By Jonathan Yarden
Because of my experience, groups frequently ask me to be a guest speaker about security issues. In most cases, however, the majority of the audience is already painfully aware of the immense challenges presented by Internet and information security.
That means that many of my presentations amount to nothing more than "preaching to the choir" about current security issues. And while I enjoy participating, reminding people to click the Windows Update menu item in Internet Explorer each week isn't even a mildly interesting topic for most IT professionals, and neither is my suggestion to use free antivirus software.
I've said it before, and I'll say it again: The horrible state of Internet security is due to an epidemic of ignorance. But companies can't just sit back and accept this lack of knowledge. Let's look at some simple steps your organization can take to dispel this ignorance.
Ignorance is not bliss
One of the most prevalent problems with security is that most users are completely unaware of the risks of insecurity. And this problem will not fix itself.
It's a simple fact that most people who use a computer have little understanding of—nor are they interested in learning—the details of how their computer works. In fact, I would argue that the only time most people become interested in the operation of their computer system is when it stops working.
Developing end-user education opportunities in the corporate environment—and encouraging employees to attend them—is one way for companies to diminish computer illiteracy. Providing incentives for attending classes and for keeping a computer updated and virus-free are additional options to consider.
Helping those who help themselves
Those of us who are computer-savvy enough to install and update antivirus software and click Windows Update each week aren't doing enough to help ourselves. Even if they're not in an official support position, I bet the majority of readers have found themselves helping coworkers, family, and friends fix something on their computer or helping them recover from a virus or worm.
The old saying about teaching a man to fish has never been more valid. Helping one person and telling him or her to pass along the knowledge you shared does more in the long run to improve Internet security overall.
Consider setting up an informal mentoring program to encourage more computer-savvy employees to share their knowledge with their coworkers. Setting up a bulletin board for posting tips and hosting a lunchtime training session about security are also low-maintenance ways your organization can promote security awareness.
Focus on your users
We are all aware of the current security problems wreaking havoc. However, while IT pros often enjoy discussing the various security challenges, these conversations do nothing to educate the average user.
The average user uses Microsoft Windows, and Windows is where the battle against insecurity and ignorance needs to start. The sheer extent of the threat to the Internet from insecure computer systems using Windows justifies taking the time to educate as many people as possible about how to secure their systems.
Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.