
Security / Privacy Advice?

Posted by kdawson
from the all-ears dept.
James-NSC writes "My employer is changing its policy towards employee use of social networks. I've been asked to give a 40-minute presentation to the entire company, with attendance mandatory, on the security and privacy concerns relating to social networking. While I was putting it together, I ended up with some miscellaneous information that pertains to security/privacy in general, for example: the emerging ATM skimming (mainly for our European employees), a reminder that email is not private, malware/drive-by in popular search results, etc. Since these topics don't directly relate to the subject I've been asked to address, I've ended up with a section titled 'While I have you...' I'm going to have the mandatory attention of every employee and I thought it would be a great opportunity to give advice on security/privacy issues across the board. As it's an opportunity that one seldom gets, I certainly want to utilize it fully. If you had the attention of an entire company with employees in the US, UK, Asia, and Australia, what security / privacy advice would you give?"
  • Mandatory? (Score:5, Insightful)

    by DoofusOfDeath (636671) on Thursday September 17, 2009 @07:30PM (#29460549)

    I'm going to have the mandatory attention of every employee

    No, you're going to have the mandatory presence of every employee. And unless you make the talk riveting, every second of unnecessary content will make them despise you more.

    • Re:Mandatory? (Score:5, Insightful)

      by CannonballHead (842625) on Thursday September 17, 2009 @07:42PM (#29460673)
      I have found that food helps everyone like you more; perhaps he should provide lunch. Or at least cookies.
      • by theeddie55 (982783) on Thursday September 17, 2009 @08:02PM (#29460859)
        But cookies can cause security problems if not handled properly.
    • Re:Mandatory? (Score:5, Insightful)

      by PylonHead (61401) on Thursday September 17, 2009 @07:48PM (#29460741) Homepage Journal

      This is correct.

      Present just the information you've been tasked to convey.

      Present it in at least 2 different ways.

      Take questions.

      Summarize once more and let them out early.

      Honestly, the more you try to cram in there the less they're going to take away.

      • Re:Mandatory? (Score:5, Insightful)

        by BadAnalogyGuy (945258) <BadAnalogyGuy@gmail.com> on Thursday September 17, 2009 @08:10PM (#29460933)

        Have you ever tried growing tomatoes? It's very difficult because there are lots of things that can go wrong. Bugs, bad soil, wind, even the tomatoes themselves can be too heavy and break off the vine. It's not a matter of planting the seed and then letting it grow. You've got to be involved almost every day to make sure the growth is under control, that the vine is tied where it needs to be, that the plant is properly pruned so that you don't end up with a scraggly set of leaves and scrawny tomatoes. It's a very difficult, but very rewarding activity.

        So when you say:
        Take questions.

        You are wrong.

        Ask questions. If you want your audience involved, you need to solicit feedback. You can't expect them to come with any questions, so you need to frame your speech to include questions *to* your audience so that they become part of the program, not just spectators.

        • Re: (Score:3, Insightful)

          by dave562 (969951)

          I like the idea of asking questions. In the context of the speech the speaker might ask, "When was the last time you were in danger of having your personal information compromised?" He can then go on to offer a couple of examples that illustrate his point of how wide spread the problem is.

          • Re: (Score:3, Insightful)

            by wisty (1335733)

            Another good question: Who has ever sent an email that they wouldn't want a third party reading?

        • by PylonHead (61401)

          Sounds like a good idea to help engage people.

          But seriously, "Take questions. You are wrong." Perhaps that was a little strongly worded. I mean, it's hardly controversial to take questions at the end of a presentation.

        • Re: (Score:2, Interesting)

          by a09bdb811a (1453409)

          This is the worst possible advice. It's a presentation, not a seminar. There's nothing more annoying than some blowhard trying desperately to get the audience involved. Present what needs to be presented and be receptive to questions if, when, and as they come. But don't block by trying to dig for responses.

      • by TheCarp (96830) *

        I would agree. However, I don't agree that these topics can't be worked in, or better, tied in.

        How is a social networking site different than hanging out in a bar with your friends? There are risks in both places, but there are similarities that can be drawn between the risks. An analogy can be drawn between phishing attacks arranged through social networking sites and ATM skimming.

        How do you protect yourself? Similarities there too: Pay attention. Be skeptical. Still, it might not be enough, true in both cas

    • Re: (Score:2, Insightful)

      Boobs. No really. Find a ton of pictures of chicks that they posted and regretted.

      Put under it: "Do you want this to be your personal data?" On the next slide: "Once it's on the internet, it'll never be off the internet."

      Maybe separate presentations based on gender/sexual orientation.

      1) Everyone will be captivated.
      2) It'll make the point rather clear.

    • by EkriirkE (1075937)
      Be mindful what is considered sexual harassment, too.
    • Re:Mandatory? (Score:5, Insightful)

      by commodore64_love (1445365) on Thursday September 17, 2009 @08:09PM (#29460921) Journal

      >>>every second of unnecessary content will make them despise you more.

      I love mandatory meetings.

      It's a great opportunity to get paid $50 for doing absolutely nothing for an hour. Score!

      • Re: (Score:3, Insightful)

        by Mikkeles (698461)

        I really hate doing nothing at work; I'd rather do my job.

    • Re: (Score:3, Informative)

      by tverbeek (457094)

      If you want to point out other security issues, work them into the main topic. "The messages you post on MyFace aren't private... just like your e-mail isn't really private." "Stupid crap that you see advertised on Spacebook can contain viruses... just like random web sites can." "A site that tricks you into thinking it's Twitster can steal your login info... just like a fake ATM can." Etc. That way it's reinforcing the underlying principles, and not looking like an afterthought.

    • Re: (Score:3, Informative)

      by martyros (588782)

      Good advice I've gotten for a presentation:

      1) Have a point. What is the goal of your presentation? e.g., "I want everyone to walk out of the room knowing that..." try to keep this relatively short, like 3 major, related points. Then focus everything in your presentation around getting across those points. Depending on the type of presentation, I may work the points in to the introduction and the conclusion; but they have to be there implicitly, otherwise your talk will likely just be a bunch of random

  • Make it funny (Score:2, Informative)

    by boxie (199960)

    You don't have to be a comedian, you just need to make sure that your audience is attentive and taking in what you are saying - so - make it funny and have the jokes the things you want people to remember.

    that and tell them to be paranoid "if it seems dodgy, it probably is!"

  • Can't hear you (Score:3, Insightful)

    by sakdoctor (1087155) on Thursday September 17, 2009 @07:32PM (#29460569) Homepage

    Too busy leaking private info on my crackberry.

  • krsmav (Score:5, Insightful)

    by krsmav (1410223) on Thursday September 17, 2009 @07:37PM (#29460637)
    When you have a captive audience, the temptation is nearly irresistible to force-feed them something they wouldn't willingly listen to. Put yourself in their place. Don't say anything that you would resent being forced to sit through. Keep it short and jargon-free, and lighten up if possible.
  • by sfled (231432) <<sfled> <at> <yahoo.com>> on Thursday September 17, 2009 @07:43PM (#29460675) Journal

    Secure the PC & software you're going to use in the presentation, just to keep pranksters or jealous peers from having fun at your expense. Terribly embarrassing to give a talk on security while boobies are flashing on the screen behind you.

    • Secure the PC & software you're going to use in the presentation, just to keep pranksters or jealous peers from having fun at your expense. Terribly embarrassing to give a talk on security while boobies are flashing on the screen behind you.

      ...but great for getting the audience's attention. Between the "Oooh, Pwnies" commenters, "Hahaha, Boobies" leerers and "Help, I'm being harassed" brigade (and yes, I expect there will be representatives of all genders and orientations in all three groups if the audience is large enough), it'll *definitely* be *noticed*. Possibly career-limiting, but *definitely* noticed.

      • Re: (Score:3, Insightful)

        by L4t3r4lu5 (1216702)
        Create an embarrassing or humorous photo out of several employees on Facebook, ones which you will see in the meeting. Leave enough so they know where the image came from, but make the composite odd enough (even use your own face for extra brownie points) to leave a lasting memory for everyone without identifying people easily. The people who see their own photos will either laugh or be uncomfortable, but the point is made.
  • by nethenson (1093205)
    "I'm going to have the mandatory attention of every employee and ..."

    Wrong. You are going to have the mandatory presence of every employee, but their attention is something you will have to earn.
  • One line (Score:5, Funny)

    by antifoidulus (807088) on Thursday September 17, 2009 @07:44PM (#29460687) Homepage Journal
    "If you wouldn't expose your wang to your co-workers at the water cooler, don't do it online"
  • by Saija (1114681) on Thursday September 17, 2009 @07:44PM (#29460689) Journal

    on the security and privacy concerns relating to social networking

    I'm a little confused here: are the employees of your company using social networks at work? If so, why on earth don't you block access to these sites?
    Note to myself: don't use /. at work

    • Re: (Score:3, Insightful)

      by piojo (995934)

      Maybe they treat their employees like adults and allow them to take breaks at times. Installing an internet filter is almost demeaning. It's kind of like drug testing, in fact. Companies that pull this shit don't believe in evaluating employees based on performance--instead, they really, really want you to follow the rules.

      • Re: (Score:3, Interesting)

        by ajlisows (768780)

        I agree with you to some extent. The place I work is small (somewhere in the 80-100 desktop/laptop range) and did not have any security/internet policies in place whatsoever. We are a subsidiary of a much larger foreign company and they asked us to draft something up. The job fell to me. I considered internet filtering and decided that we should block sites that could possibly cause liability issues for the company. My list? Porn sites, for a few reasons. I figure if someone sees there is the possibil

    • by fluffy99 (870997)

      Sure you can block the handful of ones that you know about. But if that's all you rely on, be prepared for it to become a game of whack-a-mole, as the number of sites is growing. Do you really want to have to police this? Or would you rather put out a clearly defined policy, show the users you trust them to behave instead of treating them like inmates, and hammer the few folks that are too dense to follow the policy?

    • "are the employees of your company using social networks at work? If so, why on earth don't you block access to these sites?"

      You can't block access to these sites for employees that work out of the office.

      If the wifi signal from the coffeehouse next door is leaking through your walls, you can't even block access to employees in the office, unless you firewall inside every box, lock down every box, and forbid employees from using their own gear on the premises. Good luck with that.

      Unless mind-control tec

  • by Kohath (38547) on Thursday September 17, 2009 @07:44PM (#29460693)

    Educating your users is useful. You'll probably do a good job. Tell them not to download and install anything "fun" for Windows.

    I find that IT people get security wrong far more often than users, though I'm used to working with sophisticated users. IT people setup security that's needlessly inconvenient. The users then spend their time circumventing that security to get their work done. Users do things like writing their password down on a post-it, using skype, setting up logmein.com on their PC, or posting a document on a public site. They do this because IT forces elaborate password schemes and won't support remote logins or other external communications.

    IT needs to be responsive to user needs for security to work right in an organization.

    • by techno-vampire (666512) on Thursday September 17, 2009 @08:05PM (#29460873) Homepage
      IT people setup security that's needlessly inconvenient.

      How true! IT people seem to think that if you can make security tighter, you must, even where it doesn't make a difference. I once worked at a company where IT had set things up so that you had to log into three different databases to get your work done. Each one required a different ten-character password with at least one uppercase letter, one digit and one punctuation mark, and they all expired after thirty days. Sound good? What would you say if I told you that all three databases were on the local intranet and not accessible from outside of the firewall? There was no telecommuting, so you had to be on-site to reach the servers in question. The only thing IT did with their draconian password policy was make work harder for everybody, but there was no way to make them understand that.

      • Re: (Score:3, Interesting)

        >>>The only thing IT did with their draconian password policy was make work harder for everybody, but there was no way to make them understand that.

        Yeah there is.

        - "Hello IT."
        - "Yes I forgot my password." (i.e. lie)
        - "Again? You forgot your password last week too!"
        - "Yeah I know but I use three different servers, and your policy makes me have to reset my password about every 10 days. I can't possibly remember all of them when the word keeps changing all the time."

        After a couple times of these ca

        • by element-o.p. (939033) on Thursday September 17, 2009 @08:43PM (#29461215) Homepage
          Wrong.

          It's not the poor stiff at the helpdesk who sets policy; it's the extraneous middle manager five levels up who doesn't give ${rodent}'s ${anatomical feature} about how difficult it is for the working-class saps, so long as he can tell his SoX auditor that they are abiding by a secure policy. BTDT, got the T-shirt.
          • by Alpha830RulZ (939527) on Thursday September 17, 2009 @11:44PM (#29462289)

            and they expire the account if you don't log in every 30 days. Which you don't if you did it right the first time. Which happened to me yesterday. And cost us 9 hrs of customer visible downtime until the drone in distributed systems management could reset the account. Who was out on a dental appt. Whose backup didn't have a login on the system. Because of an expired account. No shit.

            But I rant...

        • by Kohath (38547)

          Our IT would handle this in two ways:

          1. Take a variable amount of time and then change the password for you. Continue to do it. Over and over and over and over. Act clueless when asked why they don't just fix the underlying problem. You can log in now, what are you complaining about?

          or

          2. Ignore you.

          You can't get your work done? Stop forgetting your password or we'll hire someone with a better memory.

    • by rantingkitten (938138) <kitten AT mirrorshades DOT org> on Friday September 18, 2009 @01:05AM (#29462713) Homepage
      Tell them not to download and install anything "fun" for Windows.

      Alright, the zealot in me just has to step up.

      The overwhelming majority of rank-and-file office workers don't even need Windows. Really. They don't.

      They need email, web browsing, spreadsheets -- usually nothing particularly demanding -- IM, and not much else. In this day and age of online CRMs and such, most office workers could get away with little more than a browser.

      Why are these people even using Windows?

      Sure, there are always the accountants who have that Excel macro they wrote eight years ago that absolutely will not translate into Open Office. Fine. And you have those three guys who use specialised CAD software. Great. Those people can use Windows.

      But the vast majority of the sales crew, administrative staff, and damn near everyone else, does not need Windows. Why are we pouring such huge amounts of money into this crap?

      "But kitten! We have an application written thirty seven billion years ago that only works on IE!"
      Great. You can either spend a bit now to rewrite it so it works on any platform, or you can continue to throw thousands of dollars and thousands of manhours, year after year, at the effort of keeping this thing propped up. When are you going to throw in the towel?

      "But kitten! The retraining! My team only knows Windows!
      No. Your team does not "know" Windows, any more than they "know" engines because they drive a car. They know, by pure memorization, that for email they should click this, for the shared network drive (which they probably call "the office drive") they click that, and for Word they click here. They know how to use a couple of applications but that is not OS-specific. The reality is, if you installed Ubuntu on every one of your sales team's computers, and told them "It's, like, the new Windows Longhorn!", they'd grouse about it for a day and get over it. Your "team" does not "know Windows". You didn't train them in "Windows", you trained them to know your specific business applications, most of which are online and are therefore OS agnostic.

      So you can either throw more and more money and manhours at keeping your staff on Windows because they "know" Windows, but curiously need to be told over and over how not to break Windows by downloading things, and lose hours of time because they effed-up Windows once again and had to wait for IT to re-image the machine...
      ...or you can have them stop using Windows because they don't need it.

      sigh.


      I know, yes, I know, there are always those few situations where Windows is necessary. And some smartass always has to pipe up with "Well, in MY company we have this GUY who has a Windows only APPLICATION and we couldn't SURVIVE..."

      Spare me.

      The truth is we -- as an IT professional collective -- throw so, so, so much money and time at keeping the Windows lusers safe. Trying to "educate" them, fruitlessly. Tracking licenses. Buying more upgrades. Making sure to roll out new "virus definitions". Admonishing users time and time and time and time again: "Stop downloading that. Don't install that. Quit forwarding that email. Don't click that for god's sake."

      When is it time to stop treating the symptoms? Attack and remove the cause, which is Windows. If Windows is not exactly the cause, per se, it is certainly the enabler.

      Please note: Using Linux (or any other OS) will not stop idiots from chattering about private company information in public. But that is a managerial problem, not a technical problem.

      Note that using Linux will not stop your idiot employees from naming names on Facebook and Myspace and Diggwoot and Farkmeme. But that is a managerial problem, not a technical problem.

      Using Linux WILL prevent your employees from contracting viruses that email random -- often confidential -- documents to random
  • by 3Cats (113616) on Thursday September 17, 2009 @07:47PM (#29460713)

    explain to them that's MY FREAKIN BACON SANDWICH in the fridge! I had my NAME ON IT!!

    Farkin' lunch thieves...

    • Pick something poisonous but tasteless. Nothing lethal.

      Make sandwich with substance.

      Sit and wait.

      • Re: (Score:3, Funny)

        And spend several years in jail for 3rd degree manslaughter. A wiser course is to use something harmless but effective, like laxative or syrup of ipecac.

        "Hey John you've been disappearing a lot. Are you sick?"
        "Yeah man... I threw up."
        "Huh. Hey did you happen to see what happened to my sandwich? Some fool ate it. I'm glad I'm not him because it's a week old."

        • What part of 'nothing lethal' did you miss?

          Just a poison that makes them sick, I'd consider syrup of ipecac a poison.

          • by gandhi_2 (1108023)
            syrup of ipecac should only be administered under order of a physician. it's fallen out of favor because you only throw up around 85% of your stomach contents and about 15% of people don't throw it up at all.... and it's a cardiotoxin....so all the non-puked ipecac starts to poison you. so you would be poisoning them. besides, the smell would give it away.
          • Re: (Score:3, Insightful)

            by tomhudson (43916)

            Better yet, put a teaspoon of methylene blue in a 1- or 2-litre bottle of coke or pepsi.

            Let suspect drink it.

            Let them get all alarmed the next day because they're peeing green or purple.

            Just a couple of drops in a glass does the job.

  • by Anonymous Coward

    Tell them how to look out for individuals within the company that may be involved in corporate espionage and point out key characteristics of suspects:

    Unexplained Affluence - they have more money than you would expect from their job/life.

    Undue Interest - they show up in your department asking questions but have no work-related purpose.

    Affiliation - they express low affiliation with the company, or high affiliation with other interests.

    Work Issues - they are not happy with their work or feel that they have n

    • Yes, I'm serious.. you forgot the biggest one.. the whole "porn name" meme.

      You know these ones - they're very popular on social sites.. they ask you to post your mother's maiden name with the street you lived on, or your favourite pet with your first crush's last name, etc..

      Think about the "lost password" questions most websites use... what do they ask?

  • by syousef (465911) on Thursday September 17, 2009 @07:47PM (#29460725) Journal

    My employer is changing its policy towards employee use of social networks. I've been asked to give a 40-minute presentation to the entire company, with attendance mandatory, on the security and privacy concerns relating to social networking.

    Correct me if I'm wrong but that just sounds to me like your employer is going to start blocking Facebook, Myspace, Youtube, private email, and possibly everything else your filtering software classifies as social networking. Or at least a prelude to this.

    If I'm right, the only opportunity you're being given here is to become the public face of a very unpopular move. Adding a lecture on security to this will only irritate people who'll be thinking "Well it's not going to matter anyway once it's blocked". It's going to be very difficult to come across as anything but condescending. People are quite likely to associate the decision with you personally. Your aim should be to stay brief and informative, not to "utilize" the opportunity, because it's an opportunity for social suicide. Ideally this should have been undertaken by email, been short and been to the point.

    • Puts already blocked all that. No complaints. Ya should be working not socializing anyway.

      • by QuantumG (50515) *

        Henry Ford called, he wants his Scientific Management textbook back.

        A happy employee is a productive employee. Modern management is about making employees feel valued and trusted. They do their job because they get satisfaction out of it, not because someone is behind them cracking the whip.

        Banning social networking sites is the exact opposite of what you need to do. You should be encouraging your employees to have fun at work while showering praise on their work. Yes, saying "thank you for doing your j

        • Re: (Score:3, Insightful)

          Don't blame Henry. He was part of the deal, but he was just doing what that fascist Taylor said to do. Taylorism needs to be obliterated.

      • by syousef (465911)

        Puts already blocked all that. No complaints. Ya should be working not socializing anyway.

        Spoken like a fool that thinks working means talking to a machine and not to other human beings. You shouldn't be spending excessive time on personal communication BUT that does not mean you don't talk to people and social networks CAN be a good way to do it under the right set of circumstances. If you need to treat your employees like thieves that will take every opportunity to slack off you have MUCH bigger problems

    • Sounds like they are going for a more nuanced approach (and should be applauded for doing so). If they were going to cut it off a simple email would be explanation enough.
    • I used to work for a Fortune 10 company. They did surveys to see where we could improve internally. When the results were released, management would create (or pay to have made) an 8 hour training session. At the end, they would explain what happened. We complained, and were punished. They would report the training was a success and that if we complained again next year, we'd take the *same* course. Another 8 hours of mandatory non-work.

      They would solicit for people to help drive the training sessions

      • by syousef (465911)

        At the end, they would explain what happened. We complained, and were punished. They would report the training was a success and that if we complained again next year, we'd take the *same* course. Another 8 hours of mandatory non-work.

        If you're going to have your time wasted, why care that it's the same 8 hour training session. In fact since you're getting nothing from it the consistency means you can slack off and still answer questions about the training. I'd say complain away.

  • or at least mind-numbing forgetfulness.

    Use of the Internet should generally be remembered to be nonsecure and suspect.

    Lots of people will forget, because they are tired, pushed, harangued, or pissed off at their boss or coworkers.

    Trying to instill constant vigilant attitudes will be REAL tough.

    Maybe Browser pop-ups reminding employees of the latest intrusion or hazard of the day is not so bad as a reminder. (Please no bricks) If I was to design a popup, it would be a one liner with a link for more info. an

  • by Kyle (4392) on Thursday September 17, 2009 @07:48PM (#29460733)

    Everyone knows you need a secure password. Now show them the log of the 3k connection attempts to the SSH port that occurred overnight.

    Unknown Entries:
                authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.46.49.199 : 2366 Time(s)
                authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.205.44 user=root : 364 Time(s)
                authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=140.116.236.46 user=root : 80 Time(s)
                authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.205.44 : 73 Time(s)

    Maybe ask permission to do a live demonstration of a password cracking tool. See how many passwords you can get in 2 minutes. This may be dangerous though, hide the results, just show the usernames, you don't want to find out who is using the CEO's wife's name as a password.

    Really get their attention with some specifics like that.
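    The logwatch-style counts above are what such a demo usually ends up showing. The block below is an added example, not code from the post: it parses raw pam_unix sshd failure lines (the constructed sample uses documentation-range addresses, not the addresses in the post), aggregates failures per source host and per attempted user name, and flags sources above a threshold. The threshold value is an assumption for the example, not a recommendation.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the pam_unix(sshd:auth) format; the addresses,
# user names and counts are made up for this example.
SAMPLE_AUTH_LOG = """\
Sep 17 23:01:02 host sshd[4021]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=root
Sep 17 23:01:03 host sshd[4023]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=root
Sep 17 23:01:05 host sshd[4025]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=admin
Sep 17 23:02:11 host sshd[4040]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7
Sep 17 23:02:12 host sshd[4041]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7 user=oracle
Sep 17 23:05:40 host sshd[4077]: Accepted publickey for alice from 203.0.113.5 port 51022 ssh2
Sep 17 23:06:01 host sshd[4090]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5 user=alice
"""

# rhost= is always present on these lines; user= is typically absent when the
# attempted name was not a valid local account, which is why the post's log
# shows some lines without it.
FAILURE_RE = re.compile(
    r"pam_unix\(sshd:auth\): authentication failure;.*?rhost=(?P<rhost>\S+)"
    r"(?:\s+user=(?P<user>\S+))?\s*$"
)


def parse_failures(log_text):
    """Yield (rhost, user) for each sshd auth failure line; user is None
    when the line carries no user= field."""
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if m:
            yield m.group("rhost"), m.group("user")


def summarize(log_text):
    """Return {rhost: {"total": n, "users": Counter({user_or_None: n})}}."""
    summary = defaultdict(lambda: {"total": 0, "users": Counter()})
    for rhost, user in parse_failures(log_text):
        summary[rhost]["total"] += 1
        summary[rhost]["users"][user] += 1
    return dict(summary)


def brute_force_sources(log_text, threshold=3):
    """Hosts whose failure count reaches the threshold, busiest first.
    The default threshold is an arbitrary value for this example."""
    hits = [(host, s["total"]) for host, s in summarize(log_text).items()
            if s["total"] >= threshold]
    return sorted(hits, key=lambda t: (-t[1], t[0]))


def format_report(log_text):
    """Render one logwatch-style line per (rhost, user), busiest host first."""
    lines = []
    by_host = sorted(summarize(log_text).items(), key=lambda kv: -kv[1]["total"])
    for rhost, s in by_host:
        for user, n in s["users"].most_common():
            user_part = f" user={user}" if user else ""
            lines.append(f"rhost={rhost}{user_part} : {n} Time(s)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(SAMPLE_AUTH_LOG))
    print("brute-force candidates:", brute_force_sources(SAMPLE_AUTH_LOG))
```

    Run it against /var/log/auth.log or the journal export for one night to produce the same kind of table the comment shows; the per-user breakdown is what makes the point to a non-technical audience, because it shows which account names attackers guess first.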

    • by s.d. (33767) on Thursday September 17, 2009 @10:03PM (#29461751)

      You really think that secretaries and accountants and HR reps, who are being forced to sit through a "don't put stupid shit on Facebook because it reflects badly on us" or "don't Twitter about company business or you'll get fired" presentation would understand or care about brute force ssh attacks?

      Everyone is being told, "This discussion of social networking and how to protect yourself and the company is mandatory." Don't waste their time with things that they won't understand and are totally off-topic.

      • by forkazoo (138186)

        You really think that secretaries and accountants and HR reps, who are being forced to sit through a "don't put stupid shit on Facebook because it reflects badly on us" or "don't Twitter about company business or you'll get fired" presentation would understand or care about brute force ssh attacks?

        Of course they don't care. That's the point of making a presentation. Do it well, and you can make them interested enough to not be belligerent to policy. They can't know about the strangers in the ethers alway

    • I've shown people these kinds of logs in real time. It does get a message across, though it's not clear whether the effect lasted.

      So to get a real improvement, show them those logs and then give them practical advice on using a good password management system.

  • Like the animal kingdom, if it looks interesting and has lots of bright colors, it is probably deadly. Stay away.

    Don't post anything online that you wouldn't want your grandmother, pastor and organized criminals to see. Or, don't post anything that shows anything you wouldn't want your pre-teen daughter to be doing.

    Terms of service change on a whim. There is no such thing as online privacy. The internet never forgets. Don't trust the delete key. Don't say in e-mail what you wouldn't be willing to say

    • Re: (Score:3, Insightful)

      by MichaelSmith (789609)

      Don't use your internal password for anything external, like your hotmail account.

      If you need to share your data with co-workers don't give them your password so they can log in and do it.

      If in doubt, don't.

    • BCC (Score:3, Informative)

      by gd2shoe (747932)

      Learn what BCC is in e-mail. Never use multiple TO or CC to anyone outside the company, as it can expose a great deal of internal e-mail addresses.

      I can't count the number of people in or out of work that I've told to use BCC. They just don't get the concept, even after explaining it. If you have more than, let's say, about 5 addresses on an email, they really should all go in the BCC field. (Many emails with more than 2 should BCC as well. Depends on context.) If you put more than one address in the "To" field, you should stop and consider for a brief moment.

      Sorry. End rant. (preaching... choir... yup...)
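      The two rules in the comment above (no visible co-recipients when an outsider is on the message, and Bcc once the list passes about five addresses) can be checked mechanically before a message leaves. The block below is an added example, not code from the post: it inspects a draft built with Python's standard email library, decides whether the rule applies, and moves To/Cc into Bcc. The internal domain and the addresses are constructed for the example.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Assumed company domain for this example; the post names none.
INTERNAL_DOMAIN = "example.com"


def visible_recipients(msg):
    """Every address a recipient can read off the headers: To plus Cc."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr.lower() for _, addr in getaddresses(headers) if addr]


def is_internal(addr, internal_domain=INTERNAL_DOMAIN):
    return addr.lower().endswith("@" + internal_domain.lower())


def needs_bcc(msg, internal_domain=INTERNAL_DOMAIN, max_visible=5):
    """Apply the comment's two rules:
    1. with any external recipient present, more than one visible address
       exposes the rest of the list to an outsider;
    2. more than max_visible addresses should go in Bcc regardless."""
    visible = visible_recipients(msg)
    has_external = any(not is_internal(a, internal_domain) for a in visible)
    return (has_external and len(visible) > 1) or len(visible) > max_visible


def enforce_bcc(msg, internal_domain=INTERNAL_DOMAIN, max_visible=5):
    """Move To and Cc into Bcc in place when needs_bcc() says so; To is set
    to the sender so the header is not empty. Returns msg either way."""
    if not needs_bcc(msg, internal_domain, max_visible):
        return msg
    hidden = visible_recipients(msg)
    del msg["To"]
    del msg["Cc"]
    msg["To"] = str(msg["From"])
    msg["Bcc"] = ", ".join(hidden)
    return msg


def build_message(sender, to, cc=(), subject="Quarterly update"):
    """Construct a draft; the addresses passed in are made up for the example."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(to)
    if cc:
        msg["Cc"] = ", ".join(cc)
    msg["Subject"] = subject
    msg.set_content("Hello all.")
    return msg


if __name__ == "__main__":
    draft = build_message("alice@example.com",
                          ["bob@example.com", "carol@example.com", "dan@partner.org"])
    print("needs Bcc:", needs_bcc(draft))
    print(enforce_bcc(draft).as_string())
```

      Note that smtplib's send_message strips the Bcc header before transmission, so the hidden list never reaches the recipients; the leak the comment describes happens only through To and Cc.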

  • by beefnog (718146)
    If your company has branches in all of those regions, chances are there are quite a few people in the crowds that feel their time is worth far more than yours. I would create a supplemental handout / electronic document rather than discussing points that aren't in the exact scope of what you've been asked to discuss. Speak specifically about social networks. Provide literature about your other concerns.
  • KISS (Score:2, Informative)

    Keep it short, keep it simple. And don't stray off the topic. And you might want to have a handout of the key points.

  • Nothing says Commitment to Quality like deciding that 40 minutes is the right length of time for an important lesson, then assigning someone else to creating the lesson content.

    As others have noted, people are already going to be surly about a mandatory meeting. For those people who actually use social networks, they're going to be surly about whatever restrictions your company has decided on. You can buy a bit of forgiveness by letting them out early. It might seem like you're passing on a golden opp

  • If you (Score:3, Funny)

    by msimm (580077) on Thursday September 17, 2009 @07:54PM (#29460797) Homepage
    If you do it naked no matter how dull the content it will be an event they shall all long remember!
  • It would save some of us the trouble of putting similar material together if you could post the presentation somewhere.
  • What's the actual change in policy that's the main target of your talk ? If you're just going to tell them that "you can't hit Facebook from work anymore" or "If you ever blog about the company we'll fire you" then you will have lost your audience already. Anything else you tell them may even be counter productive because it will be associated with the main negative message you just delivered.

    In fact, along the same lines, if someone else decided this policy change (which I'm assuming is not "employee

  • by omkhar (167195) on Thursday September 17, 2009 @07:59PM (#29460839)

    Are you part of the security team? If not, perhaps this is more the domain of your security guys than yourself. I'd also get the buy-in of HR. As with most policy changes (especially ones with a reprimand) you gotta make sure HR is on side. Legal for good measure too - i.e. are you asking something which is illegal of the employee? I know it's a stretch, but CYA.

  • by billybob_jcv (967047) on Thursday September 17, 2009 @08:06PM (#29460891)

    Will you tell them that although no one in IT has the time to monitor email, if an employee pisses off someone in management or HR enough that they become the target of an "investigation", then every stupid little email where an f-bomb was dropped between friends or the hot chicks ta-tas are discussed will suddenly be used as "evidence" of violation of corporate policy and they will be terminated?

    Not that it's happened to me - I'm just sayin'...

  • I always tell our new starters not to share or write down passwords. Of course some of them will - generally the higher paid ones. At least this way we have tried and they can't claim that they didn't know because nobody ever reads the policy documents!
  • Advice (Score:5, Interesting)

    by Anonymous Coward on Thursday September 17, 2009 @08:18PM (#29460999)

    I gave a similar presentation to a smaller group. My advice would be to do a live demonstration on the actual information that one can get from a social networking site. For example, I pulled someone's information from the social networking site, googled them using stuff I learned about them from facebook, found their email address, home address, and phone number. Using this information I was able to find out friends and family members of theirs, including photos etc. I also found their myspace page and looked up other social networking, dating, etc. sites. Off of other social networking sites, I started to build a profile in my talk about what type of person this was and also talked about additional things I might be able to gather, if I had malicious intent.

    I used this talk as a means to introduce other security related issues such as email encryption, etc. I did not go into any details of those things, but I did introduce them and asked if they would be interested in learning a little more about those topics. People overwhelmingly asked me to do another series of small presentations on additional security topics, as many were shocked at how much information I was able to gather.

    Don't put too much on your plate as it will be difficult to focus on your main task and it might not go over too well. Security is a huge issue and every topic cannot be done justice in one presentation. However, if you do your main presentation right, you can get people interested in how it really impacts them.

    I hope this helps out a little. Good luck!

  • None And Then Some (Score:3, Interesting)

    by DynaSoar (714234) on Thursday September 17, 2009 @08:24PM (#29461055) Journal

    "If you had the attention of an entire company...."

    I'd tell them I have put together a collection of security/privacy related issues that may or may not relate to things at work but definitely relate to their personal life computer use. But rather than take up more of their time by covering it here and now, I'm going to offer to send it to anyone who wants it. They can request a copy by emailing me at username at domain dot top. Thank you, and have a nice period of planetary rotation.

    The bosses will be impressed with the extra work you did and with the fact you let them all get back to work as soon as possible. Everybody will be happy you let them go rather than keep them in the meeting longer. That will improve the probabilities that they'll (1) ask for the supplement and (2) use it, plus (3) remember and use the stuff the company wanted put together. That'll get you a reputation as the IT guy that's tech smart as well as management smart, something that could go a long way towards improving your 'situation'. At least it could go this way, and knowing that before the fact you could use it to your advantage. For instance: convert the supplementary material to a slide show presentation; tell the bosses now that you have put together and are going to offer the extra material, but only as a freebie sent out upon request rather than take up more of the company's valuable time; and just generally present yourself as confident in your technical and managerial skills, both of which you apply for the good of the company, etc., etc.

    In other words, don't just give it, use it.

  • Since these topics don't directly relate to the subject I've been asked to address, I've ended up with a section titled 'While I have you...' I'm going to have the mandatory attention of every employee and I thought it would be a great opportunity to give advice on [whatever]. As it's an opportunity that one seldom gets, I certainly want to utilize it fully.

    Resist the temptation. It's always a bad idea. That's why you seldom get the opportunity.

  • One thing about security is that people always take shortcuts, and one of the main outcomes of this is that data gets lost when it should never have been copied in the first place. A key example of this is when consultants take a copy of a database so that they can create a program to access the data. They don't need the data, they just need the schema. Get this into people's heads (think 'least necessary information' rather than 'easiest command') and it wouldn't matter how poorly your consultant handles
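    An added example, not part of the comment above: the "they need the schema, not the data" point done in code. It builds a constructed SQLite database with a couple of sample customer rows, then produces a second database that has the same tables, indexes and views but zero rows, which is what someone writing code against the database actually needs. SQLite is an assumption here (the comment names no database); the principle carries over to any engine with a schema-only dump option.

```python
"""Constructed example: copy a database's schema, not its contents.

SQLite keeps every CREATE statement in sqlite_master, so replaying those
statements into an empty database gives a structurally identical copy with
no rows in it.  Table names and sample rows are constructed for the example.
"""
import sqlite3


def build_sample_db():
    """Constructed source database: two customers with card fragments."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (
            id INTEGER PRIMARY KEY,
            email TEXT NOT NULL,
            card_last4 TEXT
        );
        CREATE INDEX idx_customers_email ON customers(email);
        CREATE VIEW active_customers AS SELECT id, email FROM customers;
        -- constructed sample rows, the kind of thing a consultant never needs
        INSERT INTO customers (email, card_last4) VALUES
            ('ann@example.test', '1234'),
            ('bob@example.test', '5678');
    """)
    return conn


def schema_only_copy(src):
    """Return a new in-memory database with src's schema and no rows.

    Objects are replayed in creation order (rowid) so that indexes and
    views are created after the tables they depend on.  Internal entries
    such as autoindexes have NULL sql and are skipped.
    """
    dst = sqlite3.connect(":memory:")
    ddl_rows = src.execute(
        "SELECT sql FROM sqlite_master "
        "WHERE sql IS NOT NULL AND name NOT LIKE 'sqlite_%' "
        "ORDER BY rowid"
    ).fetchall()
    for (ddl,) in ddl_rows:
        dst.execute(ddl)
    dst.commit()
    return dst


def object_names(conn):
    """Sorted names of user tables, indexes and views."""
    return sorted(r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE name NOT LIKE 'sqlite_%'"))


def row_counts(conn):
    """Row count per user table, to show the copy carries no data."""
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master "
        "WHERE type = 'table' AND name NOT LIKE 'sqlite_%'")]
    return {t: conn.execute(f'SELECT COUNT(*) FROM "{t}"').fetchone()[0]
            for t in tables}


if __name__ == "__main__":
    source = build_sample_db()
    dev_copy = schema_only_copy(source)
    print("objects:", object_names(dev_copy))
    print("rows in source:", row_counts(source), "rows in copy:", row_counts(dev_copy))
```

The copy still accepts inserts and the view still works, so the consultant can develop against it with their own test rows; what they never receive is the production data.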
  • Don't Give Advice (Score:5, Insightful)

    by mpapet (761907) on Thursday September 17, 2009 @09:26PM (#29461503) Homepage

    If it's not *specific* company policy, then don't say a word.

    1. Because no good deed goes unpunished.
    2. Humans are incredibly stubborn. Informing them of risks with almost no career consequences AND they'll probably do anyway will be mostly wasted breath.
    3. Sharing remotely related information is not the purpose of the meeting. I have an idea, have the meeting finish on time or early. Incredible, right? It's amazing what happens when people respect the boundaries established by the meeting time.

    I would take the advice and put it on paper, (no corporate letterhead) and call it 'helpful information.' End the meeting by announcing it as a 'bonus gift!' Interested people will take one. Publish a PDF for the international people.

  • Briefly... (Score:3, Interesting)

    by hyades1 (1149581) <hyades1@hotmail.com> on Thursday September 17, 2009 @09:35PM (#29461549)

    Put nothing on-line you wouldn't yell on a street corner.

  • Tell all your web admins to focus on the real security threat - locking down and upgrading servers exposed to the internet. All this hoopla about social networking is great and all, but seriously the threat that will most likely take down your company or network is your exposed equipment and servers. Quit slamming the users with "Don't do this don't do that" crap, policies and spend your time and money on the real threats. Users will do what they can do. If you don't want them to visit Facebook, filter it.
  • Don't post anything on the internet anywhere on the internet if you think it is a risk to you or if you don't want anyone to see it.
  • Presentation Tip (Score:3, Insightful)

    by Lord Byron II (671689) on Thursday September 17, 2009 @09:57PM (#29461709)

    Most people will remember only the first 2-3 minutes and the last 2-3 minutes. The 35 minutes in the middle will become a muddled blur. So make sure you put your most important tips at either end.

  • Be Skeptical. (Score:3, Insightful)

    by Vellmont (569020) on Thursday September 17, 2009 @10:06PM (#29461761)

    There's two kinds of people in the world: Carnies and Rubes. Carnies are the people that are skeptical and always looking for the angle. The rubes are the people who see everything at face value.

    Privacy and security really aren't a lot more than trying to not be a rube. The carnies try to trick the rubes into giving away information, or taking over their computer by installing some piece of software. We all know about the "virus scanner" sites that pop up now and again. Trickier are the "open the file in this email and follow instructions" emails.

    Sadly, people aren't trained much beyond the level of "don't click on the wrong link!!" form of security. You're never going to be able to tell people all the latest scams, since there's a new one every day. The best you can do is try to get them to look for the angle. People will respond to this because they can relate to it (a friend of mine calls it "the down home cynicism").

  • RFC 2504 (Score:2, Informative)

    by zentechno (800941)
    An all-too-quick 40 minutes? At a user/usage level? There's a LOT to choose from, but as a great start, try RFC2504. http://www.ietf.org/rfc/rfc2504.txt?number=2504 [ietf.org] Pick and choose as appropriate to your needs. We tried to make it very useful as a reference for the generic user. You can even hand out copies if you like. For a bit more detail, and as a good read in case you get asked some lower-level questions, try RFC 2196, more specifically targeted for IT folks, and "Middle Managers" who have
  • The .GOV.UK approach (Score:3, Informative)

    by Aryeh Goretsky (129230) on Friday September 18, 2009 @01:36AM (#29462869) Homepage
    Hello,

    In the United Kingdom, the Cabinet Office published a short strategy paper on using Twitter. I found it to be quite good, and while it obviously is Twitter-centric, the ideas are applicable to other social networking sites. The document can be downloaded from http://blogs.cabinetoffice.gov.uk/digitalengagement/post/2009/07/21/Template-Twitter-strategy-for-Government-Departments.aspx [cabinetoffice.gov.uk].

    Regards,

    Aryeh Goretsky
  • Terrible idea (Score:5, Insightful)

    by petes_PoV (912422) on Friday September 18, 2009 @03:57AM (#29463589)
    Don't freelance - stick to the topic assigned to you.

    People's time is very, very expensive - just because you've been allotted 40 minutes, doesn't mean you have to use it all up. Say what needs to be said, then stop... Having you rattling on about things you reckon are interesting and that you reckon they don't know about is extremely arrogant. Since it's almost certain that either you, or some other presentation in this "mandatory" session will run over time, why not just finish a few minutes early. THAT ALONE will make people remember your presentation:
    "Oh yeah, he was the guy who actually stopped talking when he'd said all that needed to be said. Jeez, I wish some of the others had done that - now I've wasted a whole afternoon listening to stuff I already knew or that doesn't affect me."
