1st Day Of School; Another Example That Everyone Needs Ongoing Security and Privacy Awareness Communications

I've talked several times on this blog about my sons, and how they've really resonated with the information security and privacy discussions and information I've given them. They notice privacy risks and security problems when we're out in stores or traveling. They point out problems on the Internet. They won't let me watch their fingers when they enter their passwords on their membership sites so I won't discover their passwords...even though they know my parent account has access to change them. :)

So, I've been feeling pretty good about how aware they are of information security and privacy issues, and how we have great talks about the various issues on an ongoing basis. During summer break the talk was primarily around social networking sites, online bullying, and how sites "trick you" into giving personal information.

Last week, Thursday, was the first day of school for them. When they got home I enjoyed asking them all about their day. They said it was great to see the teachers, see their friends, make friends with new kids in the class, talk about summer activities, including who also used Internet sites.

"Joe [name changed for obvious reasons] doesn't have an account on the [kid's social network] site...his parents won't let him have one. So I gave him my site ID and password so he could use it," Heath, my 8-year-old, said.

"What!? You gave him your ID and password!?"

"Yes, but Noah gave his ID and password to John [again, not the real name]!" Heath quickly replied.

"What!?"

Both Noah and Heath had looks on their faces like deer caught in headlights.

"But John's parents won't pay for him to have an account," Noah explained.

It took me less than 5 minutes to get the passwords for Noah's and Heath's site IDs changed. While we were at it we talked about what made good passwords, and also discussed the many different ways in which others could do bad things, even accidentally, with their accounts.

This provides a very good example of why everyone, even those we consider very well security-aware, must receive ongoing and varied types of information security and privacy awareness messages and communications. It is easy for someone who is otherwise very cautious to slip without realizing it and do something that puts their information, or even themselves, at risk.

As I thought about this I wondered, would this be considered a type of social engineering incident? I've decided that, no, it really is not.

These incidents really occurred as a result of vulnerabilities rooted in social psychology, in this case pro-social behavior. Noah and Heath simply wanted their friends to be able to experience something fun like they did. I determined through my talks with them that their friends did not try to coerce them into giving up their login information, and, in fact, their friends didn't even ask for it. Noah and Heath took it upon themselves to offer the information to their friends simply because they wanted their friends to have the same fun that they were having.

Most humans, well kind humans anyway, at all ages have this same tendency to want to help others; very generally they have pro-social behavior.

Most, if not all, of your personnel have this same vulnerability through their goodwill...to do for others. Sometimes that could involve putting your business information at risk, or even the employee's personal information at risk, with the intent of just trying to do something nice.

This is just one more of very many compelling examples and reasons for providing ongoing information security and privacy awareness communications to your personnel.

Even when your personnel are very security and privacy minded, they still need to hear ongoing messages, on the full range of topics and issues, to keep security and privacy in the forefront of their minds whenever they are dealing with your company's systems, confidential and personally identifiable information (PII), and making decisions about how to use them.

Remember..."Even the best fall down sometimes." (Also in the lyrics in a pretty song by Howie Day that popped into my mind as I was writing this... :)

Comments

This scenario shows that precautions a security expert might find elementary might not be as obvious to the average user.
By the way, I think it's great that you're teaching your children about security practices at a young age. It will be interesting to see how the next generation handles data security issues.

Thank you, Mila!

Yes, I hope that my sons will learn to make security and privacy a part of their everyday lives, no matter what profession they go into.

BTW, the new awareness resource I'm launching next month will not only speak to employees, but all members of employee families. I want to do everything I can to help people instill these security and privacy values within their children. My hope is to have information security and privacy be almost second nature to our next generation of workers, and have them not even consider leaving out or ignoring security and privacy within their work activities.


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books, dozens of articles, and has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.