Today, 22 May, I listened to an ISSA webex with Ira Winkler as one of the presenters. The presentation concerned the human element in organizations' security woes.

Mr. Winkler's main point was that IT security personnel should not "assume" that the normal company computer user thinks like IT security personnel. He often hears comments like "our employees know not to do such and such" or "they would never do anything that stupid". Mr. Winkler knows from experience that that assumption may not be correct, and he says that kind of comment "assumes" a certain knowledge base that the normal user may not have.

Mr. Winkler said that while prevention is important, "detection" is most important. He went on to explain that IT security should teach the normal user how to "detect" negative events and what to do if they detect such an event. That would include the normal user first detecting the negative event (such as correctly identifying a phishing scam), taking action to stop the negative event (such as not clicking on a malicious link in a phishing scam), and then reporting it to IT security. He also stated that it is wrong for anyone to assume they will not be a target of an attack just because they are not a "big fish".

Mr. Winkler warns IT security personnel against making false assumptions about other groups of people based on their own knowledge base. He points out that other groups do not have the same level of knowledge, nor is their perception of IT security problems the same. Above all, Mr. Winkler advocates the use of common sense. He also advocated using a one-time password for access security, and using technology as much as possible to assist common sense in helping to secure organizations' systems.