Saturday, October 17, 2020

Old school security awareness, a blast from the digital past (Cybersecurity Awareness Month, Day 17)


Why use an image of people being cyber-smart on their phones today, day 17 of Cybersecurity Awareness Month? Because it occurred to me this morning that I got into computer-related security awareness before the general public started using computers as phones (or phones as computers). 

In fact, this article is essentially a reprint of some basic computer security advice that first appeared in print nearly 30 years ago. (It lives on in my old security book, a free PDF version of which is available, in three parts, on this blog—the links are near the top right of the page you are now reading. I keep this available as an historical artifact because...well, you know what they say about those who don't learn from history: they may decide to go back and read it some day.) 

What follows, all the way to the last few lines of the article, was written way back in the first half of the 1990s:

You might be surprised to see people at the top of the personal computer security agenda. After all, we are talking high-tech problems here. However, security also is a people problem. Computers are a human invention, and if they don't work properly, it is humans who get hurt, sometimes financially, sometimes even physically.  

For the most part, the impediments to successful computing are human in nature, and not technical. If everybody woke up tomorrow thinking that it was wrong to mess with other people's information, then the next edition of this book would have fewer pages and sell fewer copies. Until this happens, the sad fact is that effective implementation of personal computer security requires you to take a dim view of human nature.  

Of course, it is not the purpose of this text to determine whether people are essentially good or evil. However, we can state categorically that human beings are, to varying degrees, devious, grasping, and downright rotten. To secure yourself and your organization against such character traits, you must be prepared to think like your adversary and realize that sometimes he or she is a miserable specimen (there are times when the expert in personal computer security is sorely tempted to agree with Sartre when he said "Hell is other people.")  

People might be your biggest risk, but they also are your best resource. Successful personal computer security depends upon good people more than anything else. If you have motivated, diligent, and careful people working with you, then a greater degree of security can be obtained and with less hassle. Without the cooperation of the people involved, even the most sophisticated security devices will fail. With cooperation, high levels of security can be obtained without recourse to expensive equipment. 

What is clear from experience is that both management and employees have security responsibilities. Working together, they can be very effective in protecting the company's computer resources. The British Government's 1993 Audit Commission report on computer abuse noted several areas of management responsibility:

  • The chief executive and management board must be determined to instill an awareness of the importance of computer security and be prepared to act when breaches occur. 
  • Line management in user departments must ensure that access to facilities complies with the organization's standards. 
  • IT management must assist in defining cost-effective controls that protect the data that it is holding and processing on behalf of others. It should educate users in the need for controls over computerized data. 

The same report identifies one other key element within management: internal auditors. They have a responsibility "to test and advise on the adequacy of security and controls...bring to management's attention any shortcomings...and emphasize the risks of all forms of computer abuse." 

The following are six quick and relatively immediate steps that management can take to improve information security: 

Step 1. Post security rules. Write up a basic list of rules that users should follow to preserve security. Display them prominently. Issue a memo to each employee that states the same rules in a form that can be kept handy. Consider posting a copy of the rules on each personal computer. 

Step 2. Announce computer security enforcement. Let people know that compliance with the security rules will be checked and considered part of job performance.

Step 3. Announce computer security incentives. Let employees know that compliance will be rewarded. Remember that people who breach security have an incentive to do so, even if it is just boredom.

Step 4. Open a computer security hotline. Let people know where they can get advice on security issues and give anonymous tips about security violations or suspicious activity.

Step 5. Issue computer security alerts. These can highlight specific weaknesses that have come to management's attention and stress the ongoing need for vigilance in maintaining security. In some cases, you might want to issue alerts in response to news items involving security breaches, but beware of giving employees specific details.

Step 6. Appoint a computer security officer. This raises awareness of the issue and sends a clear message about the organization's commitment to security. You don't have to hire a new employee for this position, but you do need to back the person you appoint with the appropriate resources and authority.

These steps are just a starting point. They are not meant as a substitute for an in-depth risk analysis, security policy promulgation, and implementation program (these items are covered in the next chapter). The idea is to make big strides towards raising security awareness without spending a whole lot of money or scheduling a lifetime's worth of meetings. While these steps might sound like token gestures, they nevertheless can be very effective. For more detailed discussion about the human factors in computer security, see chapter 14, which suggests ways to improve security through a variety of personnel management tactics. 

Here is a sample set of security rules:

ALWAYS:

1. Back up important data files.
2. Use your access password.
3. Use screen saver and keyboard lock.
4. Label all media and lock them up.
5. Check the ID of outsiders using PCs.
6. Report suspicious activity.
7. Scan floppy disks for viruses.
8. Log off unattended workstations.
9. Protect keys and passwords.
10. Assume someone somewhere is interested in stealing, damaging, or destroying your data and equipment.

NEVER:

1. Use obvious passwords, such as your name.
2. Write down, or be seen entering, passwords.
3. Share or reveal passwords.
4. Use the same password for different systems.
5. Boot a PC with a floppy disk in drive A.
6. Install unlicensed software.
7. Make unauthorized copies of software.
8. Leave unprotected modems in answer mode.
9. Leave unlocked computers unattended.
10. Assume that nobody is interested in stealing, damaging, or destroying your data and equipment.

As you can see, that's quite a mix of the still relevant and the not-so-relevant, but it underlines the fact that educating people to exercise care and follow some basic rules when using computers has always been a thing, and in my opinion, a very important thing.

So remember: ALWAYS do your part, and NEVER forget to #BeCyberSmart.
