The other day I read a tweet that linked to an article on the blog Tales of Ordinary Madness. The article was entitled "Stupid Information Security People". It argued that we shouldn't be blaming the users when a security incident happens; instead, we should be blaming ourselves for not educating them.
After reading the article a few times I have to say that I agree.
As security professionals, what are we doing to educate our users on the latest threats? I know that the past and present companies I have worked for seem to just assume that we all know the latest threats and how to protect ourselves from them. I think this is a rather poor assumption, and you know what happens when you assume things. If you don't educate your users, how do you expect them to help protect your network? Throughout my classes my professors have always said that you can have the best security measures in place, but if your users don't understand how they work, then what good are they?
I think as professionals we owe it to our users to educate them. How hard is it to set aside a few hours a month, every six months, or even every year to discuss the latest threats that are out there and what we can do to protect ourselves and the network? Topics for discussion could include social engineering, XSS and phishing scams. Having this discussion would at least make users aware and give them a sense that they too can contribute to protecting the company's network and the valuable assets behind it. Like the article said, "they are our front line, they are our border guards. Without their participation and involvement in securing our environment, we can't ever hope to be successful" (Stupid Information Security People).
As always, let me know your thoughts.
References

Teodorski, Chris. "Stupid Information Security People." Tales of Ordinary Madness, October 2011. Retrieved from: http://chris.teodorski.com/2011/10/stupid-information-security-people/