Make security personal

A significant percentage of cybercrime is actually the fault of the very companies that want to protect themselves. Many companies make timid, awkward and ineffective attempts at teaching their staff about company security policies. This occurs because most corporate security policies are boring, unintelligible tomes. Ergo: No one pays attention to them.

What is the leading cause of cybercrime? Bad guys. How? They take advantage of Microsoft’s security holes. Why? Because they can.

That’s what many people believe. However, a significant percentage of cybercrime is actually the fault of the very companies that want to protect themselves. Many companies make timid, awkward and ineffective attempts at teaching their staff about company security policies. This occurs because most corporate security policies are boring, unintelligible tomes. Ergo: No one pays attention to them.

I spend a lot of time helping companies get their security message across to their employees. But I don’t know of one employee at any company who cares one iota that “our policy is designed to take maximum advantage of our internal IT skills, protect our operating environment and prosecute offenders to the maximum extent of the law.”

Instead, I’ve found that employees care – and listen – if you educate them about protecting themselves from cyberstalkers, their kids from predators and their families from fraud.

Consider the following, gleaned from a variety of authorities, including Gartner, Forrester Research and the Federal Trade Commission:

• Cybercrime costs the global economy $1.6 trillion annually. Six million children have been solicited online for sex in the past year. Which statistic is more important to working moms and dads?

• The indirect losses to a company from intellectual property theft are 10 times as great as the direct loss itself. Every minute 13.3 people have their identity stolen, each taking up to 600 hours and several years to repair. Which figure is more compelling to office workers?

• Eighty-nine percent of all companies have had their Web site hacked. At any one time, 1 million American women are being cyberstalked. Which statistic gets your attention?

• There are 42 million domains on the Internet. The annual U.S. revenue from pornography ($12 billion) is almost twice as big as the combined revenues of ABC, CBS and NBC ($6.2 billion). Which number makes you think twice?

Should workers care that viruses cost industry $55 billion in 2003 (double the amount in 2002) or that a computer virus/worm/spyware in their home computer can lead to instantaneous identity theft? Should we tell workers that the office is a porn-free zone, or that 2.8 billion pornography spam-mails are sent every day, and 80% of 15- to 17-year-olds have had multiple hard-core exposures? While conscientious workers care about how cybercrime affects their companies, they’re more concerned about how it might affect their families

It’s not that corporate users are stupid, lazy slugs who don’t give a rat’s patootie about security policy; it’s that the corporations are putting themselves and their financial interests first (“If we get hacked, we’ll lose money”) and their employees’ second (“There are 100,000 kiddie porn sites out there. Here is how to best protect your family.”). It’s that the typical, straitjacketed approach to security education is dull, uninspired and atavistic at best.

Give your users a chance. Teach them on their terms for once, not yours. Take a lesson from TV and films, and entertain. Most people learn about politics from “The West Wing,” and half the people in the country are now legal and forensics experts because of the “Law & Order” and “CSI” franchises. Use the same techniques to teach security. People are open to ideas presented to them through entertainment, and they are especially interested if it directly affects them.

Make security personal. If your staff learns the ins and outs of making their home computers secure and how to protect themselves from the ravages of the Internet, exploiting that knowledge for the benefit of your company’s security is much easier and more effective.