Security / Privacy Advice?

James-NSC writes "My employer is changing its policy towards employee use of social networks. I've been asked to give a 40-minute presentation to the entire company, with attendance mandatory, on the security and privacy concerns relating to social networking. While I was putting it together, I ended up with some miscellaneous information that pertains to security/privacy in general, for example: the emerging ATM skimming (mainly for our European employees), a reminder that email is not private, malware/drive-by in popular search results, etc. Since these topics don't directly relate to the subject I've been asked to address, I've ended up with a section titled 'While I have you...' I'm going to have the mandatory attention of every employee and I thought it would be a great opportunity to give advice on security/privacy issues across the board. As it's an opportunity that one seldom gets, I certainly want to utilize it fullly. If you had the attention of an entire company with employees in the US, UK, Asia, and Australia, what security / privacy advice would you give?"

Mandatory?

[DoofusOfDeath]

I'm going to have the mandatory attention of every employee

No, you're going to have the mandatory presence of every employee. And unless you make the talk riveting, every seconds of unnecessary content will make them despise you more.

Re:Mandatory?

[CannonballHead]

I have found that food helps everyone like you more; perhaps he should provide lunch. Or at least cookies.

Re:Mandatory?

[PylonHead]

This is correct.

Present just the information you've been tasked to convey.

Present it in at least 2 different ways.

Take questions.

Summarize once more and let them out early.

Honestly, the more you try to cram in there the less they're going to take away.

Re:Mandatory?

[commodore64_love]

>>>every seconds of unnecessary content will make them despise you more.

I love mandatory meetings.

It's a great opportunity to get paid $50 for doing absolutely nothing for an hour. Score!

Re:Mandatory?

[BadAnalogyGuy]

Have you ever tried growing tomatoes? It's very difficult because there are lots of things that can go wrong. Bugs, bad soil, wind, even the tomatoes themselves can be too heavy and break off the vine. It's not a matter of planting the seed and then letting it grow. You've got to be involved almost every day to make sure the growth is under control, that the vine is tied where it needs to be, that the plant is properly pruned so that you don't end up with a scraggly set of leaves and scrawny tomatoes. It's a very difficult, but very rewarding activity.

So when you say:
Take questions.

You are wrong.

Ask questions. If you want your audience involved, you need to solicit feedback. You can't expect them to come with any questions, so you need to frame your speech to include questions *to* your audience so that they become part of the program, not just spectators.

krsmav

[krsmav]

When you have a captive audience, the temptation is nearly irresistible to force-feed them something they wouldn't willingly listen to. Put yourself in their place. Don't say anything that you would resent being forced to sit through. Keep it short and jargon-free, and lighten up if possible.

Using social networks in the job?

[Saija]

on the security and privacy concerns relating to social networking

I'm a little confused here: are the employees of your company using social network at work?, if so, why on earth don't you block the access to this sites?
Note to myself: don't use /. at work

IT people get security wrong

[Kohath]

Educating your users is useful. You'll probably do a good job. Tell them not to download and install anything "fun" for Windows.

I find that IT people get security wrong far more often than users, though I'm used to working with sophisticated users. IT people setup security that's needlessly inconvenient. The users then spend their time circumventing that security to get their work done. Users do things like writing their password down on a post-it, using skype, setting up logmein.com on their PC, or posting a document on a public site. They do this because IT forces elaborate password schemes and won't support remote logins or other external communications.

IT needs to be responsive to user needs for security to work right in an organization.

Re:IT people get security wrong

[element-o.p.]

Wrong.

It's not the poor stiff at the helpdesk who sets policy; it's the extraneous middle manager five levels up who doesn't give ${rodent}'s ${anatomical feature} about how difficult it is for the working-class saps, so long as he can tell his SoX auditor that they are abiding by a secure policy. BTDT, got the T-shirt.

Re:IT people get security wrong

[rantingkitten]

Tell them not to download and install anything "fun" for Windows.

Alright, the zealot in me just has to step up.

The overwhelming majority of rank-and-file office workers don't even need Windows. Really. They don't.

They need email, web browsing, spreadsheets -- usually nothing particularly demanding -- IM, and not much else. In this day and age of online CRMs and such, most office workers could get away with little more than a browser.

Why are these people even using Windows?

Sure, there are always the accountants who have that Excel macro they wrote eight years ago that absolutely will not translate into Open Office. Fine. And you have those three guys who use specialised CAD software. Great. Those people can use Windows.

But the vast majority of the sales crew, administrative staff, and damn near everyone else, does not need Windows. Why are we pouring such huge amounts of money into this crap?

"But kitten! We have an application written thirty seven billion years ago that only works on IE!"
Great. You can either spend a bit now to rewrite it so it works on any platform, or you can continue to throw thousands of dollars and thousands of manhours, year after year, at the effort of keeping this thing propped up. When are you going to throw in the towel?

"But kitten! The retraining! My team only knows Windows!
No. Your team does not "know" Windows, any more than they "know" engines because they drive a car. They know, by pure memorization, that for email they should click this, for the shared network drive (which they probably call "the office drive") they click that, and for Word they click here. They know how to use a couple of applications but that is not OS-specific. The reality is, if you installed Ubuntu on every one of your sales team's computers, and told them "It's, like, the new Windows Longhorn!", they'd grouse about it for a day and get over it. Your "team" does not "know Winedows". You didn't train them in "Windows", you trained them to know your specific business applications, most of which are online and are therefore OS agnostic.

So you can either throw more and more money and manhours at keeping your staff on Windows because they "know" Windows, but curiously need to be told over and over how not to break Windows by downloading things, and lose hours of time because they effed-up Windows once again and had to wait for IT to re-image the machine...
...or you can have them stop using Windows because they don't need it.

sigh.


I know, yes, I know, there are always those few sitations where Windows is necessary. And some smartass always has to pipe up with "Well, in MY company we haev this GUY who has a Windows only APPLICATIOn and we couldn't SURVIVE..."

Spare me.

The truth is we -- as an IT professional collective -- throw so, so, so much money and time at keeping the Windows lusers safe. Trying to "educate" them, fruitlessly. Tracking licenses. Buying more upgrades. Making sure to roll out new "virus definitions". Admonishing users time and time and time and time again: "Stop downloading that. Don't install that. Quit forwarding that email. Don't click that for god's sake."

When is it time to stop treating the symptoms? Attack and remove the cause, which is Windows. If Windows is not exactly the cause, per se, it is certainly the enabler.

Please note: Using Linux (or any other OS) will not stop idiots from chattering about private company information in public. But that is a managerial problem, not a technical problem.

Note that using Linux will not stop your idiot employees from naming names on Facebook and Myspace and Diggwoot and Farkmeme. But that is a managerial problem, not a technical problem.

Using Linux WILL prevent your employees from contracting viruses that email random -- often confidential -- documents to random

Cutting off social networking?

[syousef]

My employer is changing its policy towards employee use of social networks. I've been asked to give a 40-minute presentation to the entire company, with attendance mandatory, on the security and privacy concerns relating to social networking.

Correct me if I'm wrong but that just sounds to me like your employer is going to start blocking Facebook, Myspace, Youtube, private email, and possibly everything else your filtering software classifies as social networking. Or at least a prelude to this.

If I'm right, the only opportunity you're being given here is to become the public face of a very unpopular move. Adding a lecture on security to this will only irritate people who'll be thinking "Well it's not going to matter anyway once it's blocked". It's going to be very difficult to come across as anything but condescending. People are quite likely to associate the decision with you personally. Your aim should be to stay brief and informative, not to "utilize" the opportunity, because it's an opportunity for social suicide. Ideally this should have been undertaken by email, been short and been to the point.

Re:Cutting off social networking?

[that+this+is+not+und]

Don't blame Henry. He was part of the deal, but he was just doing what that fascist Taylor said to do. Taylorism needs to be obliterated.

Get Security/Legal/HR buy in

[omkhar]

Are you part of the security team? If not, perhaps this is more the domain of your security guys than yourself. I'd also get the buy in of HR. As with most policy changes (especially ones with a reprimand) you gotta make sure HR is on side. Legal for good measure too - ie are you asking something which is illegal of the employee? I know its a stretch, but CYA.

Don't Give Advice

[mpapet]

If it's not *specific* company policy, then don't say a word.

1. Because no good deed goes unpunished.
2. Humans are incredibly stubborn. Informing them of risks with almost no career consequences AND they'll probably do anyway will be mostly wasted breath.
3. Sharing remotely related information is not the purpose of the meeting. I have an idea, have the meeting finish on time or early. Incredible, right? It's amazing what happens when people respect the boundaries established by the meeting time.

I would take the advice and put it on paper, (no corporate letterhead) and call it 'helpful information.' End the meeting by announcing it as a 'bonus gift!' Interested people will take one. Publish a PDF for the international people.

Re:Back it up with a little detail helps.

[s.d.]

You really think that secretaries and accountants and HR reps, who are being forced to sit through a "don't put stupid shit on Facebook because it reflects badly on us" or "don't Twitter about company business or you'll get fired" presentation would understand or care about brute force ssh attacks?

Everyone is being told, "This discussion of social networking and how to protect yourself and the company is mandatory." Don't waste their time with things that they won't understand and are totally off-topic.

Terrible idea

[petes_PoV]

Don't freelance - stick to the topic assigned to you.

People's time is very, very expensive - just because you've be alloted 40 minutes, doesn't mean you have to use it all up. Say what needs to be said, then stop... Having you rattling on about things you reckon are interesting and that you reckon they don't know about is extremely arrogant. Since it's almost certain that either you, or some other presentation in this "mandatory" session will run over time, why not just finish a few minutes early. THAT ALONE will make people remember your presentation:
Oh yeah, he was the guy who actually stopped talking when he'd said all that needed to be said. Jeez, I wish some of the others had done that - now I've wasted a whole afternoon listening to stuff I already knew or that doesn't affect me."