Security / Privacy Advice? 260
James-NSC writes "My employer is changing its policy towards employee use of social networks. I've been asked to give a 40-minute presentation to the entire company, with attendance mandatory, on the security and privacy concerns relating to social networking. While I was putting it together, I ended up with some miscellaneous information that pertains to security/privacy in general, for example: the emerging ATM skimming (mainly for our European employees), a reminder that email is not private, malware/drive-by in popular search results, etc. Since these topics don't directly relate to the subject I've been asked to address, I've ended up with a section titled 'While I have you...' I'm going to have the mandatory attention of every employee and I thought it would be a great opportunity to give advice on security/privacy issues across the board. As it's an opportunity that one seldom gets, I certainly want to utilize it fullly. If you had the attention of an entire company with employees in the US, UK, Asia, and Australia, what security / privacy advice would you give?"
Mandatory? (Score:5, Insightful)
No, you're going to have the mandatory presence of every employee. And unless you make the talk riveting, every seconds of unnecessary content will make them despise you more.
Re:Mandatory? (Score:5, Insightful)
Re:Mandatory? (Score:5, Funny)
Re: (Score:2)
Re: (Score:2)
Well, most places I've worked out, the talk would be very short.
NO access to social network sites, or IM...they are verboten, and generally blocked at the firewall for security concerns.
You wouldn't need many cookies for that talk..short and to the point.
Re:Mandatory? (Score:5, Insightful)
This is correct.
Present just the information you've been tasked to convey.
Present it in at least 2 different ways.
Take questions.
Summarize once more and let them out early.
Honestly, the more you try to cram in there the less they're going to take away.
Re:Mandatory? (Score:5, Insightful)
Have you ever tried growing tomatoes? It's very difficult because there are lots of things that can go wrong. Bugs, bad soil, wind, even the tomatoes themselves can be too heavy and break off the vine. It's not a matter of planting the seed and then letting it grow. You've got to be involved almost every day to make sure the growth is under control, that the vine is tied where it needs to be, that the plant is properly pruned so that you don't end up with a scraggly set of leaves and scrawny tomatoes. It's a very difficult, but very rewarding activity.
So when you say:
Take questions.
You are wrong.
Ask questions. If you want your audience involved, you need to solicit feedback. You can't expect them to come with any questions, so you need to frame your speech to include questions *to* your audience so that they become part of the program, not just spectators.
Re: (Score:3, Insightful)
I like the idea of asking questions. In the context of the speech the speaker might ask, "When was the last time you were in danger of having your personal information compromised?" He can then go on to offer a couple of examples that illustrate his point of how wide spread the problem is.
Re: (Score:3, Insightful)
Another good question: Who has ever sent and email that they wouldn't want a third party reading?
Re: (Score:2)
Sounds like a good idea to help engage people.
But seriously, "Take questions. You are wrong." Perhaps that was a little strongly worded. I mean, it's hardly controversial to take questions at the end of a presentation.
Re: (Score:2, Interesting)
This is the worst possible advice. It's a presentation, not a seminar. There's nothing more annoying than some blowhard trying desparately to get the audience involved. Present what needs to be presented and be receptive to questions if, when, and as they come. But don't block by trying to dig for responses.
Re: (Score:2)
I would agree. However, I don't agree that these topics can't be worked in, or better, tied in.
How is a social networking site different than hanging out in a bar with your friends? There are risks in both places, but there are similarieties that can be drawn between the risks. Analogy can be drawn between phishing attacks arranged through Social networking sites and ATM skimming.
How do you protect yourself? Similarities there too: Pay attention. Be skeptical. Still, it might not be enough, true in both cas
Re: (Score:2, Insightful)
Boobs. No really. Find a ton of pictures of chicks that they posted and regretted.
Put under it: "Do you want this to be your personal data." On the next slide: "Once it's on the internet. It'll never be off the internet."
Maybe separate presentations based on gender/sexual orientation.
1) Everyone will be captivated.
2) It'll make the point rather clear.
Re:Mandatory? (Score:5, Funny)
3) you will be fired.
Re:Mandatory? (Score:4, Funny)
4) Profit!!!!
Re: (Score:3, Insightful)
The idea for a company security presentation is the opposite of that
4) Loss!.
On a company presentation keep it very straightforward and simply. Advise them of the security problem, highlight the problems it causes and detail to consequences for the employee for failing to adhere to security protocols. Put it in writing, get each employ to pick it up and sign to confirm they acknowledge it's contents and are aware of the consequences, 4) Loss! - it will cost the company money and likely cost the employe
Re:Mandatory? (Score:5, Informative)
Good idea, but you'd have to dial it back a notch for most corporations.
Try these:
MI6 head outed on facebook by his wife, with many details. Viewable by all of the "London" network.
http://www.mailonsunday.co.uk/news/article-1197562/MI6-chief-blows-cover-wifes-Facebook-account-reveals-family-holidays-showbiz-friends-links-David-Irving.html [mailonsunday.co.uk]
Bank intern fired for lying about a family emergency, then pasting party pics of him dressed up as a fairy on facebook:
http://valleywag.gawker.com/tech/your-privacy-is-an-illusion/bank-intern-busted-by-facebook-321802.php [gawker.com]
Another example of being fired for putting dumb stuff on facebook:
http://www.liquidmatrix.org/blog/2009/08/13/social-networking-fail-fail-fail/ [liquidmatrix.org]
Plenty of fail, Safe for work.
Re: (Score:2)
That first case is just yet another example of how much we truly are at the mercy of random assholes hell bent on making trouble for us.
Even if we are perfectly careful and take every precaution, preserving privacy on the internet is a lost cause if someone somewhere wants to expose you.
Case in point:
A friend of mine recently blew one of my aliases and emailed everyone he knew about it, instantly exposing me to ridicule and shame.
Another case in point:
The blogger who got sued and then left alone once she wa
Re: (Score:2)
Separate presentations based on gender (and sexual orientation)?! This isn't 5th grade sex ed. Not only is it insulting for a bunch of adults to be treated that way, it's probably grounds for a gender discrimination and/or sexual harassment suit. In the workplace "separate but equal" is only permitted with toilets.
Re: (Score:2)
Re:Mandatory? (Score:5, Insightful)
>>>every seconds of unnecessary content will make them despise you more.
I love mandatory meetings.
It's a great opportunity to get paid $50 for doing absolutely nothing for an hour. Score!
Re: (Score:3, Insightful)
I really hate doing nothing at work; I'd rather do my job.
Re: (Score:2)
Even better! I get $75 for every hour of overtime, so the more time spent in meetings the more money I get. Last Christmas, due to a rather stupid promise by management to the U.S. government, I had to rush to finish a project in just one week. I worked 80 hours and earned $5000.
Re: (Score:3, Informative)
If you want to point out other security issues, work them into the main topic. "The messages you post on MyFace aren't private... just like your e-mail isn't really private." "Stupid crap that you see advertised on Spacebook can contain viruses... just like random web sites can." "A site that tricks you into thinking it's Twitster can steal your login info... just like a fake ATM can." Etc. That way it's reinforcing the underlying principles, and not looking like an afterthought.
Re: (Score:3, Informative)
Good advice I've gotten for a presentation:
1) Have a point. What is the goal of your presentation? e.g., "I want everyone to walk out of the room knowing that..." try to keep this relatively short, like 3 major, related points. Then focus everything in your presentation around getting across those points. Depending on the type of presentation, I may work the points in to the introduction and the conclusion; but they have to be there implicitly, otherwise your talk will likely just be a bunch of random
Re: (Score:2)
Make it funny (Score:2, Informative)
You don't have to be a comedian, you just need to make sure that your audience is attentive and taking in what you are saying - so - make it funny and have the jokes the things you want people to remember.
that and tell them to be paranoid "if it seems dodgy, it probably is!"
Can't hear you (Score:3, Insightful)
Too busy leaking private info on my crackberry.
krsmav (Score:5, Insightful)
Secure Your Presentation PC/software (Score:5, Funny)
Secure the PC & software you're going to use in the presentation, just to keep pranksters or jealous peers from having fun at your expense. Terribly embarrassing to give a talk on security while boobies are flashing on the screen behind you.
Re: (Score:2)
Secure the PC & software you're going to use in the presentation, just to keep pranksters or jealous peers from having fun at your expense. Terribly embarrassing to give a talk on security while boobies are flashing on the screen behind you.
...but great for getting the audience's attention. Between the "Oooh, Pwnies" commenters, "Hahaha, Boobies" leerers and "Help, I'm being harrassed" brigade (and yes, I expect there will be representatives of all genders and orientations in all three groups if the audience is large enough), it'll *definitely* be *noticed*. Possibly career-limiting, but *definitely* noticed.
Re: (Score:3, Insightful)
mandatory attention (Score:2, Insightful)
Wrong. You are going to have the mandatory presence of every employee, but their attention is something you will have to earn.
One line (Score:5, Funny)
Using social networks in the job? (Score:4, Insightful)
on the security and privacy concerns relating to social networking
I'm a little confused here: are the employees of your company using social network at work?, if so, why on earth don't you block the access to this sites? /. at work
Note to myself: don't use
Re: (Score:3, Insightful)
Maybe they treat their employees like adults and allow them to take breaks at times. Installing an internet filter is almost demeaning. It's kind of like drug testing, in fact. Companies that pull this shit don't believe in evaluating employees based on performance--instead, they really, really want you to follow the rules.
Re: (Score:3, Interesting)
I agree with you to some extent. The place I work is small (somewhere in the 80-100 desktop/laptop range) and did not have any security/internet policies in place whatsoever. We are a subsidiary of a much larger foreign company and they asked us to draft something up. The job fell to me. I considered internet filtering and decided that we should block sites that could possibly cause liability issues for the company. My list? Porn sites, for a few reasons. I figure if someone sees there is the possibil
Re: (Score:2)
Sure you can block the handful of ones that you know about. But if that's all you rely on be prepared for it it to become a game of whack-a-mole, as the number of sites is growing. Do you really want to have to police this? Or would you rather put out a clearly defined policy, show the users you trust them to behave instead of treating them like inmates, and hammer the few folks that are too dense to follow the policy?
Ever heard of "working from home"? (Score:2)
"are the employees of your company using social network at work?, if so, why on earth don't you block the access to this sites?"
You can't block access to these sites for employees that work out of the office.
If the wifi signal from the coffeehouse next door is leaking through your walls, you can't even block access to employees in the office, unless you firewall inside every box, lock down every box, and forbid employees from using their own gear on the premises. Good luck with that.
Unless mind-control tec
IT people get security wrong (Score:5, Insightful)
Educating your users is useful. You'll probably do a good job. Tell them not to download and install anything "fun" for Windows.
I find that IT people get security wrong far more often than users, though I'm used to working with sophisticated users. IT people setup security that's needlessly inconvenient. The users then spend their time circumventing that security to get their work done. Users do things like writing their password down on a post-it, using skype, setting up logmein.com on their PC, or posting a document on a public site. They do this because IT forces elaborate password schemes and won't support remote logins or other external communications.
IT needs to be responsive to user needs for security to work right in an organization.
Re:IT people get security wrong (Score:4, Informative)
How true! IT people seem to think that if you can make security tighter, you must, even where it doesn't make a difference. I once worked at a company where IT had set things up so that you had to log into three different databases to get your work done. Each one required a different ten-character password with at least one uppercase letter, one digit and one punctuation mark, and they all expired after thirty days. Sound good? What would you say if I told you that all three databases were on the local intranet and not accessible from outside of the firewall? There was no telecommuting, so you had to be on-site to reach the servers in question. The only thing IT did with their draconian password policy was make work harder for everybody, but there was no way to make them understand that.
Re: (Score:3, Interesting)
>>>The only thing IT did with their draconian password policy was make work harder for everybody, but there was no way to make them understand that.
Yeah there is.
- "Hello IT."
- "Yes I forgot my password." (i.e. lie)
- "Again? You forgot your password last week too!"
- "Yeah I know but I use three different servers, and your policy makes me have to reset my password about every 10 days. I can't possibly remember all of them when the word keeps changing all the time."
After a couple times of these ca
Re:IT people get security wrong (Score:5, Insightful)
It's not the poor stiff at the helpdesk who sets policy; it's the extraneous middle manager five levels up who doesn't give ${rodent}'s ${anatomical feature} about how difficult it is for the working-class saps, so long as he can tell his SoX auditor that they are abiding by a secure policy. BTDT, got the T-shirt.
Re:IT people get security wrong (Score:5, Funny)
and they expire the account if you don't log in every 30 days. Which you don't if you did it right the first time. Which happened to me yesterday. And cost us 9 hrs of customer visible downtime until the drone in distributed systems management could reset the account. Who was out on a dental appt. Whose backup didn't have a login on the system. Because of an expired account. No shit.
But I rant...
Re: (Score:2)
Our IT would handle this in two ways:
1. Take a variable amount of time and then change the password for you. Continue to do it. Over and over and over and over. Act clueless when ask why they don't just fix the underlying problem. You can login now, what are you complaining about?
or
2. Ignore you.
You can't get your work done? Stop forgetting your password or we'll hire someone with a better memory.
Re: (Score:2)
What a load of crap. In instance number 1. support is not doing their job...
Yeah. Tell me about it.
in instance number 2. your suggesting that a support bitch, or even their manager has control over the hiring process?
No, a guy's manager has control of hiring and bonuses, not "support"? What good is a guy who can't get his work done? What good is a guy who always has one excuse or another why he didn't get his work done?
We just worked around IT and complained. See above where I pointed out that users circumvent security that keeps them from getting their work done.
(Also, this very specific thing with the passwords didn't happen to us. But similar things did with similar IT responses.)
... The guys that aren't good enough to contibute in any meaningful way... their jobs is free up the the real IT talent to do their job.
After ho
Re:IT people get security wrong (Score:5, Insightful)
Alright, the zealot in me just has to step up.
The overwhelming majority of rank-and-file office workers don't even need Windows. Really. They don't.
They need email, web browsing, spreadsheets -- usually nothing particularly demanding -- IM, and not much else. In this day and age of online CRMs and such, most office workers could get away with little more than a browser.
Why are these people even using Windows?
Sure, there are always the accountants who have that Excel macro they wrote eight years ago that absolutely will not translate into Open Office. Fine. And you have those three guys who use specialised CAD software. Great. Those people can use Windows.
But the vast majority of the sales crew, administrative staff, and damn near everyone else, does not need Windows. Why are we pouring such huge amounts of money into this crap?
"But kitten! We have an application written thirty seven billion years ago that only works on IE!"
Great. You can either spend a bit now to rewrite it so it works on any platform, or you can continue to throw thousands of dollars and thousands of manhours, year after year, at the effort of keeping this thing propped up. When are you going to throw in the towel?
"But kitten! The retraining! My team only knows Windows!
No. Your team does not "know" Windows, any more than they "know" engines because they drive a car. They know, by pure memorization, that for email they should click this, for the shared network drive (which they probably call "the office drive") they click that, and for Word they click here. They know how to use a couple of applications but that is not OS-specific. The reality is, if you installed Ubuntu on every one of your sales team's computers, and told them "It's, like, the new Windows Longhorn!", they'd grouse about it for a day and get over it. Your "team" does not "know Winedows". You didn't train them in "Windows", you trained them to know your specific business applications, most of which are online and are therefore OS agnostic.
So you can either throw more and more money and manhours at keeping your staff on Windows because they "know" Windows, but curiously need to be told over and over how not to break Windows by downloading things, and lose hours of time because they effed-up Windows once again and had to wait for IT to re-image the machine...
sigh.
I know, yes, I know, there are always those few sitations where Windows is necessary. And some smartass always has to pipe up with "Well, in MY company we haev this GUY who has a Windows only APPLICATIOn and we couldn't SURVIVE..."
Spare me.
The truth is we -- as an IT professional collective -- throw so, so, so much money and time at keeping the Windows lusers safe. Trying to "educate" them, fruitlessly. Tracking licenses. Buying more upgrades. Making sure to roll out new "virus definitions". Admonishing users time and time and time and time again: "Stop downloading that. Don't install that. Quit forwarding that email. Don't click that for god's sake."
When is it time to stop treating the symptoms? Attack and remove the cause, which is Windows. If Windows is not exactly the cause, per se, it is certainly the enabler.
Please note: Using Linux (or any other OS) will not stop idiots from chattering about private company information in public. But that is a managerial problem, not a technical problem.
Note that using Linux will not stop your idiot employees from naming names on Facebook and Myspace and Diggwoot and Farkmeme. But that is a managerial problem, not a technical problem.
Using Linux WILL prevent your employees from contracting viruses that email random -- often confidential -- documents to random
Re: (Score:2)
not "invariably"
Our managers asked for security. I sincerely doubt they asked for specifically inconvenient security.
While you're at it.. (Score:5, Funny)
explain to them that's MY FREAKIN BACON SANDWICH in the fridge! I had my NAME ON IT!!
Farkin' lunch thieves...
Re: (Score:2)
Pick something poisonous but tasteless. Nothing lethal.
Make sandwich with substance.
Sit and wait.
Re: (Score:3, Funny)
And spend several years in jail for 3rd degree manslaughter. A wiser course is to use something harmless but effective, like laxative or Syrup of ipecac
"Hey John you've been disappearing a lot. Are you sick?"
"Yeah man... I threw up."
"Huh. Hey did you happen to see what happened to my sandwich? Some fool ate it. I'm glad I'm not him because it's a week old."
Re: (Score:2)
What part of 'nothing lethal' did you miss?
Just a poison that makes them sick, I'd consider syrup of ipecac a poison.
Re: (Score:2)
Re: (Score:3, Insightful)
Better yet, put a teaspoon of methylene blue in a 1- or 2-litre bottle of coke or pepsi.
Let suspect drink it.
Let them get all alarmed the next day because they're peeing green or purple.
Just a couple of drops in a glass does the job.
Re: (Score:2)
I CAN HAZ BACON? http://www.royalbaconsociety.com/blog/funny-bacon/i-can-haz-a-bacon/ [royalbaconsociety.com]
Advise them on corporate espionage... (Score:2, Funny)
Tell them how to look out for individuals within the company that may be involved in corporate espionage and point out key characteristics of suspects:
Unexplained Affluence - they have more money than you would expect from their job/life.
Undue Interest - they show up in your department asking questions but have no work-related purpose.
Affiliation - they express low affiliation with the company, or high affiliation with other interests.
Work Issues - they are not happy with their work or feel that they have n
Don't forget "porn name" meme... (Score:3, Insightful)
Yes, I'm serious.. you forgot the biggest one.. the whole "porn name" meme.
You know these ones - they're very popular on social sites.. they ask you to post your mother's maiden name with the street you lived on, or your favourite pet with your first crush's last name, etc..
Think about the "lost password" questions most websites use... what do they ask?
Cutting off social networking? (Score:5, Insightful)
My employer is changing its policy towards employee use of social networks. I've been asked to give a 40-minute presentation to the entire company, with attendance mandatory, on the security and privacy concerns relating to social networking.
Correct me if I'm wrong but that just sounds to me like your employer is going to start blocking Facebook, Myspace, Youtube, private email, and possibly everything else your filtering software classifies as social networking. Or at least a prelude to this.
If I'm right, the only opportunity you're being given here is to become the public face of a very unpopular move. Adding a lecture on security to this will only irritate people who'll be thinking "Well it's not going to matter anyway once it's blocked". It's going to be very difficult to come across as anything but condescending. People are quite likely to associate the decision with you personally. Your aim should be to stay brief and informative, not to "utilize" the opportunity, because it's an opportunity for social suicide. Ideally this should have been undertaken by email, been short and been to the point.
Re: (Score:2)
Puts already blocked all that. No complaints. Ya should be working not socializing anyway.
Re: (Score:2)
Henry Ford called, he wants his Scientific Management textbook back.
A happy employee is a productive employee. Modern management is about making employees feel valued and trusted. They do their job because they get satisfaction out of it, not because someone is behind them cracking the whip.
Banning social networking sites is the exact opposite of what you need to do. You should be encouraging your employees to have fun at work while showering praise on their work. Yes, saying "thank you for doing your j
Re: (Score:3, Insightful)
Don't blame Henry. He was part of the deal, but he was just doing what that fascist Taylor said to do. Taylorism needs to be obliterated.
Re: (Score:2)
Puts already blocked all that. No complaints. Ya should be working not socializing anyway.
Spoken like a fool that thinks working means talking to a machine and not to other human beings. You shouldn't be spending excessive time on personal communication BUT that does not mean you don't talk to people and social networks CAN be a good way to do it under the right set of circumstances. If you need to treat your employees like thieves that will take every opportunity to slack off you have MUCH bigger problems
Why would you call a meeting for that. (Score:2)
Brilliant. (Score:2)
I used to work for a Fortune 10 company. They did surveys to see where we could improve internally. When the results were released, management would create (or pay to have made) an 8 hour training session. At the end, they would explain what happened. We complained, and were punished. They would report the training was a success and that if we complained again next year, we'd take the *same* course. Another 8 hours of mandatory non-work.
They would solicit for people to help drive the training sessions
Re: (Score:2)
At the end, they would explain what happened. We complained, and were punished. They would report the training was a success and that if we complained again next year, we'd take the *same* course. Another 8 hours of mandatory non-work.
If you're going to have your time wasted, why care that it's the same 8 hour training session. In fact since you're getting nothing from it the consistency means you can slack off and still answer questions about the training. I'd say complain away.
Familiarity Breeds Contempt... (Score:2)
or at least mind-numbing forgetfulness.
Use of the Internet should generally be remembered to be nonsecure and suspect.
Lots of people will forget, because they are tired, pushed, harangued, or pissed off at their boss or coworkers.
Trying to instill constant vigilant attitudes will be REAL tough.
Maybe Browser pop-ups reminding employees of the latest intrusion or hazard of the day is not so bad as a reminder. (Please no bricks) If I was to design a popup, it would be a one liner with a link for more info. an
Back it up with a little detail helps. (Score:5, Interesting)
Everyone knows you need a secure password. Now show them the log of the 3k connection attempts to the SSH port that occurred overnight.
Unknown Entries:
authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.46.49.199 : 2366 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.205.44 user=root : 364 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=140.116.236.46 user=root : 80 Time(s)
authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.205.44 : 73 Time(s)
Maybe ask permission to do a live demonstration of a password cracking tool. See how many passwords you can get in 2 minutes. This may be dangerous though, hide the results, just show the usernames, you don't want to find out who is using the CEO's wife's name as a password.
Really get their attention with some specifics like that.
Re:Back it up with a little detail helps. (Score:5, Insightful)
You really think that secretaries and accountants and HR reps, who are being forced to sit through a "don't put stupid shit on Facebook because it reflects badly on us" or "don't Twitter about company business or you'll get fired" presentation would understand or care about brute force ssh attacks?
Everyone is being told, "This discussion of social networking and how to protect yourself and the company is mandatory." Don't waste their time with things that they won't understand and are totally off-topic.
Re: (Score:2)
Of course they don't care. That's the point of making a presentation. Do it well, and you can make them interested enough to not be belligerent to policy. They can't know about the strangers in the ethers alway
Re: (Score:2)
I've shown people these kinds of logs in real time. It does get a message across, though it's not clear whether the effect lasted.
So to get a real improvement, show them those logs and then give them practical advice on using a good password management system.
Re: (Score:2)
Maybe ask permission [(presumably from management)]... hide the results, just show the usernames,
He might get sued for that.
Sued for what? I see no grounds here. The company can't sue if permission is given. The individual can't sue if the password isn't made known (and slander/libel only sticks if what's said/written is not true). The employee ought not be able to sue even if the password was made known, but that might start getting a little fuzzy (depending on the judge and local law).
I'd recommend writing a script that displays the actual name behind the account, and flags the account for a password change (or "usermod -L
STOP CLICKING RANDOM LINKS (Score:2)
Like the animal kingdom, if it looks interesting and has lots of bright colors, it is probably deadly. Stay away.
Don't post anything online that you wouldn't want your grandmother, pastor and organized criminals to see. Or, don't post anything that shows anything you wouldn't want your pre-teen daughter to be doing.
Terms of service change on a whim. There is no such thing as online privacy. The internet never forgets. Don't trust the delete key. Don't say in e-mail what you wouldn't be willing to say
Re: (Score:3, Insightful)
Don't use your internal password for anything external, like your hotmail account.
If you need to share your data with co-workers don't give them your password so they can log in and do it.
If in doubt, don't.
BCC (Score:3, Informative)
Learn what BCC is in e-mail. Never use multiple TO or CC to anyone outside the company, as it can expose a great deal of internal e-mail addresses.
I can't count the number of people in or out of work that I've told to use BCC. They just don't get the concept. even after explaining it. If you have more than, let's say, about 5 address on an email, they really should all go in the BCC field. (Many emails with more than 2 should BCC as well. Depends on context.) If you put more than one address in the "To" field, you should stop and consider for a brief moment.
Sorry. End rant. (preaching... choir... yup...)
Supplemental materials (Score:2, Insightful)
KISS (Score:2, Informative)
Keep it short, keep it simple. And don't stray off the topic. And you might want to have a handout of the key points.
Don't. (Score:2)
Nothing says Commitment to Quality like deciding that 40 minutes is the right length of time for an important lesson, then assigning someone else to creating the lesson content.
As others have noted, people are already going to be surly about a mandatory meeting. For those people who actually use social networks, they're going to be surly about whatever restrictions your company has decided on. You can buy a bit of forgiveness by letting them out early. It might seem like you're passing on a golden opp
If you (Score:3, Funny)
Will you share a copy of the presentation? (Score:2, Interesting)
What's the change in policy ? (Score:2, Interesting)
What's the actual change in policy that's the main target of your talk ? If you're just going to tell them that "you can't hit Facebook from work anymore" or "If you ever blog about the company we'll fire you" then you will have lost your audience already. Anything else you tell them may even be counter productive because it will be associated with the main negative message you just delivered.
In fact, along the same lines, if someone else decided this policy change (which i'm assuming is not "employee
Get Security/Legal/HR buy in (Score:3, Insightful)
Are you part of the security team? If not, perhaps this is more the domain of your security guys than yourself. I'd also get the buy in of HR. As with most policy changes (especially ones with a reprimand) you gotta make sure HR is on side. Legal for good measure too - ie are you asking something which is illegal of the employee? I know its a stretch, but CYA.
Will you tell them the truth? (Score:3, Interesting)
Will you tell them that although no one in IT has the time to monitor email, if an employee pisses off someone in management or HR enough that they become the target of an "investigation", then every stupid little email where an f-bomb was dropped between friends or the hot chicks ta-tas are discussed will suddenly be used as "evidence" of violation of corporate policy and they will be terminated?
Not that it's happened to me - I'm just sayin'...
And another thing (Score:2)
Advice (Score:5, Interesting)
I gave a similar presentation to a smaller group. My advice would be to do a live demonstration on the actual information that one can get from a social networking site. For example, I pulled someones information from the social networking site, googled them using stuff I learned about them from facebook, found their email address, home address, and phone number. Using this information I was able to find out friends and family members of theirs, including photos etc. I also found their myspace page and looked up other social networking, dating, etc. sites. Off of other social networking sites, I started to build a profile in my talk about what type of person this was and also talked about additional things I might be able to gather, if I had malicious intent.
I used this talk as a means to introduce other security related issues such as email encryption, etc. I did not go into any details of those things, but I did introduce them and asked if they would be interested in learning a little more about those topics. People overwhelmingly asked me to do another series of small presentations on additional security topics, as many were shocked at how much information I was able to gather.
Don't put too much on your plate as it will be difficult to focus on your main task and it might not go over too well. Security is a huge issue and every topic cannot be done justice in one presentation. However, if you do your main presentation right, you can get people interested in how it really impacts them.
I hope this helps out a little. Good luck!
None And Then Some (Score:3, Interesting)
"If you had the attention of an entire company...."
I'd tell them I have put together a collection of security/privacy related issues that may or may not relate to things at work but definitely relate to their personal life computer use. But rather than take up more of more of their time by covering it here and now, I'm going to offer to send it to anyone who wants it. They can request a copy by emailing me at username at domain dot top. Thank you, and have a nice period of planetary rotation.
The bosses will be impressed with the extra work you did and with the fact you let them all get back to work as soon as possible. Everybody will be happy you let them go rather than keep them in the meeting longer. That will improve the probabilities that they'll (1) ask for the supplement and (2) use it, plus (3) remember and use the stuff the company wanted put together. That'll get you a reputation as the IT guy that's tech smart as well as management smart, something that could go a long way towards improving your 'situation'. At least it could go this way, and knowing that before the fact you could use it to your advantage. For instance: convert the supplementary material to a slide show presentation; tell the bosses now that you have put together and are going to offer the extra material, but only as a freebie sent out upon request rather than take up more of the company's valuable time; and just generally present yourself as confident in your technical and managerial skills, both of which you apply for the good of the company, etc., etc.
In other words, don't just give it, use it.
KISS (Score:2)
Resist the temptation. It's always a bad idea. That's why you seldom get the opportunity.
Do not move data if you do not have to (Score:2)
Don't Give Advice (Score:5, Insightful)
If it's not *specific* company policy, then don't say a word.
1. Because no good deed goes unpunished.
2. Humans are incredibly stubborn. Informing them of risks with almost no career consequences AND they'll probably do anyway will be mostly wasted breath.
3. Sharing remotely related information is not the purpose of the meeting. I have an idea, have the meeting finish on time or early. Incredible, right? It's amazing what happens when people respect the boundaries established by the meeting time.
I would take the advice and put it on paper, (no corporate letterhead) and call it 'helpful information.' End the meeting by announcing it as a 'bonus gift!' Interested people will take one. Publish a PDF for the international people.
Briefly... (Score:3, Interesting)
Put nothing on-line you wouldn't yell on a street corner.
the real threats (Score:2)
Golden Rule of the Internet (Score:2)
Presentation Tip (Score:3, Insightful)
Most people will remember only the first 2-3 minutes and the last 2-3 minutes. The 35 minutes in the middle will become a muddled blur. So make sure you put your most important tips at either end.
Be Skeptical. (Score:3, Insightful)
There's two kinds of people in the world: Carnies and Rubes. Carnies are the people that are skeptical and always looking for the angle. The rubes are the people who see everything at face value.
Privacy and security really aren't a lot more than trying to not be a rube. The carnies try to trick the rubes into giving away information, or taking over their computer by installing some piece of software. We all know about the "virus scanner" sites that pop up now and again. Tricker are the "open the file in this email and follow instructions" email.
Sadly, people aren't trained much beyond the level of "don't click on the wrong link!!" form of security. You're never going to be able to tell people all the latest scams, since there's a new one every day. The best you can do is try to get them to look for the angle. People will respond to this because they can relate to it (a friend of mine calls it "the down home cynicism".
Re: (Score:2)
Also, carnies have small hands and smell like cabbage.
RFC 2504 (Score:2, Informative)
The Most Important Security Information Possible: (Score:2)
The .GOV.UK approach (Score:3, Informative)
In the United Kingdom, the Cabinet Office published a short strategy paper on using Twitter. I found it to be quite good, and while it obviously is Twitter-centric, the ideas are applicable to a other social networking sites. The document can be downloaded from http://blogs.cabinetoffice.gov.uk/digitalengagement/post/2009/07/21/Template-Twitter-strategy-for-Government-Departments.aspx
Regards,
Aryeh Goretsky
Terrible idea (Score:5, Insightful)
People's time is very, very expensive - just because you've be alloted 40 minutes, doesn't mean you have to use it all up. Say what needs to be said, then stop... Having you rattling on about things you reckon are interesting and that you reckon they don't know about is extremely arrogant. Since it's almost certain that either you, or some other presentation in this "mandatory" session will run over time, why not just finish a few minutes early. THAT ALONE will make people remember your presentation:
Oh yeah, he was the guy who actually stopped talking when he'd said all that needed to be said. Jeez, I wish some of the others had done that - now I've wasted a whole afternoon listening to stuff I already knew or that doesn't affect me."
Re: (Score:3, Insightful)
Translated into /. language: Either operate exclusively through a watertight alias (use a proxy, don't share photos of you groping the office slapper at the Christmas party, don't engage in identifying talk), or just assume that everything you say and do on social networks will be cc'ed to your boss(es), appended to your CVs for the next 50 years and plastered all over your cubicle walls.
Railing on Rails? (Score:2)
Many free websites, including social networking websites, use Ruby On Rails as a backend, which has been shown to facilitate the spread of viruses.
Link please. (not that I use Ruby)
If true, people deserve to know. If you're just spouting off libel (as AC), stop now. There is no true anonymity online. You'll run out of it sooner or later.
In other words: put up, or shut up.
According to Symantec, there has been skyrocketing rates of virus infections ever since websites like MySpace became popular.
This I'll believe (due to cross site scripting, etc). Many sites are guilty of such, but was this meant as a non-sequitur attack on Rails? (It sounds like it... despicable.)