When cyber awareness undermines cyber security

Recently I moderated a workshop on cyber strategy, attended by persons in the Chief Information Officer function at large(r) companies and institutions. As a 70-minute workshop does not produce a cyber strategy for a company, I aimed to create awareness that cyber security is more than just thinking about the PCs or servers of a company and installing more difficult passwords. It looked like everyone went home with a few new insights to deliberate when creating a cyber strategy for their respective companies and institutions. To give away one hint, I started with this question: “You’re about to go on holiday. The car is packed, wife and kids sit in the car and you are the last one in the home. What do you do before you leave?” Should you be interested to learn more, feel free to contact me. But there is more I want to share with you here.

Undermining cyber security
This is not about naming and shaming, which I will not do. I just want to share these examples, as awareness concerning cyber security goes so much further than most people think, and the implications of unconscious choices can be huge for a company or institution. The actual everyday behaviour of employees, behaviour they may not even give a thought to or be aware of, can undermine the security of a company completely. It seems like there is a great lack of understanding of cyber security and the risks of online behaviour, and a great gap in cyber awareness. Let me give two examples.

Two examples from everyday life
Recently I attended a conference. One of the topics was cyber security. At the opening the chair had an iPad in his hands from which he read his notes. In between his main message he remarked that he had more or less had an argument with his young daughter about the iPad going along to work that day. So no gaming for the young lady.

Assuming this is the company iPad, the one that is plugged into the company’s network, let’s ponder the following, and I’m purely hypothesizing here. The daughter does not only play games installed on the iPad, but surfs around a little to free game sites or downloads some illegal copies of games onto the iPad. Who knows what else is on the iPad since then, and plugged into the company’s network?

This comment was made in all innocence, an example of everyday life, a comment we may all make regularly, but the chair also introduced a track on cyber security. It shows how far we still have to go to obtain cyber security, through awareness.

Another presentation had a security officer of a company admitting that he had Facebook on his company’s smart phone. The same sort of questions can be asked here, e.g. on online jokes sent around and opened.

How do these examples tie in to your behaviour and experience?

Cyber security and friends
In other words, the message here is that cyber security does not only involve your workers but perhaps, or most certainly, even the online behaviour of family and their friends.

I fully realise that the trend of mobile devices that have become a part of the office and private realm is unstoppable in 2012, but it goes to show the tremendous challenge cyber security personnel face in making and keeping a company’s ICT safe and secure. It is not only awareness we are talking about, but also the changing of people’s behaviour as a part of that awareness. The ease of use is turning against security. It looks like we humans are the weakest link in this chain. So what answers can industry come up with to make a safer ICT and online environment?

Changing behaviour starts with awareness. Contact me if you would like to know more.

Wout de Natris, De Natris Consult

Leiderdorp, 20 November 2012


About Wout de Natris

As a consultant I specialise in establishing new and different relationships between industry, governments and law enforcement where internet safety and the fight against cyber crime are concerned. This makes me a bridge builder. Hence the blog’s name. In this blog I intend to stress the need for interaction, cooperation and exchange of information in order to change the mentioned relationships. On offer: a comprehensive training on all non-technical aspects of spam enforcement and a cyber awareness presentation for companies and institutions.
