I was just reading through an article on Security Search called “Sophisticated spam, employee errors continue unabated” and remembered that I’d promised to do a post on the whole idea of Security Awareness. The comment in the above article that made me think of this was:
You could have the best practices in place … but we find in more cases than not that it's human error, not machine error, that causes the problems you see today
There was also another incident earlier this week – a local bank got hit hard by a phishing scam. This one was particularly subtle in that it (at least the email portion of it) didn’t have a link to click – it had a phone number to call. Computer professionals tell their co-workers not to ever click on links in emails – do we tell them not to ever call numbers sent to them by an email?
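The point of the phone-number scam above is that a check which only looks for links in a message will pass it straight through. The following is an added example, not code from the original post, that contrasts a link-only check with one that also treats a callback number combined with pressure language as a warning sign; the messages, regexes, word list and function names are all constructed for illustration.

```python
import re

# Constructed sample messages for illustration (not real mail). The second one
# carries no link at all, only a number to call, like the bank scam described above.
SAMPLE_MESSAGES = [
    "Your statement is ready. View it at https://example.com/statements",
    "URGENT: your account has been suspended. Call 555-0142 within 24 hours to verify.",
    "Lunch on Thursday? Reply and let me know.",
]

# Hypothetical patterns: a URL, a North American style phone number, and a few
# pressure phrases that commonly accompany "call us now" scams.
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
PHONE_RE = re.compile(r"\b(?:\+?1[-. ]?)?(?:\(?\d{3}\)?[-. ]?)?\d{3}[-. ]?\d{4}\b")
PRESSURE_WORDS = ("urgent", "suspended", "verify", "within 24 hours", "immediately", "call now")


def link_only_check(message: str) -> bool:
    """The naive rule: flag a message only if it contains a link."""
    return bool(URL_RE.search(message))


def callback_aware_check(message: str) -> bool:
    """Flag a link, or a phone number that arrives together with pressure language."""
    text = message.lower()
    has_link = bool(URL_RE.search(message))
    has_phone = bool(PHONE_RE.search(message))
    has_pressure = any(word in text for word in PRESSURE_WORDS)
    return has_link or (has_phone and has_pressure)


def triage(messages):
    """Return (link_only, callback_aware) verdicts per message so the two rules can be compared."""
    return [(link_only_check(m), callback_aware_check(m)) for m in messages]


if __name__ == "__main__":
    for message, (naive, aware) in zip(SAMPLE_MESSAGES, triage(SAMPLE_MESSAGES)):
        print(f"link-only={naive!s:5}  callback-aware={aware!s:5}  {message[:60]}")
```

Running it shows the second message is missed by the link-only rule and caught by the callback-aware one; the third, an ordinary note, is flagged by neither. The keyword list is deliberately small, and a real mail filter would be far richer, but the comparison is the same lesson the awareness training needs to carry: "no link" is not the same as "safe".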
Wikipedia defines Security Awareness as:
knowledge and attitude members of an organization possess regarding the protection of the physical and, especially, information assets of that organization
You’ll notice that there is not much in the way of technology in that definition. Security awareness doesn’t deal with spam filters, network intrusion detection programs or port scanning software – it deals with the education of the front-line, everyday users of our computer networks who have their own jobs to do and don’t have time to keep on top of every security blog, white paper and announcement mailing list out there. Our job, as computer professionals, is to keep on top of that stuff – and pass what we learn on to the people who use our networks. If we don’t, all of the high-tech scanners, detectors and filters won’t help us when one of our co-workers clicks a link, or calls a phone number, in an email and infects the system from the inside.
The general “themes” of security awareness are:
- nature and proper handling of sensitive materials
- proper methods for securing sensitive materials on a computer (password policy, authentication, etc.)
- other security concerns (phishing, malware, social engineering, etc.)
- physical security issues
- consequences of following proper security procedures
All of these – even the first two – are very applicable to libraries. We aren’t working in a big corporation with company secrets that can make or break next quarter’s profits – but we are in a position of trust with our patrons to make sure that the information they give us (names, addresses, books they have checked out, etc.) stays safe and outside the reach of anyone who doesn’t have a legitimate court order. We, however, are also in the somewhat unique position of having all of that confidential and sensitive material to keep to ourselves, while also being a place for people to go to get information and use computing resources that we have to make both available and make secure. All of this takes both attention to detail and flexibility from the folks responsible for a library’s network! It also takes education of the *entire* staff as to what all of the things listed above are. They need to be aware of what information we can and can’t give out about patrons and other staff members. They need to be aware of what a social engineering attack is and how to recognize one when they are being scammed. They need to understand that each and every one of them has the power to bring down the library’s network (including the ability to check out books, look up items in the catalog, etc.) by the decisions that they make. The responsibility for making sure they understand this? That part is up to the computer professionals, network administrators and even the computer-savvy staff who work in our organizations.
And after saying all of that, I’ll now pimp the latest project that my library, MRRL, has going. Bobbi and I will be doing a Library Learning 2.1 program that offers a blog posting a week on a particular application or topic that deals with – in some way – Web 2.0. I’m going to focus on posting a regular (maybe monthly, maybe every other month) treatise on some aspect of staying secure while playing with all of these nifty 2.0 toys – and this program is open to both the public and the staff! Any extra awareness about security-related topics is good, so I’m hoping that by making security issues part of this program, I can improve the security awareness of both the staff that use the internal network and the patrons that use our external network (PCC and wireless).