Allow the opening segment to play through and the Protect IT message to play. Introduce yourself and let the group know that this is going to be informative and fun. (go to next slide)
Today we are going to talk about security awareness. By the end of this workshop you should each know what we mean by security awareness. You will understand what your responsibilities are as a Business employee. You will be familiar with many of the security issues or situations that you may face during your career here. And most importantly, you will know how to prevent situations or how to handle them if they do occur. Let's get started. (go to next screen)
Let's begin by explaining what we mean by the term 'security awareness'. Security awareness is the advantage of knowing what types of security issues and incidents our staff may face in the day-to-day routine of their corporate function. It is knowing what to do if you feel someone is attempting to: (click)
- wrongfully take Business property or information (ask for possible examples) (stealing a computer) (click)
- obtain personal information about our staff, clients, or vendors (ask for possible examples) (selling staff lists) (click)
- utilize our information resources for illegal or unethical purposes (ask for possible examples) (surfing inappropriate web sites at work) (click)
We will discuss these situations and many others and how to prevent them from occurring at Business. (go to next screen)
Let's talk about your responsibility when you work at Business. As an employee or contractor of the Business Corporation, it is your responsibility to help in the protection and proper use of our information and technology assets. We are counting on you. (go to next screen)
Obviously President Clinton needs to re-think his password strategy! Not only did he choose a weak password but he let other people see him enter it. This did not set a good example. One of the more important ways you can help with security awareness in our organization is by being a good example to others. Be a security ambassador by setting a good example. (go to next screen)
What exactly are "Information and Technology Assets"? Anything that we use to input, process, store, output or communicate information. (click) This includes items such as computers, fax machines, telephones, paper files, etc. (pause for screen to fill) (go to next screen)
Here are some of the common areas where you may encounter security issues or decisions. All of these have the potential to work their way into how we function as individuals or as an organization. Learning about these issues will provide you with the tool to combat them... that tool is knowledge. So let's get started with our first topic... (go to next screen)
Your password is an important line of defense against unauthorized access to our information. Passwords are often targeted because statistically, more than half of typical users have a weak password. Once someone has logged in with your ID and password, that person has the same access to all the information that you do. Let's talk about ways to strengthen this line of defense. (go to next screen)
One of the best ways to start is by knowing the characteristics of a weak password. Names are one of the worst passwords you can use (optional humor: unless it's your fourth cousin once removed and their name is X98pf2u6sN. That would not be a bad password). (click) Personal information is a poor choice. (click) Words that are in the dictionary, no matter how complex, are also weak passwords. (click) And numbers by themselves are terrible passwords. (pause) (go to next screen)
Now that we know the rules, let's have some fun applying them to make some strong yet creative and easy-to-remember passwords. The Vanity Plate method combines letters and numbers that make up words or parts of words in a phrase. (click)
- Too late again: notice how the 'L' and the '8' make up the word 'late'. (click)
- Music is for me: the word 'music' is misspelled and the number 4 replaces the word 'for'. (click)
- Day after today: the word 'after' is slightly misspelled but still reads almost the same. Also, notice that upper and lower case letters are used in all three of these examples. (go on to next slide)
Compound words that we see and use every day can be converted to a practical password with a little manipulation. Start with a compound word like tunafish or sunshine and give it a little twist. (click)
- Deadbolt (click)
- Blackboard (click)
- Seashore (go to next screen)
Phrases can lead to some pretty interesting passwords. Take the first letter of each word in a phrase. Make some upper case and some lower case and throw a number in somewhere. Like this...
- Jack and Jill went up the hill to fetch a pail of water (go to next screen)
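An added example, not part of the workshop material, that turns these slides into code: it flags the four weak-password characteristics from the previous slide and builds a password with the phrase method described here. The dictionary, name and personal-fact lists are constructed stand-ins for real word lists.

```python
import re

# Constructed stand-ins for a real dictionary and name list (assumption: a real
# checker would load the system word list and a proper list of first names).
DICTIONARY = {"sunshine", "tunafish", "deadbolt", "blackboard", "seashore", "music", "password"}
NAMES = {"jack", "jill", "michael", "jennifer"}
# Constructed personal facts that are easy to guess: birth year, birthday, pet's name.
PERSONAL_FACTS = {"1975", "0412", "fido"}


def weak_password_reasons(pw, personal=PERSONAL_FACTS):
    """Return the workshop's weak-password characteristics that pw exhibits (empty list if none)."""
    low = pw.lower()
    core = re.sub(r"[^a-z]", "", low)  # letters only, so 'Sunshine99' still reads as 'sunshine'
    reasons = []
    if core in NAMES:
        reasons.append("is a name")
    if any(fact in low for fact in personal):
        reasons.append("contains personal information")
    if core in DICTIONARY:
        reasons.append("is a dictionary word")
    if pw.isdigit():
        reasons.append("is numbers only")
    return reasons


def phrase_password(phrase, digit="2", digit_pos=4):
    """Workshop phrase method: first letter of each word, mixed case, a digit thrown in."""
    initials = [word[0] for word in phrase.split()]
    # Alternate upper and lower case so the result mixes both.
    mixed = "".join(ch.upper() if i % 2 == 0 else ch.lower() for i, ch in enumerate(initials))
    return mixed[:digit_pos] + digit + mixed[digit_pos:]


if __name__ == "__main__":
    for candidate in ["jill1975", "Sunshine99", "123456"]:
        print(candidate, "->", weak_password_reasons(candidate) or ["no obvious weakness"])
    strong = phrase_password("Jack and Jill went up the hill to fetch a pail of water")
    print(strong, "->", weak_password_reasons(strong) or ["no obvious weakness"])
```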
Protecting your password is just as important as creating a strong one. Even the best password is worthless if people other than you know it. They would have the same access as you, and it would look like you did whatever they did. If you ever suspect your password has been compromised, please change your password and contact the appropriate person immediately. (go to next screen)
Let's look at how we can protect our password...
- Do not share your password with anyone. (click)
- Do not write down your password or store it in a computer file (may need to explain that some people keep all their passwords in a word processing or similar file). (click)
- If anyone ever calls and asks you for a password, report it immediately. (click)
- When receiving technical assistance, enter your password yourself. If for some reason you have to give it to the tech staff, change it as soon as your problem is solved. This protects you and them. (go to next screen)
All computers, whether a notebook or a desktop, will benefit when the following easy steps are practiced. (click)
- use a password-protected screen saver
- configure a power-on password if available or permitted
- always log out of host systems when you are finished
- physically secure your computer with a locking cable or other security device. (go to next screen)
Computer thieves know the typical business traveler's routines. They know when and where you are vulnerable and they will be waiting for just these moments. Take a look at this list of common points of vulnerability. (pause) Let's talk about some of the specific situations. (go to next screen)
Never leave your computer bag unattended. If you can't hold it securely while waiting for your plane or using a public phone, stand with one foot through the strap. (go to next screen)
Never check your computer as baggage. It may not be in the same condition when you get it back, or worse... you may not get it back at all. (go to next screen)
Make sure that the pathway through the metal detector is clear before you place your computer on the x-ray conveyor. A common technique for thieves is to stall you at the metal detector while an accomplice grabs your laptop on the other side. (go to next screen)
It is a common practice for computer thieves to frequent the local public transportation systems. Always hang on to your computer and avoid a decoy situation where one person will ask you for directions or assistance while a second makes off with your computer. Try to stay aware at all times. (go to next screen)
If you are staying in a hotel, carry your own computer to your room. In one real-life case, a number of meeting attendees of a major U.S. company gave their computers and luggage to what they thought were bellmen. They never saw their computers again and their important meeting had to be delayed for weeks. (click) When leaving your hotel room for dinner or other activities, secure your laptop to an immobile fixture or large, heavy furniture. (click) Keep your hotel room door locked while you are in the room. Not only will this help keep your PC and belongings safe but it will help keep you safe as well. (go to next screen)
While any backup is better than not having one, there are a few easy things to remember that will help to ensure that you'll be able to recover data if necessary. (click)
- perform a full backup. This will back up everything on your system. (click)
- do not overwrite your most recent backup tape or other media. (click)
- whenever possible keep at least three cycled backups to prevent overwriting a previous copy or in case your backup media goes bad. (click)
- Frequency of backups should be appropriate for the importance of the data on your computer. You should make a backup of your data whenever the amount of data that is new since your last backup is more than you are willing to re-create. (go to next screen)
It is important that we protect our organization's information. Why? Let's take a look at some reasons... (click)
- maintain customer confidence (prompt discussion of what this means and how this could be affected by a loss of information) (click)
- maintain public image (prompt discussion of what this means and how this could be affected by a loss of information) (click)
- remain competitive (prompt discussion of how we could lose in competitive situations if the wrong information were made public) (click)
- protect ourselves and other employees (prompt discussion on how much personal information the organization has in its systems and also how well each of us knows some of our coworkers and their families) (go to next screen)
Confidential data can be accidentally disclosed in many different ways. These tips will help keep our information from falling into the wrong hands. (click) Don't leave confidential documents unattended on the copier or fax machine. (click) Shred any confidential documents when discarding them. (click) Avoid e-mailing highly confidential documents through the Internet unless using encryption. Otherwise, consider using a courier. (click) Keep a "clean desk" by securing important files and items when leaving. (click) Remove papers and wipe boards clean when finished using conference rooms. (go to next slide)
Let's take a look at some of our typical situations. If you know you will be working late, park in a well-lit area. (click) Also, when you leave late at night, try to exit with other coworkers. (click) When entering the building or secure areas, do not let a stranger 'tailgate' in behind you. This means, unless you know the person or have seen him working here frequently, ask whom he is visiting and offer assistance. (click) Do not prop open doors to secure areas. This defeats the purpose of putting a lock on the door in the first place. (go to next screen)
(optional humor - start with... Despite what some of you might think,) Social engineering does not have anything to do with robots or cloning. A social engineer is a person who will deceive or con others into divulging information that they wouldn't normally share. (go to next screen)
(ask attendees) Can you spot an information thief in this group? (pause for a few seconds) (go to next slide)
Defending against a social engineering attempt is not easy. In fact, you usually won't know when it occurs until it is too late, if you ever realize it occurred at all. Let's take a look at what we can do... (click) If you receive a phone call from an unknown person asking for information that you're not sure should be shared... don't be afraid to ask some questions. (click)
- Ask for the correct spelling of his name. If a false name was used, this may catch him off guard. (click)
- Ask for a number where you can return the call. This will provide a traceable reference point. (click)
- Ask what the information will be used for. (click)
- Ask who has authorized this request and tell the caller that you will have to verify the approval before releasing the information. Be sure to follow up and verify with the person referenced. (go to next screen)
If someone attempts this in person there are also some things that you can do. (click)
- Ask for some identification. If it is a legitimate request for the information he will be impressed at your due diligence. (click)
- Ask who has authorized this request and let the person know that you will have to verify the approval before releasing the information. Be sure to follow up and verify with the party referenced. (click)
- If you are not authorized to provide that information, offer to help locate the correct person. (click)
- Always seek assistance if you are unsure of the situation. (go to next screen)
Remember the case we mentioned a while ago where female employees sued for receiving inappropriate e-mail from coworkers? That situation should have never happened. Those types of messages are unacceptable and a threat to the level of comfort you should expect in our work place. (go to next screen)
Spam is basically unsolicited and usually unwanted e-mail that you may receive. It is usually a form of advertisement for anything from get-rich-quick schemes to pornography sites on the Internet. Just delete it. If it is a really persistent problem, contact our technology group to block the originating address and notify the originating ISP. (go to next screen)
E-mail chain letters and hoaxes can affect an e-mail system and slow its performance if not curtailed quickly. These messages usually ask the receiver to forward them on to others. If you forward a message to ten people and they each do the same, and this cycle continues ten times, this would result in 10,000,000,000 (ten billion) messages. Most e-mail chain letters and hoaxes are nothing more than modern urban legends. Let's look at some examples... (go to next screen)
Read slide. (go on to next screen)
So what do you do when you receive a chain letter or hoax? First, use sound judgement. If you're not immediately sure it is a hoax, examine it for clues: references to verifiable sources, ridiculous claims of riches, etc. If it seems to be a hoax, just delete it. If you receive these types of messages from coworkers, you might want to inform them of the harm they can cause to our organization. (go to next slide)
There is another very good reason to be careful where you go on the Internet. Anywhere you go and anything you do can usually be traced back to our network and ultimately to you. We could experience very negative publicity if a controversial site were able to publicly prove that one or more of our employees had surfed their web site from our network. (go to next slide)
If you sign up or register with Internet sites or services external to our organization, it is important that you use an ID and password that are different from the ones you use on our systems. This will prevent unscrupulous web site operators or their staff from being able to log into our systems. (go to next slide)
Here are some staggering statistics:
- There are more than 50,000 viruses in existence. (click)
- There are as many as 250 new ones being discovered each month. (click)
- A wide-spread virus incident can easily cause in excess of $100,000 in damages to a single organization. (click)
- Virus attacks cost over $15 billion in 2000. (click)
- Research shows that computer viruses are getting more malicious in nature.
Also, while most people realize that a virus can be responsible for data loss, what they often overlook is the potential for loss of customer confidence, loss of productivity, missed deadlines, increased stress, and other costs, both direct and indirect. (go to next slide)
Why do computer viruses spread so easily? Because many people do not take basic precautions. Here are the most common methods by which a system becomes infected with a computer virus. (click)
- Files downloaded from the Internet. If you download programs from the Internet, make sure you know the source and follow the tips we will explain in a couple of minutes. (click)
- E-mail messages and attachments. Some of the more creative and modern viruses are spread through the means of e-mail and attachments. (click)
- Files shared from others or brought in from home computers. Many people do not utilize the same level of virus protection on their home machines as in the workplace. (click)
- Shrink-wrapped commercial software. Yes, this just proves that absolutely no one is guaranteed to be safe from viruses. Not even software companies are immune. (go to next slide)
Viruses can definitely be a problem, but defending against them depends on you incorporating some simple steps into your regular routine. (click)
- Always use anti-virus software on your computer. Do not disable your anti-virus software. (click)
- Keep your anti-virus software current. This is very important due to the number of new viruses discovered each month. (click)
- Scan all files downloaded from the Internet. (click)
- Scan all e-mail attachments, even if you know the sender. They may not know that they have a virus. (click)
- Scan diskettes and CDs before using them. Remember, even brand new packaged software has been known to contain viruses. (click)
- Use anti-virus software on your home computer. (click)
- If your computer ever does experience a virus attack, or your software detects a virus, do not panic. Most popular anti-virus packages can disinfect the majority of viruses in existence. Report the incident to the appropriate person as soon as possible. (go to next screen)
Freeware is pretty self-explanatory. It's free. The author has provided it, usually as-is and without guarantees, at no cost to the user. You are allowed to use it, copy it, and share it with others. Restrictions may be placed on activities that involve altering the software or using it as a component of other software. (click) Shareware is a little different. It is usually provided free of charge for either a trial time period or in a version that is limited in functionality. To receive a full or unlimited version you need to register the software at a modest cost. (go to next screen)
Commercial software is what is most prevalent in the corporate environment. It is usually a higher quality of software and may provide some type of warranty as to its usefulness. Commercial software may be licensed in many different ways:
- One installation per purchased copy (a retail license);
- A negotiated number of installations (a corporate license); or
- A site or enterprise license that allows installation on all computers within an organization. (go to next slide)
At the Business Corporation, we want you to abide by the rules and laws that govern the use of software. These words of advice will help you to do so.
- Only obtain software through our approved methods. (click)
- Install software in accordance with its license. (click)
- Don't share software with others. (click)
- Maintain receipts for purchased software. (click)
- Do not install software from your home computer onto your work computer. (go to next screen)
Software is not the only area of protected material of which you need to be aware. Printed materials and web content are usually protected by copyright law. Be sure to credit the original author or other designated source when quoting directly from their work. (go to next slide)
The Internet can facilitate the violation of copyright laws because it is so easy to cut and paste and transmit information. Often, because web sites place their copyright notices on obscure pages within the site, a visitor does not know they are infringing on protected material. Always be sure to carefully check the source of any information you may want to use elsewhere. (go to next slide)
(click)
- We need to protect Business IT assets.
- Every employee must be aware of, understand and commit to act on any security situation quickly, appropriately and knowledgeably.
- IT Security is everyone's business.
- Areas taken up (go to the next slide)
Let's take a look at those quiz questions again and see how many answers we can get right on the second time around.We'll take a comparison poll and see how many of you improved your awareness today.