Security / Privacy Advice?

James-NSC writes "My employer is changing its policy towards employee use of social networks. I've been asked to give a 40-minute presentation to the entire company, with attendance mandatory, on the security and privacy concerns relating to social networking. While I was putting it together, I ended up with some miscellaneous information that pertains to security/privacy in general, for example: the emerging ATM skimming (mainly for our European employees), a reminder that email is not private, malware/drive-by in popular search results, etc. Since these topics don't directly relate to the subject I've been asked to address, I've ended up with a section titled 'While I have you...' I'm going to have the mandatory attention of every employee and I thought it would be a great opportunity to give advice on security/privacy issues across the board. As it's an opportunity that one seldom gets, I certainly want to utilize it fully. If you had the attention of an entire company with employees in the US, UK, Asia, and Australia, what security / privacy advice would you give?"
  • Make it funny (Score:2, Informative)

    by boxie ( 199960 ) on Thursday September 17, 2009 @07:31PM (#29460555) Homepage

    You don't have to be a comedian, you just need to make sure that your audience is attentive and taking in what you are saying - so - make it funny and have the jokes be the things you want people to remember.

    That, and tell them to be paranoid: "if it seems dodgy, it probably is!"

  • KISS (Score:2, Informative)

    by girlintraining ( 1395911 ) on Thursday September 17, 2009 @07:50PM (#29460763)

    Keep it short, keep it simple. And don't stray off the topic. And you might want to have a handout of the key points.

  • by techno-vampire ( 666512 ) on Thursday September 17, 2009 @08:05PM (#29460873) Homepage
    IT people set up security that's needlessly inconvenient.

    How true! IT people seem to think that if you can make security tighter, you must, even where it doesn't make a difference. I once worked at a company where IT had set things up so that you had to log into three different databases to get your work done. Each one required a different ten-character password with at least one uppercase letter, one digit and one punctuation mark, and they all expired after thirty days. Sound good? What would you say if I told you that all three databases were on the local intranet and not accessible from outside of the firewall? There was no telecommuting, so you had to be on-site to reach the servers in question. The only thing IT did with their draconian password policy was make work harder for everybody, but there was no way to make them understand that.

  • Re:Mandatory? (Score:5, Informative)

    by spinkham ( 56603 ) on Thursday September 17, 2009 @08:34PM (#29461139)

    Good idea, but you'd have to dial it back a notch for most corporations.
    Try these:

    MI6 head outed on Facebook by his wife, with many details. Viewable by all of the "London" network.
    http://www.mailonsunday.co.uk/news/article-1197562/MI6-chief-blows-cover-wifes-Facebook-account-reveals-family-holidays-showbiz-friends-links-David-Irving.html [mailonsunday.co.uk]

    Bank intern fired for lying about a family emergency, then pasting party pics of him dressed up as a fairy on Facebook:
    http://valleywag.gawker.com/tech/your-privacy-is-an-illusion/bank-intern-busted-by-facebook-321802.php [gawker.com]

    Another example of being fired for putting dumb stuff on Facebook:
    http://www.liquidmatrix.org/blog/2009/08/13/social-networking-fail-fail-fail/ [liquidmatrix.org]

    Plenty of fail, safe for work.

  • Re:Mandatory? (Score:3, Informative)

    by tverbeek ( 457094 ) on Thursday September 17, 2009 @08:57PM (#29461319) Homepage

    If you want to point out other security issues, work them into the main topic. "The messages you post on MyFace aren't private... just like your e-mail isn't really private." "Stupid crap that you see advertised on Spacebook can contain viruses... just like random web sites can." "A site that tricks you into thinking it's Twitster can steal your login info... just like a fake ATM can." Etc. That way it's reinforcing the underlying principles, and not looking like an afterthought.

  • BCC (Score:3, Informative)

    by gd2shoe ( 747932 ) on Thursday September 17, 2009 @10:23PM (#29461843) Journal

    Learn what BCC is in e-mail. Never use multiple TO or CC to anyone outside the company, as it can expose a great deal of internal e-mail addresses.

    I can't count the number of people in or out of work that I've told to use BCC. They just don't get the concept, even after explaining it. If you have more than, let's say, about 5 addresses on an email, they really should all go in the BCC field. (Many emails with more than 2 should BCC as well. Depends on context.) If you put more than one address in the "To" field, you should stop and consider for a brief moment.

    Sorry. End rant. (preaching... choir... yup...)
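
The rule in the BCC comment above can be checked mechanically on an outbound draft. This is an added example, not code from the thread; the internal domain `example.com`, the threshold constant, the function names and the sample message are all assumptions made for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

INTERNAL_DOMAIN = "example.com"  # assumption: the company's own mail domain
MAX_VISIBLE = 5                  # the comment's rough limit of "about 5" addresses

# Constructed sample message, not taken from the thread.
SAMPLE = """\
From: alice@example.com
To: bob@example.com, carol@partner.test
Cc: dave@example.com, erin@vendor.test
Subject: Q3 schedule

Schedule attached.
"""


def visible_recipients(msg):
    """Addresses every recipient can read: everything in To and Cc."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr.lower() for _, addr in getaddresses(headers) if addr]


def is_external(addr):
    """True when the address is outside INTERNAL_DOMAIN."""
    return addr.rsplit("@", 1)[-1] != INTERNAL_DOMAIN


def bcc_findings(raw):
    """Report whether a draft should have used Bcc, and what it exposes."""
    visible = visible_recipients(message_from_string(raw))
    external = sorted({a for a in visible if is_external(a)})
    internal = sorted({a for a in visible if not is_external(a)})
    # An outsider in To/Cc can read every other visible address.
    leaks = bool(external) and len(visible) > 1
    too_many = len(visible) > MAX_VISIBLE
    return {
        "external": external,
        "exposed_internal": internal if leaks else [],
        "too_many": too_many,
        "use_bcc": leaks or too_many,
    }


if __name__ == "__main__":
    print(bcc_findings(SAMPLE))
```

A single external recipient alone in "To" is not flagged, since nobody else's address is visible to them.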

  • RFC 2504 (Score:2, Informative)

    by zentechno ( 800941 ) on Thursday September 17, 2009 @11:09PM (#29462099)
    An all-too-quick 40 minutes? At a user/usage level? There's a LOT to choose from, but as a great start, try RFC2504.

    http://www.ietf.org/rfc/rfc2504.txt?number=2504 [ietf.org]

    Pick and choose as appropriate to your needs. We tried to make it very useful as a reference for the generic user. You can even hand out copies if you like. For a bit more detail, and as a good read in case you get asked some lower-level questions, try RFC 2196, more specifically targeted for IT folks, and "Middle Managers" who have to at least be exposed to the concepts.

    http://www.ietf.org/rfc/rfc2196.txt?number=2196 [ietf.org]

    Cheers, Steve

    PS (don't let the fact that these are TEN years old fool you, most of these concerns are still quite current, most companies (read: those of popular OSes) don't exactly *want* people to understand the why's because they start to question the why-not (yet)s. If you found any of this useful, or not, just reply here. Most if not all those email addresses are defunct at this point -- we've moved onto and into other things).

  • The .GOV.UK approach (Score:3, Informative)

    by Aryeh Goretsky ( 129230 ) on Friday September 18, 2009 @01:36AM (#29462869) Homepage
    Hello,

    In the United Kingdom, the Cabinet Office published a short strategy paper on using Twitter. I found it to be quite good, and while it obviously is Twitter-centric, the ideas are applicable to other social networking sites. The document can be downloaded from http://blogs.cabinetoffice.gov.uk/digitalengagement/post/2009/07/21/Template-Twitter-strategy-for-Government-Departments.aspx [cabinetoffice.gov.uk].

    Regards,

    Aryeh Goretsky
  • Re:Mandatory? (Score:3, Informative)

    by martyros ( 588782 ) on Friday September 18, 2009 @09:20AM (#29465389)

    Good advice I've gotten for a presentation:

    1) Have a point. What is the goal of your presentation? e.g., "I want everyone to walk out of the room knowing that..." Try to keep this relatively short, like 3 major, related points. Then focus everything in your presentation around getting across those points. Depending on the type of presentation, I may work the points in to the introduction and the conclusion; but they have to be there implicitly, otherwise your talk will likely just be a bunch of random information, and your audience won't remember much.

    2) Consider where your audience is coming from. You can keep an audience's attention in several ways, but one simple straightforward way is to start with something from the audience's perspective, and keep coming back to the audience's perspective. If you start with a story that connects with them, and then every time you finish some new piece of information you say, "Now, you may be thinking X. Well, ..." and respond to that, hopefully in a way that will lead to your next point.

    3) People remember pictures about 1000x more easily than words, and stories about 100x more easily than plain prose points. Use pictures and stories, but make sure your pictures and stories actually support your point from #1. If you just tell a good joke, or share a crazy-looking picture, everyone will laugh and enjoy the presentation; but if it doesn't have anything to do with your points, they'll remember the picture or the story but not your points. In that case, you might as well have given them a stand-up comedy routine.
