Promoting Cyber Hygiene: Infosec Pros Should Take Notice, Heed Lessons
In the banking and healthcare sectors especially, there's been a lot of talk lately about improving employee and customer awareness of online security.
That's why this recent news story caught my eye:
The National Cyber Security Alliance, in partnership with McAfee and CyberSmart! Education, has released resources for K-12 schools nationwide to educate students on the importance of security and online safety.
"Our K-12 students are more oriented with the digital atmosphere than ever before," says Pamela Warren, cybercrime strategist and director of global public sector and critical infrastructure initiatives for McAfee. "It's important to start arming them with smart resources to protect themselves online from the beginning of the formal education process and to continue reinforcing those messages throughout their K-12 experience."
Warren is right, of course. As someone who grew up in the cyber era, I know for a fact that K-12 students are met with technology everywhere they turn: at home, at school and out in public. I've even seen parents hand children their smartphones to play with while inside stores.
Yet, while children are plugged into the Internet like never before, how many are really paying attention to the security considerations interlaced in every action they take online? I know online security wasn't my primary consideration when I first discovered the Internet and social media!
NCSA's teaching materials, based on the topics and advice of the national STOP.THINK.CONNECT public cyber education campaign, aim to instill some basic guidelines that students can follow.
Some of the posters created by NCSA teach the following tips regarding the development of strong passwords:
- My password is long.
- My password mixes LeTtERs #umbers AND $ymbol!#
- My password has 8 characters or more.
- My Password mixes uPpEr and LoWer case L3++3r$, Num&3r$ and $ym&0!$!
For middle and high school students, more advanced activity sheets are provided to get them to think critically about the messages in the above-mentioned posters. One question asks: Experts have determined that a password should have a minimum of eight characters. Why eight and not seven? Why not 25? What is magical about the number eight?
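To put some numbers behind that activity-sheet question, here is an added example (my own, not part of NCSA's materials or the original post) that checks a password against the four poster rules and computes how many guesses an exhaustive search would face for lengths 7, 8 and 25. The rule names, the 8-character threshold and the sample passwords are assumptions chosen for illustration; the character pools come from Python's standard `string` module.

```python
import math
import string

# Character classes named in the poster tips: letters (upper and lower), numbers, symbols.
LOWER = set(string.ascii_lowercase)    # 26
UPPER = set(string.ascii_uppercase)    # 26
DIGITS = set(string.digits)            # 10
SYMBOLS = set(string.punctuation)      # 32

MIN_LENGTH = 8  # the poster's "8 characters or more" (assumed threshold)


def check_password(pw: str) -> dict:
    """Report which of the poster's rules a password satisfies."""
    chars = set(pw)
    return {
        "long_enough": len(pw) >= MIN_LENGTH,
        "has_lower": bool(chars & LOWER),
        "has_upper": bool(chars & UPPER),
        "has_digit": bool(chars & DIGITS),
        "has_symbol": bool(chars & SYMBOLS),
    }


def alphabet_size(pw: str) -> int:
    """Size of the pool a guesser must cover: the union of every class the password uses."""
    chars = set(pw)
    return sum(len(pool) for pool in (LOWER, UPPER, DIGITS, SYMBOLS) if chars & pool)


def search_space_bits(length: int, alphabet: int) -> float:
    """log2 of the number of strings of this length over this alphabet,
    i.e. the worst-case work of an exhaustive guesser, in bits."""
    return length * math.log2(alphabet)


def compare_lengths(alphabet: int, lengths=(7, 8, 25)) -> dict:
    """Search space (bits) for several lengths over one alphabet.
    Each extra character multiplies the space by the alphabet size,
    so there is nothing magical about eight; it is only a floor."""
    return {n: round(search_space_bits(n, alphabet), 1) for n in lengths}


if __name__ == "__main__":
    # Constructed sample passwords: one weak, one meeting every poster rule.
    for sample in ("password", "L3++3r$1"):
        rules = check_password(sample)
        pool = alphabet_size(sample)
        print(sample, rules, "alphabet:", pool, "bits:", round(search_space_bits(len(sample), pool), 1))
    # Full 94-character pool: lengths 7, 8 and 25 side by side.
    print(compare_lengths(94))
```

Running it shows "password" passes only the length rule and lives in a 26-character pool (about 37.6 bits), while "L3++3r$1" meets all four rules over a 94-character pool (about 52.4 bits); over that full pool, seven characters give roughly 45.9 bits, eight about 52.4 and 25 about 163.9, which is the honest answer to "why eight": length, not the number itself, is what matters.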
An overlooked item that may (and should) come later is social media. We have the opportunity to give out so much information via social networking sites, and with many of these sites updating their privacy settings regularly, students may not be aware of the dangers they're putting themselves in by releasing so much personal information. Raising awareness of social media risks, protecting personal information and knowing what one is putting out there is a prime area for educational materials.
Introducing cybersecurity education into the classroom can only help these students, as they will be facing a technological world that many of us can't even fathom. And just as learning to brush your teeth every day at an early age helped in promoting dental health, knowing how to craft a strong password, for example, aids in promoting cyber hygiene.
But information security leaders should also take notice. The schools are taking advantage of the opportunity to educate students on the threats that exist in cyberspace - the vulnerabilities that exist on desktops and devices. But how are public- and private-sector organizations of all types educating their employees and customers about the risks they face?
And we aren't just talking about theoretical risks, either. How many times have we seen employees fired because someone posted private information on a public site? How many organizations have fallen victim to fraud because someone clicked on a bad e-mail? Just look at some recent news items:
As my colleague Tracy Kitten points out in a recent blog, stronger customer and member education is a core tenet of the Federal Financial Institutions Examination Council's new online authentication guidance [See How to Curb ID Theft].
Healthcare organizations are constantly falling victim to data breaches caused by the mistakes of insiders - most commonly unencrypted backup tapes being stolen and employees not monitoring and securing those items properly [See TRICARE Breach Affects 4.9 Million].
With the widespread use of smart phones, organizations everywhere are wrestling with how to secure the mobile devices they issue, as well as the ones employees now bring to work with them. (In fact, get used to the term BYOD - Bring Your Own Device. You're going to hear it a lot going forward.) The U.S. Department of Veterans Affairs is out front of this issue and has just taken steps to ensure the security of the iPads and iPhones its employees will be using [See VA's Plan for Mobile Device Security].
And let's not forget last spring's RSA breach, which impacted not only RSA itself, but also the various organizations and government agencies that utilize RSA's SecurID token. And all because an employee opened up a bad e-mail.
These news events hammer home not just that the cyber threats and risks are real, but that every organization must play a role in educating its employees, partners and customers.
So, while it's good to see the schools talking about cybersecurity awareness, it's time to see more private and public sector organizations acting on the topic.
Don't get me wrong: the National Cyber Security Alliance is a great way to kick off the awareness initiative. We all just need to realize that when these students graduate and enter the workplace, their cyber education has only just begun. The threats are going to continue to evolve, and so must our awareness programs.