give Advice

[mpapet]

If it's not *specific* company policy, then don't say a word.

1. Because no good deed goes unpunished.
2. Humans are incredibly stubborn. Informing them of risks with almost no career consequences AND they'll probably do anyway will be mostly wasted breath.
3. Sharing remotely related information is not the purpose of the meeting. I have an idea, have the meeting finish on time or early. Incredible, right? It's amazing what happens when people respect the boundaries established by the meeting time.

I would take the advice and put it on paper, (no corporate letterhead) and call it 'helpful information.' End the meeting by announcing it as a 'bonus gift!' Interested people will take one. Publish a PDF for the international people.

Don't forget "porn name" meme...

[schon]

Yes, I'm serious.. you forgot the biggest one.. the whole "porn name" meme.

You know these ones - they're very popular on social sites.. they ask you to post your mother's maiden name with the street you lived on, or your favourite pet with your first crush's last name, etc..

Think about the "lost password" questions most websites use... what do they ask?

Presentation Tip

[Lord+Byron+II]

Most people will remember only the first 2-3 minutes and the last 2-3 minutes. The 35 minutes in the middle will become a muddled blur. So make sure you put your most important tips at either end.

Re:Back it up with a little detail helps.

[s.d.]

You really think that secretaries and accountants and HR reps, who are being forced to sit through a "don't put stupid shit on Facebook because it reflects badly on us" or "don't Twitter about company business or you'll get fired" presentation would understand or care about brute force ssh attacks?

Everyone is being told, "This discussion of social networking and how to protect yourself and the company is mandatory." Don't waste their time with things that they won't understand and are totally off-topic.

Be Skeptical.

[Vellmont]

There's two kinds of people in the world: Carnies and Rubes. Carnies are the people that are skeptical and always looking for the angle. The rubes are the people who see everything at face value.

Privacy and security really aren't a lot more than trying to not be a rube. The carnies try to trick the rubes into giving away information, or taking over their computer by installing some piece of software. We all know about the "virus scanner" sites that pop up now and again. Tricker are the "open the file in this email and follow instructions" email.

Sadly, people aren't trained much beyond the level of "don't click on the wrong link!!" form of security. You're never going to be able to tell people all the latest scams, since there's a new one every day. The best you can do is try to get them to look for the angle. People will respond to this because they can relate to it (a friend of mine calls it "the down home cynicism".

Re:Make it funny

[regularstranger]

It takes some real personality, practice, and experience to be funny for a large audience. In front of a large group, I can't make it happen (at least when I'm trying, it's when I'm not trying when I can get a laugh), and many others can't either. It's great if the presenter can pull it off, but if they can't, it will make the presentation very uncomfortable for everyone involved. I think planned jokes are risky for the uninitiated.

Terrible idea

[petes_PoV]

Don't freelance - stick to the topic assigned to you.

People's time is very, very expensive - just because you've be alloted 40 minutes, doesn't mean you have to use it all up. Say what needs to be said, then stop... Having you rattling on about things you reckon are interesting and that you reckon they don't know about is extremely arrogant. Since it's almost certain that either you, or some other presentation in this "mandatory" session will run over time, why not just finish a few minutes early. THAT ALONE will make people remember your presentation:
Oh yeah, he was the guy who actually stopped talking when he'd said all that needed to be said. Jeez, I wish some of the others had done that - now I've wasted a whole afternoon listening to stuff I already knew or that doesn't affect me."

Re:Secure Your Presentation PC/software

[L4t3r4lu5]

Create an embarassing or humorous photo out of several employees on Facebook, ones which you will see in the meeting. Leave enough so they know where the image came from, but make the composit odd enough (even use your own face for extra brownie points) to leave a lasting memory for everyone without identifying people easily. The people who see their own photos will either laugh or be uncomfortable, but the point is made.