Security / Privacy Advice?
James-NSC writes "My employer is changing its policy towards employee use of social networks. I've been asked to give a 40-minute presentation to the entire company, with attendance mandatory, on the security and privacy concerns relating to social networking. While I was putting it together, I ended up with some miscellaneous information that pertains to security/privacy in general, for example: the emerging ATM skimming (mainly for our European employees), a reminder that email is not private, malware/drive-by in popular search results, etc. Since these topics don't directly relate to the subject I've been asked to address, I've ended up with a section titled 'While I have you...' I'm going to have the mandatory attention of every employee and I thought it would be a great opportunity to give advice on security/privacy issues across the board. As it's an opportunity that one seldom gets, I certainly want to utilize it fully. If you had the attention of an entire company with employees in the US, UK, Asia, and Australia, what security / privacy advice would you give?"
No, you're going to have the mandatory presence of every employee. And unless you make the talk riveting, every second of unnecessary content will make them despise you more.
You don't have to be a comedian, you just need to make sure that your audience is attentive and taking in what you are saying - so - make it funny and have the jokes the things you want people to remember.
That, and tell them to be paranoid: "if it seems dodgy, it probably is!"
Too busy leaking private info on my crackberry.
When you have a captive audience, the temptation is nearly irresistible to force-feed them something they wouldn't willingly listen to. Put yourself in their place. Don't say anything that you would resent being forced to sit through. Keep it short and jargon-free, and lighten up if possible.
Secure the PC & software you're going to use in the presentation, just to keep pranksters or jealous peers from having fun at your expense. Terribly embarrassing to give a talk on security while boobies are flashing on the screen behind you.
"I'm going to have the mandatory attention of every employee and ..."
Wrong. You are going to have the mandatory presence of every employee, but their attention is something you will have to earn.
"If you wouldn't expose your wang to your co-workers at the water cooler, don't do it online"
on the security and privacy concerns relating to social networking
I'm a little confused here: are the employees of your company using social networks at work? If so, why on earth don't you block access to these sites?
Educating your users is useful. You'll probably do a good job. Tell them not to download and install anything "fun" for Windows.
I find that IT people get security wrong far more often than users, though I'm used to working with sophisticated users. IT people set up security that's needlessly inconvenient. The users then spend their time circumventing that security to get their work done. Users do things like writing their password down on a post-it, using Skype, setting up logmein.com on their PC, or posting a document on a public site. They do this because IT forces elaborate password schemes and won't support remote logins or other external communications.
IT needs to be responsive to user needs for security to work right in an organization.
explain to them that's MY FREAKIN BACON SANDWICH in the fridge! I had my NAME ON IT!!
Farkin' lunch thieves...
Tell them how to look out for individuals within the company that may be involved in corporate espionage and point out key characteristics of suspects:
Unexplained Affluence - they have more money than you would expect from their job/life.
Undue Interest - they show up in your department asking questions but have no work-related purpose.
Affiliation - they express low affiliation with the company, or high affiliation with other interests.
Work Issues - they are not happy with their work or feel that they have not been treated fairly.
Questionable Contacts - they associate with or are in contact with persons of competing firms or interests.
Note that depending on your specific industry and company, security discussion of this level may require more than a few minutes.
My employer is changing its policy towards employee use of social networks. I've been asked to give a 40-minute presentation to the entire company, with attendance mandatory, on the security and privacy concerns relating to social networking.
Correct me if I'm wrong but that just sounds to me like your employer is going to start blocking Facebook, Myspace, Youtube, private email, and possibly everything else your filtering software classifies as social networking. Or at least a prelude to this.
If I'm right, the only opportunity you're being given here is to become the public face of a very unpopular move. Adding a lecture on security to this will only irritate people who'll be thinking "Well it's not going to matter anyway once it's blocked". It's going to be very difficult to come across as anything but condescending. People are quite likely to associate the decision with you personally. Your aim should be to stay brief and informative, not to "utilize" the opportunity, because it's an opportunity for social suicide. Ideally this should have been undertaken by email, been short and been to the point.
or at least mind-numbing forgetfulness.
It should generally be remembered that use of the Internet is nonsecure and suspect.
Lots of people will forget, because they are tired, pushed, harangued, or pissed off at their boss or coworkers.
Trying to instill constant vigilant attitudes will be REAL tough.
Maybe browser pop-ups reminding employees of the latest intrusion or hazard of the day are not so bad as a reminder. (Please, no bricks.) If I were to design a popup, it would be a one-liner with a link for more info, and the popup would disappear after 5 seconds on its own.
Everyone knows you need a secure password. Now show them the log of the 3k connection attempts to the SSH port that occurred overnight.
Unknown Entries:
authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.46.49.199 : 2366 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.205.44 user=root : 364 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=140.116.236.46 user=root : 80 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.205.44 : 73 Time(s)
Maybe ask permission to do a live demonstration of a password cracking tool. See how many passwords you can get in 2 minutes. This may be dangerous though, hide the results, just show the usernames, you don't want to find out who is using the CEO's wife's name as a password.
Really get their attention with some specifics like that.
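The comment above suggests putting a night's worth of SSH failures in front of the audience. The logwatch-style summary it quotes is produced by tooling the original post does not show, so here is an added example (not from the page or any of its commenters) that builds the same kind of summary from raw OpenSSH auth.log lines. The log lines are constructed and use RFC 5737 documentation addresses; the thresholds in suspected_bruteforce are assumptions chosen for the sample, not a standard.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of OpenSSH auth.log lines (documentation addresses, not real hosts).
SAMPLE_LOG = """\
Mar  3 02:11:07 bastion sshd[4112]: Failed password for root from 203.0.113.5 port 40122 ssh2
Mar  3 02:11:09 bastion sshd[4112]: Failed password for root from 203.0.113.5 port 40122 ssh2
Mar  3 02:11:12 bastion sshd[4115]: Failed password for invalid user admin from 203.0.113.5 port 40130 ssh2
Mar  3 02:11:15 bastion sshd[4118]: Failed password for invalid user oracle from 203.0.113.5 port 40141 ssh2
Mar  3 02:13:40 bastion sshd[4201]: Failed password for invalid user test from 198.51.100.7 port 51234 ssh2
Mar  3 02:13:44 bastion sshd[4201]: Failed password for root from 198.51.100.7 port 51234 ssh2
Mar  3 02:20:01 bastion sshd[4300]: Accepted publickey for deploy from 192.0.2.10 port 50000 ssh2: ED25519 SHA256:...
Mar  3 02:21:33 bastion sshd[4310]: Failed password for alice from 192.0.2.44 port 50210 ssh2
"""

# "invalid user" is present when the account does not exist at all; the username
# is captured either way so we can see what the attacker was guessing.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<host>\S+) port \d+"
)


def summarize_failures(log_text):
    """Return (failures per source host, set of usernames tried per host)."""
    per_host = Counter()
    users_by_host = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:  # successful logins and unrelated lines are ignored
            continue
        per_host[m["host"]] += 1
        users_by_host[m["host"]].add(m["user"])
    return per_host, users_by_host


def suspected_bruteforce(per_host, users_by_host, min_attempts=3, min_users=2):
    """Hosts with many failures spread across several usernames: the shape of a dictionary attack.

    The thresholds are assumed values for this sample; tune them to your own baseline."""
    return sorted(host for host, n in per_host.items()
                  if n >= min_attempts and len(users_by_host[host]) >= min_users)


def render_report(per_host, users_by_host):
    """Logwatch-like summary, one line per source host, busiest first."""
    return "\n".join(
        f"{host}: {n} failed login(s), users tried: {', '.join(sorted(users_by_host[host]))}"
        for host, n in per_host.most_common()
    )


if __name__ == "__main__":
    per_host, users_by_host = summarize_failures(SAMPLE_LOG)
    print(render_report(per_host, users_by_host))
    print("suspected brute force:", suspected_bruteforce(per_host, users_by_host))
```

For a real machine, feed it `/var/log/auth.log` (or `journalctl -u ssh --no-pager`) instead of SAMPLE_LOG; a single host cycling through root, admin, oracle and test in seconds is the picture that makes "you need a strong password" concrete.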
Like the animal kingdom, if it looks interesting and has lots of bright colors, it is probably deadly. Stay away.
Don't post anything online that you wouldn't want your grandmother, pastor and organized criminals to see. Or, don't post anything that shows anything you wouldn't want your pre-teen daughter to be doing.
Terms of service change on a whim. There is no such thing as online privacy. The internet never forgets. Don't trust the delete key. Don't say in e-mail what you wouldn't be willing to say to someone's face -- in public.
Learn what BCC is in e-mail. Never use multiple TO or CC to anyone outside the company, as it can expose a great deal of internal e-mail addresses.
And where that trails off and the gray area begins, go back to that same rules and regulations compendium and glean appropriate behavior and confidentiality employee agreements to remind people what is acceptable and what is not.
It's a rare situation that has employees actively working and conducting business in various locations and stages of production where they are exempt from the rules and regulations that govern safety, access and distribution of proprietary information, asset security and liability. When in doubt, employees are encouraged to seek out their immediate supervisor or manager and share case-by case situations that fall outside of established guidelines.
While this puts more burden on the rules to list what is appropriate and what isn't, the "employee handbook" can become a living document that grows as procedures change and situations require amended courses of action.
I'd also suggest incorporating a policy revision or review process, where the common employee can affect change through communication to an individual or department that can highlight a policy or procedure that is incomplete or inaccurate.
In the end, the Company is seen as less infallible and more adaptive, the management that executive or owners rely on to get things done are better empowered to merge effort with Company expectations.
If your company has branches in all of those regions, chances are there are quite a few people in the crowds that feel their time is worth far more than yours. I would create a supplemental handout / electronic document rather than discussing points that aren't in the exact scope of what you've been asked to discuss. Speak specifically about social networks. Provide literature about your other concerns.
Keep it short, keep it simple. And don't stray off the topic. And you might want to have a handout of the key points.
Nothing says Commitment to Quality like deciding that 40 minutes is the right length of time for an important lesson, then assigning someone else to creating the lesson content.
As others have noted, people are already going to be surly about a mandatory meeting. For those people who actually use social networks, they're going to be surly about whatever restrictions your company has decided on. You can buy a bit of forgiveness by letting them out early. It might seem like you're passing on a golden opportunity, but trying to cram in additional content is doomed. They start surly. You'll be 30 minutes in and they'll be zoning out. It's a hostile audience, and little, if anything, you say will stick with them. If it's obvious you've jumped to seemingly optional topics, (which is what "While I have you" says), you'll lose the rest.
You've been ordered to push a boulder half-way up a hill. It's doomed to roll back down the moment you're done. Don't make extra work for yourself by uselessly pushing it all the way to the top.
If you do it naked no matter how dull the content it will be an event they shall all long remember!
It would save some of us the trouble of putting similar material together if you could post the presentation somewhere.
One thing that a lot of people don't think about when discussing privacy, especially in social networking, is the topic of who the customer truly is. With free services online, the true customer is almost always the advertisers, and the product being sold is usually user information. http://www.weourfamily.com/blog/who_is_the_customer.jsp
What's the actual change in policy that's the main target of your talk ? If you're just going to tell them that "you can't hit Facebook from work anymore" or "If you ever blog about the company we'll fire you" then you will have lost your audience already. Anything else you tell them may even be counter productive because it will be associated with the main negative message you just delivered.
In fact, along the same lines, if someone else decided this policy change (which I'm assuming is not "employee friendly") it may not be in your best interest to do the announcement. If it was a committee decision, then yes you should do it even if you don't agree with it. If it's the lawyers or the CEO or VP etc. cramming it down your throat, then consider, respectfully, asking him, her or them to do the announcement.
As to something you might say / do: consider suggesting that they get a nettop to use for personal business (if you allow such things on your network) and/or perhaps set up a secondary "guest" network that they might use for this purpose. Beyond that, the usual: use a non-IE browser, make sure you run some sort of virus scanner at home, run Spybot S&D every once in a while, don't ignore https warnings... The ATM thing may be a bit outside the scope of the talk.
Are you part of the security team? If not, perhaps this is more the domain of your security guys than yourself. I'd also get the buy-in of HR. As with most policy changes (especially ones with a reprimand) you gotta make sure HR is on side. Legal for good measure too, i.e. are you asking something which is illegal of the employee? I know it's a stretch, but CYA.
Will you tell them that although no one in IT has the time to monitor email, if an employee pisses off someone in management or HR enough that they become the target of an "investigation", then every stupid little email where an f-bomb was dropped between friends or the hot chicks ta-tas are discussed will suddenly be used as "evidence" of violation of corporate policy and they will be terminated?
Not that it's happened to me - I'm just sayin'...
This is an excellent time - since I have your captive attention - to point out that you were asked to present on a specific topic. What you are proposing is that you will provide a rose garden when all you were asked to deliver was a shrubbery. Don't make the mistake of thinking that these other topics, no matter how tertiarily related, will endear you to your audience or your manager. That said, I would find ways of incorporating some of them in the "effect of..." being a victim of social networking scams, schemes, malware, etc., etc. Much better than dropping more info in their laps at the end, when they probably won't be able to put two and two together and see how they are related. By the way, once you learn to deliver what has been asked for, not only your manager but you will be much happier. Find other ways to get what you want. It's a skill; so learn it. See what I did and didn't do there?
I always tell our new starters not to share or write down passwords. Of course some of them will - generally the higher paid ones. At least this way we have tried and they can't claim that they didn't know because nobody ever reads the policy documents!
I gave a similar presentation to a smaller group. My advice would be to do a live demonstration of the actual information that one can get from a social networking site. For example, I pulled someone's information from the social networking site, googled them using stuff I learned about them from Facebook, and found their email address, home address, and phone number. Using this information I was able to find out friends and family members of theirs, including photos etc. I also found their MySpace page and looked up other social networking, dating, etc. sites. Off of other social networking sites, I started to build a profile in my talk about what type of person this was and also talked about additional things I might be able to gather, if I had malicious intent.
I used this talk as a means to introduce other security related issues such as email encryption, etc. I did not go into any details of those things, but I did introduce them and asked if they would be interested in learning a little more about those topics. People overwhelmingly asked me to do another series of small presentations on additional security topics, as many were shocked at how much information I was able to gather.
Don't put too much on your plate as it will be difficult to focus on your main task and it might not go over too well. Security is a huge issue and every topic cannot be done justice in one presentation. However, if you do your main presentation right, you can get people interested in how it really impacts them.
I hope this helps out a little. Good luck!
"If you had the attention of an entire company...."
I'd tell them I have put together a collection of security/privacy related issues that may or may not relate to things at work but definitely relate to their personal life computer use. But rather than take up more of their time by covering it here and now, I'm going to offer to send it to anyone who wants it. They can request a copy by emailing me at username at domain dot top. Thank you, and have a nice period of planetary rotation.
The bosses will be impressed with the extra work you did and with the fact you let them all get back to work as soon as possible. Everybody will be happy you let them go rather than keep them in the meeting longer. That will improve the probabilities that they'll (1) ask for the supplement and (2) use it, plus (3) remember and use the stuff the company wanted put together. That'll get you a reputation as the IT guy that's tech smart as well as management smart, something that could go a long way towards improving your 'situation'. At least it could go this way, and knowing that before the fact you could use it to your advantage. For instance: convert the supplementary material to a slide show presentation; tell the bosses now that you have put together and are going to offer the extra material, but only as a freebie sent out upon request rather than take up more of the company's valuable time; and just generally present yourself as confident in your technical and managerial skills, both of which you apply for the good of the company, etc., etc.
In other words, don't just give it, use it.
ccleaner is pretty 31337 for clearing up. Oh and do not forget the option to wipe free space.
Translated into /. language: Either operate exclusively through a watertight alias (use a proxy, don't share photos of you groping the office slapper at the Christmas party, don't engage in identifying talk), or just assume that everything you say and do on social networks will be cc'ed to your boss(es), appended to your CVs for the next 50 years and plastered all over your cubicle walls.
People tend not to listen to things that they're not interested in, so you need to make them interested. Come up with a real world example of how a normal person (like them) fell into one of the many traps on the internet (malware, phishing, you name it), got their info stolen, and wound up with a nightmare on their hands. You don't want to make it too intimidating, but give them a sense that it *CAN* happen to them. That way, they'll be interested in what you have to say, for their own good, as well as that of the company.
Resist the temptation. It's always a bad idea. That's why you seldom get the opportunity.
I have given this some thought. I would tell your employees to have a wonderful social life. Engage in Twitter, TPB, politics. Normal slander rules apply such as in Germany, England or wherever you are located.
HR should have a don't ask, don't tell policy. If they do porn at night and end up on CNN, that could happen to anyone; it's not a company's business other than normal company-image / chance-for-promotion type stuff.
The internet is just a bigger megaphone, not a new type of megaphone...
One thing about security is that people always take shortcuts, and one of the main outcomes of this is that data gets lost when it should never have been copied in the first place. A key example of this is when consultants take a copy of a database so that they can create a program to access the data. They don't need the data, they just need the schema. Get this into people's heads (think 'least necessary information' rather than 'easiest command') and it wouldn't matter how poorly your consultant handles your data, because they can't lose any of it.
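The "schema, not data" point above is easy to put into practice. The following is an added example, not code from the page or its commenters: it builds a small constructed SQLite database standing in for production, then recreates every table, index and view in a fresh database without copying a single row, which is what a developer actually needs to write code against. The same idea is what `pg_dump --schema-only` and `mysqldump --no-data` do for PostgreSQL and MySQL; SQLite is used here only so the example runs anywhere with no server.

```python
import sqlite3


def build_sample_db():
    """Constructed production-like database: the rows a consultant should never receive."""
    src = sqlite3.connect(":memory:")
    src.executescript("""
        CREATE TABLE customers (
            id INTEGER PRIMARY KEY,
            email TEXT NOT NULL UNIQUE,
            date_of_birth TEXT
        );
        CREATE INDEX customers_email_idx ON customers(email);
        CREATE TABLE orders (
            id INTEGER PRIMARY KEY,
            customer_id INTEGER NOT NULL REFERENCES customers(id),
            total_cents INTEGER NOT NULL
        );
        CREATE VIEW order_totals AS
            SELECT customer_id, SUM(total_cents) AS spent FROM orders GROUP BY customer_id;
    """)
    src.executemany("INSERT INTO customers(email, date_of_birth) VALUES (?, ?)",
                    [("alice@example.com", "1980-01-02"), ("bob@example.com", "1975-06-30")])
    src.executemany("INSERT INTO orders(customer_id, total_cents) VALUES (?, ?)",
                    [(1, 1999), (1, 4500), (2, 250)])
    src.commit()
    return src


def schema_only_copy(src):
    """Recreate every table, index and view of src in a fresh database, with no data.

    sqlite_master stores the original DDL in creation order, so replaying it in rowid
    order keeps views after the tables they depend on. Indexes that SQLite creates
    automatically for UNIQUE/PRIMARY KEY constraints have NULL sql and are skipped;
    the constraint in the CREATE TABLE statement recreates them."""
    dst = sqlite3.connect(":memory:")
    ddl = [row[0] for row in src.execute(
        "SELECT sql FROM sqlite_master WHERE sql IS NOT NULL ORDER BY rowid")]
    dst.executescript(";\n".join(ddl) + ";")
    return dst


def table_row_counts(conn):
    """Row count per user table; the proof that nothing but structure was copied."""
    names = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    return {n: conn.execute(f'SELECT COUNT(*) FROM "{n}"').fetchone()[0] for n in names}


def object_names(conn):
    """Sorted names of tables, indexes and views, to compare source and copy."""
    return sorted(r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE name NOT LIKE 'sqlite_%'"))


if __name__ == "__main__":
    prod = build_sample_db()
    dev = schema_only_copy(prod)
    print("production:", table_row_counts(prod), object_names(prod))
    print("handed out:", table_row_counts(dev), object_names(dev))
```

The consultant can then fill the copy with made-up rows of their own; whatever happens to their laptop, the two customer records never left the building.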
Sounds like they are going for a more nuanced approach (and should be applauded for doing so). If they were going to cut it off a simple email would be explanation enough.
I used to work for a Fortune 10 company. They did surveys to see where we could improve internally. When the results were released, management would create (or pay to have made) an 8 hour training session. At the end, they would explain what happened. We complained, and were punished. They would report the training was a success and that if we complained again next year, we'd take the *same* course. Another 8 hours of mandatory non-work.
They would solicit for people to help drive the training sessions because they "had to be at an off site meeting", no doubt a golf course or Hooters or something.
Management got off free, and got bonuses for having the training handled, the employees were beaten into not complaining again.
Focus on your assignment. The Security department can use the other material for newsletters.
You'll ... never ... have ... me!
(a la Lost Highway when the blonde version of Patricia Arquette enters the mysterious man's shack after it imploded back to a standing structure)
Other than that? Well, tell lots of good stories.
If it's not *specific* company policy, then don't say a word.
1. Because no good deed goes unpunished.
2. Humans are incredibly stubborn. Informing them of risks with almost no career consequences AND they'll probably do anyway will be mostly wasted breath.
3. Sharing remotely related information is not the purpose of the meeting. I have an idea, have the meeting finish on time or early. Incredible, right? It's amazing what happens when people respect the boundaries established by the meeting time.
I would take the advice and put it on paper, (no corporate letterhead) and call it 'helpful information.' End the meeting by announcing it as a 'bonus gift!' Interested people will take one. Publish a PDF for the international people.
Put nothing on-line you wouldn't yell on a street corner.
Keep it short and simple, something like "You are going to get denied. If you find you are able to circumvent our security or see a problem with our security, let us know, otherwise, we'll eventually find out what's going on and you'll be held responsible."
Yes, I'm serious.. you forgot the biggest one.. the whole "porn name" meme.
You know these ones - they're very popular on social sites.. they ask you to post your mother's maiden name with the street you lived on, or your favourite pet with your first crush's last name, etc..
Think about the "lost password" questions most websites use... what do they ask?
Social networks are dangerous to secure organizations because they facilitate the very old and effective practice of social engineering. For example, one could use social networking sites to identify a person who works for a target organization, and then case or befriend that person to manipulate them, steal their identity, access rights, or even their entire computer. The most effective security is when people can't ascertain your employee's professional and personal associations. A skilled social engineer can do significant damage with basic information found on twitter, facebook, etc. Also, in my experience, low-tech threats like physical access, dumpster diving, bugging, and social engineering are far more effective and damaging than purely software and network-related security problems. Imagine how much trouble a disgruntled employee could cause with a bug in the boardroom.
Don't post anything on the internet anywhere on the internet if you think it is a risk to you or if you don't want anyone to see it.
Most people will remember only the first 2-3 minutes and the last 2-3 minutes. The 35 minutes in the middle will become a muddled blur. So make sure you put your most important tips at either end.
There's two kinds of people in the world: Carnies and Rubes. Carnies are the people that are skeptical and always looking for the angle. The rubes are the people who see everything at face value.
Privacy and security really aren't a lot more than trying to not be a rube. The carnies try to trick the rubes into giving away information, or taking over their computer by installing some piece of software. We all know about the "virus scanner" sites that pop up now and again. Trickier are the "open the file in this email and follow instructions" emails.
Sadly, people aren't trained much beyond the "don't click on the wrong link!!" form of security. You're never going to be able to tell people all the latest scams, since there's a new one every day. The best you can do is try to get them to look for the angle. People will respond to this because they can relate to it (a friend of mine calls it "the down home cynicism").
Learn what BCC is in e-mail. Never use multiple TO or CC to anyone outside the company, as it can expose a great deal of internal e-mail addresses.
I can't count the number of people in or out of work that I've told to use BCC. They just don't get the concept, even after explaining it. If you have more than, let's say, about 5 addresses on an email, they really should all go in the BCC field. (Many emails with more than 2 should BCC as well. Depends on context.) If you put more than one address in the "To" field, you should stop and consider for a brief moment.
Sorry. End rant. (preaching... choir... yup...)
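Both BCC comments above rest on one mechanism that is worth seeing rather than being told: SMTP delivers to the envelope recipients (the RCPT TO list), and the Bcc header must be stripped from the message before it goes out, otherwise every recipient can read the whole list. Here is an added example, not code from the page or its commenters, that builds a constructed announcement with outside addresses in Bcc, performs that split by hand, and parses the outgoing bytes back to show which addresses a recipient can actually see. `smtplib.SMTP.send_message` does the same stripping for you; the manual version exists only to make the difference visible. The sender, recipients and subject are made-up example.com/.net/.org values.

```python
import copy
import email
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses


def build_announcement(bcc_recipients):
    """Constructed message: the sender is the only visible recipient, everyone else is Bcc."""
    msg = EmailMessage()
    msg["From"] = "security@example.com"
    msg["To"] = "security@example.com"   # a harmless visible recipient, here the sender itself
    msg["Bcc"] = ", ".join(bcc_recipients)
    msg["Subject"] = "Social networking policy update"
    msg.set_content("Please read the attached policy.")
    return msg


def build_leaky_announcement(recipients):
    """Same message done the wrong way: every outside address in To, visible to all of them."""
    msg = EmailMessage()
    msg["From"] = "security@example.com"
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = "Social networking policy update"
    msg.set_content("Please read the attached policy.")
    return msg


def prepare_for_delivery(msg):
    """Return (envelope recipients, bytes sent to each of them).

    The envelope is what the mail server uses to deliver: To, Cc and Bcc together.
    The Bcc header is deleted from the copy that leaves, so its addresses never
    appear in what any recipient downloads."""
    envelope = [addr for _, addr in getaddresses(
        msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", []))]
    outgoing = copy.deepcopy(msg)
    del outgoing["Bcc"]
    return envelope, outgoing.as_bytes()


def visible_recipients(wire_bytes):
    """Addresses a recipient sees when they open the delivered message."""
    delivered = email.message_from_bytes(wire_bytes, policy=policy.default)
    return [addr for _, addr in getaddresses(
        delivered.get_all("To", []) + delivered.get_all("Cc", []))]


if __name__ == "__main__":
    partners = ["partner1@example.net", "partner2@example.org"]
    envelope, wire = prepare_for_delivery(build_announcement(partners))
    print("delivered to:", envelope)
    print("visible to each recipient:", visible_recipients(wire))
    _, leaky_wire = prepare_for_delivery(build_leaky_announcement(partners))
    print("visible when everyone is in To:", visible_recipients(leaky_wire))
```

The first run prints only the sender as visible while both partners still receive the message; the leaky variant shows each partner the other's address, which is exactly the exposure the comments warn about.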
I like the idea of a general education on security. I'm not sure what the motivation was for your corporate overlords, but educating users for their own sake is more likely to get them to be compliant at the workplace. Showing them how easy it is to get bugs from social networking sites and how to avoid them is a great idea. It lets them know how to develop good habits at home and thus they are better behaved at work, making your life easier.
prohibits asking advice about social networks, security and privacy on slashdot.
An all-too-quick 40 minutes? At a user/usage level? There's a LOT to choose from, but as a great start, try RFC 2504. http://www.ietf.org/rfc/rfc2504.txt?number=2504 Pick and choose as appropriate to your needs. We tried to make it very useful as a reference for the generic user. You can even hand out copies if you like.
For a bit more detail, and as a good read in case you get asked some lower-level questions, try RFC 2196, more specifically targeted for IT folks, and "Middle Managers" who have to at least be exposed to the concepts. http://www.ietf.org/rfc/rfc2196.txt?number=2196
Cheers, Steve
PS: don't let the fact that these are TEN years old fool you, most of these concerns are still quite current; most companies (read: those of popular OSes) don't exactly *want* people to understand the why's because they start to question the why-not (yet)s. If you found any of this useful, or not, just reply here. Most if not all those email addresses are defunct at this point -- we've moved onto and into other things.
"Use Condoms....seriously."
Many free websites, including social networking websites, use Ruby On Rails as a backend, which has been shown to facilitate the spread of viruses.
Link please. (not that I use Ruby)
If true, people deserve to know. If you're just spouting off libel (as AC), stop now. There is no true anonymity online. You'll run out of it sooner or later.
In other words: put up, or shut up.
According to Symantec, there has been skyrocketing rates of virus infections ever since websites like MySpace became popular.
This I'll believe (due to cross site scripting, etc). Many sites are guilty of such, but was this meant as a non-sequitur attack on Rails? (It sounds like it... despicable.)
"are the employees of your company using social network at work?, if so, why on earth don't you block the access to this sites?"
You can't block access to these sites for employees that work out of the office.
If the wifi signal from the coffeehouse next door is leaking through your walls, you can't even block access to employees in the office, unless you firewall inside every box, lock down every box, and forbid employees from using their own gear on the premises. Good luck with that.
Unless mind-control techniques have improved significantly, there is no firewall that will prevent people from carrying information out of the building inside their own heads, to be later uploaded using equipment totally beyond your control.
I'm afraid you are describing an ideal world.
I'm a TA at a university and I think all teachers and trainers worldwide would drool at the possibility of entering their class just to tell them: "Hi, I have prepared a presentation of today's lesson, anyone interested ask me for it by email, now go play soccer!"
If security is really critical to your situation you have to a) evaluate whether they grasped the concepts, b) establish a punishment mechanism for the 'bad' employees, c) establish a rewarding mechanism for the 'good' employees. I know this looks like fascism or military training, but if your company wants to survive, it will have to take such drastic measures.
If your company just wants to scare them, even a 'three strike' policy is not enough - Facebook is more potent than heroin.
Humanity has always spent decades teaching citizens what is good and what is evil, but still a significant percentage of them will commit a felony or even a crime if the motive is good enough.
Hello,
In the United Kingdom, the Cabinet Office published a short strategy paper on using Twitter. I found it to be quite good, and while it obviously is Twitter-centric, the ideas are applicable to other social networking sites. The document can be downloaded from http://blogs.cabinetoffice.gov.uk/digitalengagement/post/2009/07/21/Template-Twitter-strategy-for-Government-Departments.aspx
Regards,
Aryeh Goretsky
When talking about privacy, you should probably be aware that very many people can now connect your IRL identity with your online identity. There aren't that many companies, where somebody's holding a presentation about social networking security. Speaking about social networking, you seem to have a Myspace page..
Translated into /. language: Either operate exclusively through a watertight alias (use a proxy, don't share photos of you groping the office slapper at the Christmas party, don't engage in identifying talk), or just assume that everything you say and do on social networks will be cc'ed to your boss(es), appended to your CVs for the next 50 years and plastered all over your cubicle walls.
Of course this could be an advantage if you are looking for a career change to the porno industry. Or maybe a job with Fatwire (web CMS).
The main reason people do blatantly stupid things online is because their desire for their privacy has been eroded by both governments (terrorist! look out! be scared! Don't think about us filling our pockets and let economies crash!) and online merchants that mine your data, like Google. On top of that, the consequences have been played down - find a good story of someone who had their identity stolen and their life ruined.
It is clearly illustrated by the volume of people who think the Swiss are too uptight for asking Google to do what it promised or face being taken to court - 10 years ago Google would not have found it possible to zoom in on someone's window from across the planet without getting shot by Data Protection people (in that context I find it intriguing that all the "other" EU Data Protection people have been silent - are Switzerland and Japan the last places on earth where privacy counts?).
Oh, note to idiots: before you start talking about "nazi gold" and "tax evaders" I suggest you do some research.
You could also highlight the Google Terms of Service, clause 11: it more or less states that they can take the pictures of your kids and use them, for free, anywhere, forever, and altered in whatever form they see fit. Think about that one...
People's time is very, very expensive - just because you've been allotted 40 minutes doesn't mean you have to use it all up. Say what needs to be said, then stop... Having you rattling on about things you reckon are interesting and that you reckon they don't know about is extremely arrogant. Since it's almost certain that either you, or some other presentation in this "mandatory" session, will run over time, why not just finish a few minutes early. THAT ALONE will make people remember your presentation:
"Oh yeah, he was the guy who actually stopped talking when he'd said all that needed to be said. Jeez, I wish some of the others had done that - now I've wasted a whole afternoon listening to stuff I already knew or that doesn't affect me."
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
The party van won't come to you.
Nothing is totally harmless to everyone:
http://en.wikipedia.org/wiki/Methylene_blue#Adverse_reactions
I just don't believe in watertight aliases. You can work towards one, but you should never delude yourself that you have one. There might always be a chink in that armor you don't see.
-The world would be a better place if everyone had a hoverboard
The most important thing to hammer into everybody is: "You have to learn how to recognize and avoid security threats; technology only goes so far, but it is often surprisingly easy to spot security threats."
Other than that, there are a few rules:
1. Turn off all HTML and scripting in your email reader; if that is not possible, get one that can.
2. Use AdBlock Plus and NoScript (for Firefox) or similar.
It is a tiny bit inconvenient to have to explicitly allow scripting every time, but it has saved me no end of grief. In my workplace I am just about the only one that has never had any malware attack, and I get next to no SPAM either; the company filter captures about 5 per week, and sometimes one or two slip through to my inbox.
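Rule 1 above is easy to state and easy to get wrong in practice, so here is an added example (not code from the poster or from this thread) of what "HTML and scripting off" means at the MIME level: a reader that only ever decodes text/plain parts and leaves the text/html alternative, with whatever tracking pixel or script it carries, unrendered. The sample message is constructed for illustration; the hostnames in it are placeholders.

```python
"""Added example: read an e-mail as plain text only, ignoring HTML and script.

Not code from the Slashdot thread. The sample message below is constructed
for illustration (example.test hostnames are placeholders). It shows why
rule 1 helps: a reader that never renders text/html can't be tricked by a
tracking image or a script hidden in the HTML alternative.
"""
from email import message_from_string
from email.message import Message

# Constructed sample: multipart/alternative, where the HTML part carries a
# tracking pixel and an inline script and the plain-text part is harmless.
SAMPLE_RAW = """\
From: payroll@example.test
To: you@example.test
Subject: Your payslip
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

Your payslip for March is available on the portal.
--XYZ
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your payslip for March is available on the portal.</p>
<img src="http://tracker.example.test/open?id=42" width="1" height="1">
<script>location="http://evil.example.test/login"</script>
</body></html>
--XYZ--
"""


def plain_text_parts(msg: Message) -> list:
    """Return the decoded bodies of every text/plain part, in order.

    Every other leaf part (text/html, images, attachments) is skipped rather
    than rendered, which is the 'HTML and scripting off' behaviour the rule
    asks for. Unknown charsets are decoded with replacement, never refused.
    """
    out = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_type() != "text/plain":
            continue
        payload = part.get_payload(decode=True)  # undo any transfer encoding
        charset = part.get_content_charset() or "utf-8"
        out.append(payload.decode(charset, errors="replace"))
    return out


def skipped_content_types(raw: str) -> list:
    """Content types in the raw message that were deliberately not rendered."""
    msg = message_from_string(raw)
    return [p.get_content_type() for p in msg.walk()
            if not p.is_multipart() and p.get_content_type() != "text/plain"]


def render_safely(raw: str) -> str:
    """Parse a raw RFC 5322 message and return only its plain-text content."""
    msg = message_from_string(raw)
    return "\n".join(plain_text_parts(msg))


if __name__ == "__main__":
    print(render_safely(SAMPLE_RAW))
    print("skipped:", skipped_content_types(SAMPLE_RAW))
```

The plain-text output contains the payslip sentence and nothing else; the HTML part, tracking URL and script never reach a renderer. A mail that arrives with no text/plain part at all simply renders empty, which is the right failure mode for this policy.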
Giving a live example as an introduction, sort of like a case study, will make your presentation more interesting. They should see how they can relate the security / privacy issue to their specific context...even better is to hack something right there and then, before their very eyes! Everyone loves a performance, so, be a performer.
I'd plan my presentation to occupy at most 60% of the time I was given. Ask a couple of friends to attend and give honest feedback on your practice session(s). Your audience's attention span tends to be inversely proportional to its size. In your case, you'll be lucky if they even remember what you were talking about five minutes after you're done.
Most (even those who requested the presentation) will be expecting a yawning session. Surprise them with something short and compelling. Really, trust your audience to be able to fill in the gaps. Even idiots have moments of clarity. Point them to knowledge, don't try and force feed them it.
Chances are you are never going to be able to do this again, and in the short term the security threats that your audience will be exposed to will be different, new and completely oblivious to the prophylaxis and methods you describe today.
So just tell 'em to wear sunscreen, 'cause that's always a good idea...
Steve -- If you have to call it a system, you don't know what it is.
Some things worth considering:
Like others are saying, stick to the topic you were asked to present. I have rarely heard of any presentation where they gave too little information; most of the time it's the opposite. If your audience leaves with a good experience, they learn and are more open to similar presentations later. Too much information and they leave learning little and will likely oppose similar presentations in the future.
Give real life examples! It's obviously very easy to dig up highly relevant cases and news articles etc. Create a good but short summary of any articles you include. The summary should highlight the issues and consequences that relate to your topic. And be sure to include various ways in which the company was exposed or individuals embarrassed etc. The most basic human instinct is fear; appeal to it by letting them know that one of them can end up losing their job and/or embarrassed on the front page of the news as a result of their actions online. Putting the audience in the hot seat, so to speak. The point is that I think it needs to directly relate to them individually; if consequences only relate to the company, many will forget/ignore.
Let them know that absolutely anything that gets posted online about them can live online as long as they live and probably longer. As was the case with pictures on Facebook.
I also think that a good opening to the presentation creates attention. Humour is what many choose, but do whatever feels natural; constrained/forced humour rarely works well.
The National Institute of Standards and Technology (NIST), a nonregulatory federal agency in the U.S. Department of Commerce, is putting final touches on a guide designed to help small businesses and organizations implement the fundamentals of an effective information security program. The NIST standards should also prove useful for the remote offices of larger companies, where IT staffs are often small or nonexistent and it's important that employees bear more responsibility for information security. http://csrc.nist.gov/publications/drafts/ir-7621/draft-nistir-7621.pdf
There are folks with far more experience at providing a much more complete set of security tips tailored to specific audiences than you can possibly come up with in the time you've been allotted to complete this project.
Show, don't tell.
``Tension, apprehension & dissension have begun!'' - Duffy Wyg&, in Alfred Bester's _The Demolished Man_
(I'm sorry if you already understand BCC. Either you don't, or you didn't understand my post.)
I didn't mention or discuss CC (the gpp did, barely). BCC is "blind carbon copy". In other words, pass this email on to these people, but don't distribute these email addresses along with the email.
For example: if you're sending out a newsletter to 2 dozen people, it's terribly impolite to place these in the TO or CC field, as everyone will now have a list of everyone else's email address (and any spam bots on any of those 2 dozen computers will harvest all of them, how rude). If you place all those addresses in the BCC field, then they will only see the sender's email address. This is much more polite in most circumstances.
And for the record, CC can be very useful outside the company (as a preemptive CYOA technique). I have CC'd my boss on emails to clients, and I have CC'd clients on emails regarding 3rd party problems. I use it when I suspect I'm going to be accused of being lazy or incompetent when it's someone else's fault. (usually a customer on both counts; the CC to my boss saves him time and effort in defusing certain people, since he doesn't need to check with me first.)
I won't join Slashcott. OTOH, If Beta goes live, I just won't be back until it's fixed. Sorry Dice.
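The BCC explanation above works because the addresses live in the SMTP envelope (the RCPT TO list), not in the headers the recipients receive. The mistake that undoes it is sending the message with the Bcc: header still attached and trusting the server to strip it. Here is an added example (not the poster's code, not from this thread) that builds the newsletter both ways, the naive all-in-To version and the Bcc version, and checks which one leaks the list. All addresses are constructed placeholders, and the actual SMTP send is left as a commented call since nothing here touches the network.

```python
"""Added example: keep a mailing list private with Bcc, done correctly.

Not code from the thread; addresses are constructed placeholders. The point:
envelope recipients (what you hand to the SMTP server) and header recipients
(what the recipients see) are separate things. Bcc addresses belong only in
the former, so the Bcc: header must be removed before the message is sent.
"""
from email.message import EmailMessage


def naive_newsletter(sender, recipients, subject, body) -> bytes:
    """The impolite version: every recipient listed in To, visible to all."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg.as_bytes()


def build_newsletter(sender, to, cc, bcc, subject, body):
    """Return (envelope_recipients, wire_bytes) for an outgoing message.

    Envelope recipients are the union of To, Cc and Bcc, de-duplicated in
    order. The Bcc header is set only so the code reads like the mental model,
    then deleted before serialising so it cannot leak into delivered copies.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(to)
    if cc:
        msg["Cc"] = ", ".join(cc)
    msg["Bcc"] = ", ".join(bcc)      # present only while we build
    msg["Subject"] = subject
    msg.set_content(body)

    # The server needs every address, including the hidden ones.
    envelope = list(dict.fromkeys(list(to) + list(cc) + list(bcc)))

    del msg["Bcc"]                   # the step people forget
    return envelope, msg.as_bytes()


def leaked_addresses(wire_bytes: bytes, private) -> list:
    """Which of the 'private' addresses would a recipient find in the bytes?"""
    text = wire_bytes.decode("utf-8", errors="replace")
    return [a for a in private if a in text]


if __name__ == "__main__":
    sender = "news@example.test"
    hidden = ["b@example.test", "c@example.test"]
    env, wire = build_newsletter(sender, ["a@example.test"], [], hidden,
                                 "Monthly update", "Hello everyone.")
    print("envelope:", env)
    print("leaked:", leaked_addresses(wire, hidden))      # expect []
    bad = naive_newsletter(sender, ["a@example.test"] + hidden,
                           "Monthly update", "Hello everyone.")
    print("leaked (naive):", leaked_addresses(bad, hidden))
    # Real send (network, not run here):
    # import smtplib
    # with smtplib.SMTP("localhost") as s:
    #     s.sendmail(sender, env, wire)
```

`smtplib.SMTP.sendmail` takes the envelope list separately from the message bytes, which is exactly the split the example relies on; a library or webmail client that offers only "send this message" and reads recipients back out of the headers is where Bcc leaks tend to come from.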