Security awareness is something we hear more and more about these days and there is good reason for it.
The threats posed by hackers and other bad guys on the internet have evolved in recent years. The days of having to worry about nothing more than a virus that played a tune through your computer’s speakers whilst displaying an interesting graphical rendition are long gone. Instead, we live in a world where organised criminals target individuals and businesses in the hope of making money through the theft or ransom of data.
Often, it is said, the root problem in terms of securing computers and networks can be traced back to individual users or employees who slip up because they are not aware of the risks posed within their environment, or how to deal with some of the common attack techniques such as phishing emails.
So how can we build an effective security awareness program?
In my opinion there are two different approaches required. The first revolves around adult users, either at home or in the workplace. Both can benefit from a formalised training program, of which there are many to choose from (so it’s worth taking advantage of a free trial to assess effectiveness ahead of committing to one).
The second option is one that takes a much longer-term view though. As such, it will not be of benefit to the current working age generation, but it will pay dividends in the future. That is to say, we need to start building security awareness and training into the educational curriculum.
Students nowadays have a very different outlook to their parents, which is why many cannot go to mum and dad to get good advice on the topic.
When I was at school (and I’m not so old even now) none of the students had heard of the internet, and seeing computers networked together wasn’t exactly a common occurrence.
Contrarily, my kids were introduced to the web from their first year in primary school.
My first computer was a ZX81 (remember those?), followed by a ZX Spectrum then a BBC Micro. By the time you factor in tape decks, power bricks, etc. they were hardly portable and so never left home.
Children these days think nothing about slipping an infinitely more powerful smartphone into their pocket before the school day even starts though. And, with the way technology marches ever forward, they are happy to discard those devices every couple of years as they become seemingly obsolete. Maybe I’m showing my age, but they don’t seem to value such devices, which probably explains why my kids’ friends (my children know the value of money) are never too distraught when they lose their phones (I’m sure they think that’s the quickest way to get an upgrade).
What they don’t consider, however, is the security aspect of losing a device. If they are seemingly unaware of the financial cost of replacement of the device itself, how are they ever going to value the data stored on their phone?
Considering how many children I know who don’t use pass codes on their phones – “whatever. yoyo,” seems to be the stock reply to advice given (whatever that means) – it concerns me how they then use them for, well, everything. From online banking to taking risqué photos, to commentating on every moment of their lives on Facebook, the lack of awareness is shocking.
And yet this is the time when we can make the most difference. Children typically learn things quicker than adults and often retain information far better than we do, especially it seems where shiny new tech is concerned.
So, as much as the home user needs a bit of guidance, and the employee needs a robust and on-going training and awareness environment, perhaps the ‘yoof’ of today should be the key area in which society as a whole targets its efforts?
It’s pleasing to see that the Department for Business, Innovation and Skills has recognised the skills shortage in the area of cyber security and that it is considering teaching children about careers in the industry from age 11 upwards, but surely we can do better than that?
I’m aware that there are some groups who do go into schools and give some excellent advice on computer security, but these appear to be one-offs.
Instead of that, perhaps we could introduce discussion about security and privacy into the computer science curriculum itself?
Several years at school talking and learning about what would happen if someone got hold of your Facebook account, gained access to your personal photos or posted malicious tweets on your Twitter account would see students leave the educational system with a good sense of how such issues affect them personally. By the time they enter employment they will be predisposed towards a security mindset which will benefit their employer immensely.
What do you think?
Should security awareness be a topic first introduced in the workplace or should it be something that is firmly embedded before the final school bell rings?