How to keep your flock of users secure: Let them know exactly who and where the wolves are

When it comes to getting your users up to speed with cyber-security, the best approach is to give it to them straight. Practicalities over jargon. Explain the consequences of not securing their stuff. Specific examples of threats are very persuasive, rather than simply insisting people enable a firewall and malware scanner, …

  1. jake Silver badge

    Sorry, Doctor Rader.

    That doesn't work. As soon as you mention the word "security", TheGreatUnwashed's brains go into overload and shutdown.

    The best you can do is install secure software, and keep it as up to date as possible. Anything that requires end-user intervention is a lost cause.

  2. Headley_Grange Silver badge

    No Comeback

    One reason that some organizations don't take security seriously might be that there's no sanction if they feck it up. GDPR covers misuse of personal data, but is weak on security. I recently opened an account with a company so I could buy something and they immediately sent me back my new account number and password in plain text. I contacted the ICO who just referred me to their manual of best practice which points out that hashing is recommended. However, the ICO has no power to force companies to use hashing, or anything else.

    Introduce a mandatory security standard and criminal convictions for directors when they don't do it properly. Take seriously their "we value your personal data" statements by putting a monetary value on my personal data and allow me to sue for it and consequential damages when their systems are compromised. Then watch them rush to introduce nFA.

    The main problem with this is, as Jake points out above, the bloody user, who wants to keep the same password for all accounts to make life a bit easier.
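As an added example, not part of Headley_Grange's comment or any regulator's guidance: this is what "hashing is recommended" looks like in practice, and why a site that does it cannot e-mail your password back. The record format (`pbkdf2_sha256$iterations$salt$digest`), the iteration count and the reset-token helper are choices made for this illustration, not a named library's API; only the standard library is used.

```python
import hashlib
import hmac
import secrets

# Parameters chosen for this example; raise ITERATIONS as hardware allows.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, *, iterations: int = ITERATIONS) -> str:
    """Return a storable record: algorithm, iteration count, salt and digest.

    The plaintext is never stored. Each call draws a fresh random salt, so two
    users with the same password get different records.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record, e.g. a legacy plaintext entry
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def issue_reset_token() -> str:
    """What a site can e-mail instead of a password: a random, single-use token.

    The site stores a hash of this token with an expiry and lets the user pick a
    new password; the old password is unrecoverable from the record above.
    """
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("right password accepted:", verify_password("correct horse battery staple", record))
    print("wrong password rejected:", not verify_password("wrong", record))
    print("reset token to e-mail:", issue_reset_token())
```

The point for the ICO-style complaint in the comment: a site holding only such records can verify a login but has nothing to put in a welcome e-mail except a reset link, so "we sent you your password in plain text" is direct evidence that the password is stored reversibly or not hashed at all.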

    1. Charles 9 Silver badge

      Re: No Comeback

      The big big problem is that Joe Public has Other Things to Worry About, usually including things that can (outright) KILL them (such as work hazards). In the bigger picture, Internet security doesn't register.

      1. jake Silver badge

        Re: No Comeback

        Oh, c'mon, Chuck. Joe Q. Public doesn't even think twice about things that will kill him ... Just watch him, as he lights a cigarette getting into his car at closing time after six pints, in search of his favorite Salt&FatSurprise at the all-night takeaway across town ... on bald tires and bad brakes in the rain with worn wipers, a broken headlight and/or dead tail lights ... Internet Security to these people is one more thing that's ignored as "too complicated". It's as simple as that.

        1. Anonymous Coward

          Re: No Comeback

          @Jake - my mum goes round the house every night before she goes to bed and turns off everything at the plug because she's terrified of the electric burning the house down. Her internet security consists of writing her passwords down in a little red memo book by the side of the Mac with the passwords encoded by a cunning* technique of her own devising.

          *it's not that cunning.

    2. Anonymous Coward Silver badge
      Alert

      Re: No Comeback

      Allowing people to sue and/or fines won't achieve what you expect.

      It'll simply lead to a higher rate of companies being declared bankrupt.

      Big companies will undoubtedly set up a plethora of small companies that you 'actually' do business with so that they can be wound-up as needed.

      1. Headley_Grange Silver badge

        Re: No Comeback

        "Big companies will undoubtedly set up a plethora of small companies that you 'actually' do business with so that they can be wound-up as needed."

        Maybe - but it hasn't happened with GDPR. Some US websites are no longer viewable in the EU, but I haven't heard of anyone setting up a corporate structure to evade GDPR - which doesn't mean it isn't happening, of course.

        1. Charles 9 Silver badge

          Re: No Comeback

          You just don't KNOW about them yet. They're either in progress or already well-hidden. Plus, if the cost to comply is more than what they'll get out of the EU, they could always pull up stakes and leave. That's always the risk with countries imposing regulations. They usually aren't as indispensable as they make themselves out to be, and few things sharpen a country's focus like a threat to take their tax money elsewhere.

    3. Charlie Clark Silver badge

      Re: No Comeback

      GDPR isn't intended to cover security directly but it does by implication and extension. It is mainly concerned with what data is collected and who has access to it, which is where anonymisation and encryption come in. Wisely as a regulation it does not mandate particular technical approaches because these become outdated so quickly.

      1. jake Silver badge

        Re: No Comeback

        "Wisely as a regulation it does not mandate particular technical approaches because these become outdated so quickly."

        Since when did any official give a rat's ass about not mandating something "because it'll soon be outdated"? You've obviously not spent much time browsing odd&outdated legislation. There are some real doozies out there, if you just look.

        Gut feeling is that it wasn't mandated simply because they didn't know any technical approaches.

        1. Charlie Clark Silver badge

          Re: No Comeback

          In general, I'd agree with you, particularly anything based on the kind of kneejerk reactions that cause politicians to draft something.

          Through work I'm probably more familiar with GDPR than most, though this doesn't make me an expert. GDPR didn't start from scratch but was based on existing (largely pre-internet) legislation and data commissioners were actively consulted during its drafting. The European Commission takes a lot of (uninformed) stick for the regulations it drafts but they are often subsequently good enough to be adopted by others with minimal modifications. Hence, it's no coincidence that California's draft data privacy law is heavily based on GDPR.

  3. Will Godfrey Silver badge
    Unhappy

    It will never happen to me

    That is the biggest hurdle to overcome.

    1. Charlie Clark Silver badge

      Re: It will never happen to me

      That and, it won't happen to me today, as the warnings on cigarette packages demonstrate. Humans have innate problems with deferred rewards or punishments.

  4. 0laf Silver badge
    Unhappy

    I suspect that when cyber security comes up most people find it so boring that it's actually painful for them to think about. I find the same with financial advice. I understand it's important, I understand I need to know but it's so horrifically complex and dull that I have to put in a huge amount of effort to learn anything.

    I find people do want to know about security. They don't want to lose money, get in trouble at work or have the problems of fixing an infected computer but neither do they want to read dry text on the subject.

    They probably would like to be spoken to and told a few stories to lead them the right way and have an opportunity to ask questions, but they are unlikely to be released from their overworked desk slave jobs to do this. It'll always be done as elearning in their own time.

    1. veti Silver badge

      Financial advice, I am convinced, is obfuscated on purpose. It's job security for the whole industry of financial planners and fund managers, none of whom are doing anything you couldn't easily do for yourself if only you could bring yourself to learn what it is.

      IT security is probably often in the same boat. It's really not that hard, but if users realise that, sysadmins will lose a portion of their power.

  5. Anonymous Coward

    Education through the medium of music.

    We'll be one happy neighbourhood

    Spread out across the world

    Who's going to stop that burglar

    From breaking in my house

    If he lives that far away

  6. Primus Secundus Tertius Silver badge

    Ought to just work

    When we buy a car, we expect it to just work. Computers should be the same.

    Except that the modern car is an internet on wheels. I wonder what will force cars to become extinct: pseudoscientific anti-petrol climate change fearmongering, or awful in-car software designed by accountants.

    Nobody seems to check their work nowadays.

    1. jake Silver badge

      Re: Ought to just work

      No. A computer is a general purpose device that can be told (programmed) to cover many diverse tasks, singularly and in any combination. An automobile is a single purpose device that exists only to transport a driver (and perhaps passengers) from point A to point B. As a result, there is far more to go wrong with a computer than with an automobile. Several orders of magnitude more.

      1. Charles 9 Silver badge

        Re: Ought to just work

        You mean from nigh-ANY point A to nigh-ANY point B. That makes it broader than you think, unlike say a train (fixed points versus arbitrary ones). Heck, depending on the vehicle, it need not drive on a road. PLUS, it's a primarily-MECHANICAL implement, which usually means more chances for Murphy to strike (thus rust versus flash drives).

    2. Solarflare

      Re: Ought to just work

      pseudoscientific anti-petrol climate change fearmongering

      ...what?

  7. Anonymous Coward

    YOU ARE KIDDING, surely?

    Quote: "Letting netizens know how and who their data can be collected by will make them more engaged..."

    YOU ARE KIDDING, surely? We've had Edward Snowden, umpteen Facebook scandals, umpteen Google scandals, umpteen Amazon Alexa scandals, umpteen retail scandals (TJMAXX, Equifax, etc etc).....

    .....and no one out there gives a flying f*ck about any of that.

    All that matters is "convenience", ease of use, "friends" only a click away............

    Privacy, security......someone else's problem!

    1. Charles 9 Silver badge

      Re: YOU ARE KIDDING, surely?

      Put mildly, unless lack of security KILLS someone (or raises that specter by say putting an entire nation under immediate existential threat), no one's going to really pay attention. Think about car safety features and when people really started paying attention to them.

    2. Throatwarbler Mangrove Silver badge
      Holmes

      Re: YOU ARE KIDDING, surely?

      None of what you mention has had any practical effect on most people. Go ahead, point to one, single concrete effect on large numbers of people. A theoretical loss of privacy does not, in itself, count, since it doesn't have a noticeable effect on most people's day to day existence. Having your bank account pillaged does, having your identity stolen does; Facebook knowing what you ate for breakfast does not, for most people.

      You can call them stupid all you like, but it's possible that their priorities are just different from yours.

  8. Reeder

    So how do we secure our...home network, phone (any), personal details....?

    My biggest complaint is about home network security....I see tons of articles stating that home users should secure their home networks, secure their IoT devices, set up their TVs on separate networks...I could go on but you get the idea....And nowhere is there an easy guide on how to do it. I perform google searches on these terms and either the search returns generic, high level statements or someone ranting on about how one way is better than another, but still with few details.

    Eyes glaze over when you talk about details...I like the one comment - when you buy a car you expect it to work... You have a key to start it, you have a lock to lock it. You put in gas (and oil) to make it go.

    I've seen home networks set up by supposed experts at big brand stores who have actually changed WPA2 AES security to WPS because it was "easier for the user". Threat vectors, firewall rules, separate networks, VPNs, SSID, DHCP all sound great but few home users know what to actually do to implement security for those terms. The best example I have come across was a neighbor who proudly told me he had purchased a router through his ISP and the customer support/service rep who had enabled the firewall on the device. He asked me to check the settings. The product rules were set to "allow all" with a SSID broadcasting the customer's name and with PING, Telnet, SSH, UPnP enabled, and remote access enabled for the ISP.

    1. Charles 9 Silver badge

      Re: So how do we secure our...home network, phone (any), personal details....?

      Well, nigh all the points make sense, but the SSID broadcast is the lesser of two evils. Hidden SSIDs can usually be gleaned from scanning the client devices in their power-up phases (when they're seeking SSIDs--known issue).
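As an added example, not posted by Reeder, Charles 9 or any router vendor: the settings Reeder lists (allow-all firewall, SSID naming the subscriber, ping/Telnet/SSH/UPnP answering on the WAN side, remote access for the ISP, WPS left on) can be turned into a checklist that a script audits mechanically. The config schema below (`owner_name`, `wifi.*`, `firewall.*`, `remote_management.*`) is invented for this illustration, as are the two sample configs; a real router exports its settings in its own format and would need a small adapter. It also carries Charles 9's point: a hidden SSID is reported as informational, not as a control.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium", "low" or "info"
    setting: str    # dotted path into the config dict
    message: str


# Wi-Fi modes accepted as adequate; anything else (open, WEP, WPA-TKIP) is flagged.
ACCEPTED_WIFI_MODES = {"WPA2-AES", "WPA3-SAE", "WPA2/WPA3"}

# Services that should not answer on the WAN side of a home router, with a severity.
WAN_SERVICES_TO_CLOSE = {"telnet": "high", "ssh": "high", "upnp": "high", "icmp-echo": "low"}


def audit(cfg: dict) -> list[Finding]:
    """Return the weak settings found in a router config dict (invented schema)."""
    findings: list[Finding] = []
    wifi = cfg.get("wifi", {})

    mode = wifi.get("security")
    if mode not in ACCEPTED_WIFI_MODES:
        findings.append(Finding("high", "wifi.security",
                                f"{mode!r} is not WPA2-AES or WPA3; traffic can be eavesdropped"))
    if wifi.get("wps_enabled"):
        findings.append(Finding("high", "wifi.wps_enabled",
                                "WPS is enabled; turn it off and join clients with the passphrase"))
    owner = cfg.get("owner_name", "")
    if owner and owner.lower() in wifi.get("ssid", "").lower():
        findings.append(Finding("medium", "wifi.ssid",
                                "SSID identifies the subscriber; pick a name unrelated to the household"))
    if wifi.get("ssid_hidden"):
        findings.append(Finding("info", "wifi.ssid_hidden",
                                "hiding the SSID is not a control: clients reveal it in probe requests"))

    fw = cfg.get("firewall", {})
    if fw.get("default_policy", "deny") != "deny":
        findings.append(Finding("high", "firewall.default_policy",
                                "inbound default is not deny; 'allow all' is no firewall at all"))
    for svc in fw.get("wan_services", []):
        severity = WAN_SERVICES_TO_CLOSE.get(svc)
        if severity:
            findings.append(Finding(severity, f"firewall.wan_services.{svc}",
                                    f"{svc} answers on the WAN interface; disable it"))

    if cfg.get("remote_management", {}).get("enabled"):
        findings.append(Finding("high", "remote_management.enabled",
                                "remote administration is reachable from the Internet"))
    return findings


def flagged_settings(cfg: dict) -> set[str]:
    """Just the setting paths that were flagged, for quick comparison."""
    return {f.setting for f in audit(cfg)}


# Constructed config mirroring the neighbour's ISP router as described in the comment.
AS_FOUND = {
    "owner_name": "Smith",
    "wifi": {"ssid": "Smith Family WiFi", "security": "WPA2-AES",
             "wps_enabled": True, "ssid_hidden": False},
    "firewall": {"default_policy": "allow",
                 "wan_services": ["icmp-echo", "telnet", "ssh", "upnp"]},
    "remote_management": {"enabled": True},
}

# The same router after the handful of settings a home user can actually change.
HARDENED = {
    "owner_name": "Smith",
    "wifi": {"ssid": "Garden-Shed-5G", "security": "WPA2-AES",
             "wps_enabled": False, "ssid_hidden": False},
    "firewall": {"default_policy": "deny", "wan_services": []},
    "remote_management": {"enabled": False},
}

if __name__ == "__main__":
    for f in audit(AS_FOUND):
        print(f"[{f.severity}] {f.setting}: {f.message}")
    print("findings after hardening:", len(audit(HARDENED)))
```

The "deny by default, then open only what you need" rule in `audit` is the single setting that does most of the work here: with it in place, Telnet, SSH and UPnP stop being reachable from the WAN whether or not each service is individually switched off, which is why the script still reports them separately so the owner knows what was exposed.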

  9. bladerunnerblues@gmail.com

    How to talk security

    I give a quarterly security talk to all our employees. Get them all in a room and feed them breakfast.

    Every time it's a hit, people are interested and engaged. Do what the article says, use real world examples, preferably in-house scenarios. Keep the jargon down and explain when you do use it. You're not there to show how much you know, baffle them with bullshit and scare them. Empower your audience by showing examples of what they can do to protect themselves. Keep it focused and entertaining.

Biting the hand that feeds IT © 1998–2019