Increasing Internet security for average users

Security starts with ordinary users

Security Strategies Alert By M. E. Kabay, Network World
May 07, 2009 12:07 AM ET
The long view of security strategies for your network.

Getting users involved in protecting their home systems and those of their families and friends is good for everyone. In that connection, my friend and colleague in the MSIA Program at Norwich University, Adjunct Professor Kip Boyle, wrote to me recently about his new blog and I invited him to share his news with readers of this column. What follows is entirely Kip’s own work with minor edits.

* * *

One day, while working hard as the chief information security officer at an insurance company, I realized that much of our organization's network security was in the hands of ordinary users of our computers. No matter how much my team did to safeguard our customers' confidential data, no matter how much money we spent on our mission, all it would take was one average Internet-using employee to cause major damage, either deliberately or accidentally.

That unhappy thought got me thinking about all the friends and family who have ever asked me to figure out why their computers were so slow or just misbehaving. I thought about all the electronic crud I typically find when I get my hands on their machines. I remembered how it is often impossible to undo the digital damage, which forces a frantic search for software license keys and a reformat of their hard drives. And as for backups, forget it!

In a recent struggle with his malfunctioning computer, one of my friends even spent $40 trying to buy antivirus software from a browser pop-up window. Surely, such an official-looking window could be trusted to deliver some relief? A few minutes later, all he had to show for his effort was a compromised credit card along with more embarrassment and frustration. (For a summary of the fake anti-malware threat, see an article published in December 2008 on ProSecurityZone.)

As the shocked amateurs receive their reformatted systems, I hear the same questions: How did this happen? Where did I go wrong? How can I keep this from happening again? Did anything bad happen to my bank accounts? My friends and family feel vulnerable, embarrassed and mystified.

My team spends time and effort educating our work force and protecting them with many sophisticated and expensive defenses that are usually invisible to them. My organization is meeting its due care obligation, but it is difficult for employees to fully understand and internalize the Internet security issues facing all of us. How can they manage to cope with the range of threats when they do not understand technology well, have no immediate economic incentives, and neither see nor understand all that is done by my team on their behalf?

Indeed, the problem is global. A recent study by (ISC)2 and Infosec Europe 2009 summarized by Warwick Ashford in ComputerWeekly on April 17 reported that “Half of UK security managers are concerned about end-users' lack of security awareness, a survey has revealed. In a poll of more than 700 security professionals, the biggest concerns were a lack of training (48%), an unsupportive company culture (48%), poor employee understanding of policy (46%) and a lack of defined accountability (42%).”

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.
