Though I've written about InfoSec for the past decade, I've still had my moments of shame. There was the time last year when I fell for one of the oldest social engineering tricks in the book, clicking the link on a direct Twitter message where someone I worked with asked if I'd seen the nasty post someone wrote about me. The co-worker's Twitter account had been hijacked and similar messages were sent to his contacts. The second I clicked the link, I knew I had just done something stupid.
It was a similar story a few years back when I clicked the link to a sci-fi site I received by email from someone masquerading as an old friend. Five hundred pieces of malware downloaded onto my laptop that day, mainly the stuff that makes adware for pornography and pump-and-dump stock scams pop up all over the screen. I spent several hours cleaning up the mess, and the folks at the office had a good long laugh at my expense.
In both cases, I hadn't had security training at the companies that employed me, though as a writer of security stories I should have known better. In terms of company security awareness, we received security warnings when an attack was making the rounds, but never a lesson on basic best practices.
On my first day at Akamai, nearly an hour of orientation was dedicated to the subject. I had written about the importance of security training for employees many times over the years, but this was the first time I received it.
Security training in the business world isn't something you can do with a one-size-fits-all mindset. Different companies have different needs, and Akamai is no exception. We dealt with specifics I won't discuss here. But a lot of the directions were pretty basic and applicable in any company and industry.
--We are told it's fine to use the IM app of our choice to communicate with friends and family. But for any internal, work-related communications, we must use a separate, specific IM tool -- one that has added protection around it.
--We have a routine schedule of pushing out security patches for various programs, and we will occasionally see a box appear on screen asking us to press a button to install new updates. In the training session, it's made clear that we have to pay attention and install the update when prompted, not dismiss it.
--Our passwords have to be complex and ironclad. To make sure they are, Akamai has an automated program that tries to crack employee passwords every 24 hours. If yours is cracked, you get a message telling you to come up with a new one.
--If you walk away from your desk, you must lock your screen. On my second day, I walked away with several applications running on my machine, and I returned to find a sticky note on the monitor that said, "Screen savers FTW." That was also the day I got my first cable-locking device.
--Speaking of sticky notes, another directive we get is to never leave around notes with our passwords and ID authentication questions written on them.
--There are physical security rules to heed as well. One is to never use something to prop a door open. No key card, no access.
There are many more details that go into our program, but those are good examples of the basics -- items other companies would benefit from adopting.
I'll have more to say on training and awareness in future posts.