Did you know that when Benjamin Franklin (under an assumed name) postulated his “An ounce of prevention is worth a pound of cure,” he was actually addressing fire safety? Yeah. You learn something new every day.
Well, the same holds very true for computing safety.
Today, we spend a ton of money on both prevention and cure, trying to fend off hackers, discovering vulnerabilities and cleaning malicious software from our systems. We deploy anti-virus, intrusion detection, firewalls, security information and event management (SIEM), network access controls, multifactor authentication systems, and a whole gamut of other software and hardware, throwing technology at the problem.
That is not to say that all of these are for naught; they are all very effective at what they set out to do. But we tend to overlook the obviously easiest and cheapest way to prevent a security incident from happening, or at the very least to make all these solutions more effective.
Making people understand the danger, how and why it happens, and most especially what they can do in their own little way to help, should be first on the list of things to do for every organization. Why do you think international standards, in all their audit requirements, always demand it? As a matter of fact, if you want to get certified, say for example for an Information Security Management System (ISMS) under ISO 27001 by the International Standards Organization, you have to show proof that you have a documented awareness program and that it is actually being communicated and has happened. Pictures of the session, discussion topics, attendance sheets, invitations and email announcements should also be provided.
A perfect example worth replicating is the awareness campaign done for Republic Act (RA) 10173, the “Data Privacy Act of 2012,” where it is mandatory, and part of the compliance requirement, to have a data privacy awareness program. Not to mention that the leaders of the National Privacy Commission (NPC) were mandated and made responsible for informing the public of the new law, and they have done an excellent job of it! Be it on TV, radio, in print, at events and even in movie houses before the start of the film.
The sad story is that because it is the easiest thing to do, and possibly not the sexiest either, the act of creating and implementing an awareness program or campaign, much less extending its coverage, is almost always the last to happen. I mean, come on, awareness campaign versus intrusion detection system? No contest.
But what if your average computer user knew that scammers and fraudsters use tricks to hide their true identities by substituting look-alike letters and numbers in a name to fool people, e.g. bankoftheorient.com versus bankofthe0rient.com (see what they did there?).
That feeding on their sensibilities and interests is what actually gets them to open and/or download malicious files and documents? I vividly remember the first time I opened a malicious file with the subject “Anna Kournikova Pictures.”
That periodically saying “yes” to updates from their operating systems and anti-virus software (even though it would take 20 minutes to complete) could spell the difference between getting infected or not?
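The letter-and-number substitution trick mentioned above (bankoftheorient.com versus bankofthe0rient.com) is easy to teach and also easy to check for by machine. The following is an added example, not code from the column or from any organization it names: a small Python check of the kind a mail gateway or an awareness-training quiz could run, which folds visually similar characters into a “skeleton” and flags hostnames that imitate a known brand domain. The brand list, the sample hostnames and the simplification that the registrable domain is the last two labels are all constructed or assumed for illustration.

```python
from __future__ import annotations

import unicodedata

# Added example: a lookalike-domain check of the kind a mail gateway or an
# awareness-training quiz could run. Not part of the original column; the
# brand list and sample hostnames below are constructed for illustration.

# Substitutions commonly used to imitate a legitimate name. Multi-character
# sequences come first so "rn" is folded to "m" before "n" is seen alone.
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("4", "a"),
    ("5", "s"), ("7", "t"), ("8", "b"), ("|", "l"),
]


def skeleton(label: str) -> str:
    """Fold a label to a form in which visually similar characters compare
    equal, so 'bankofthe0rient' and 'bankoftheorient' collapse to one string.
    Accented Latin letters are reduced to their ASCII base first; letters
    from other scripts that do not decompose (e.g. a Cyrillic 'o') are
    dropped, which leaves a near-miss that the edit-distance rule catches."""
    folded = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
    folded = folded.lower()
    for src, dst in CONFUSABLES:
        folded = folded.replace(src, dst)
    return folded


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches a single dropped, added or swapped
    character that confusable folding alone does not cover."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(host: str, brands: list[str]) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for a hostname given
    the list of genuine brand domains (e.g. 'bankoftheorient.com').

    Simplification (assumption): the registrable domain is taken to be the
    last two labels; a production check would consult the Public Suffix
    List so that names like 'example.co.uk' are split correctly."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return "unrelated"
    registrable = ".".join(labels[-2:])
    if registrable in brands:
        return "legitimate"
    name = labels[-2]
    nskel = skeleton(name)
    for brand in brands:
        bskel = skeleton(brand.split(".", 1)[0])
        # 1) same name once confusable characters are folded (also catches
        #    a swapped TLD such as .co for .com)
        if nskel == bskel:
            return "lookalike"
        # 2) the brand embedded in a longer name ('bankoftheorient-verify')
        if bskel in nskel:
            return "lookalike"
        # 3) one character off ('bankoftheorlent'); the length guard avoids
        #    flagging short names that are one edit away from anything
        if len(bskel) >= 6 and edit_distance(nskel, bskel) <= 1:
            return "lookalike"
        # 4) the brand used as a subdomain of some other registrable domain
        if any(skeleton(lbl) == bskel for lbl in labels[:-2]):
            return "lookalike"
    return "unrelated"


def triage(hosts: list[str], brands: list[str]) -> dict[str, str]:
    """Classify a batch of hostnames, e.g. those extracted from inbound mail."""
    return {h: classify_domain(h, brands) for h in hosts}


if __name__ == "__main__":
    BRANDS = ["bankoftheorient.com"]           # constructed brand list
    SAMPLE = [                                  # constructed hostnames
        "www.bankoftheorient.com",
        "bankofthe0rient.com",
        "bankoftheorient.co",
        "bankoftheorlent.com",
        "bankoftheorient-verify.com",
        "bankoftheorient.com.secure-login.example",
        "example.org",
    ]
    for host, verdict in triage(SAMPLE, BRANDS).items():
        print(f"{verdict:10s} {host}")
```

The four rules are deliberately ordered from cheapest to most expensive, and a hit on any one of them is enough; in a training context the same rules double as the explanation given to users of what to look at in an address bar.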
Point is, we’re not doing enough education to fully make our constituents aware of the dangers of today’s technology. Heck! We’re not even doing a good job on general health and safety (apologies to the minority that does a terrific job; yes, I saw your bird and swine flu posters before in the rest room, and thank you for reminding me to wash my hands the “proper” way, that was very creative!).
I also noticed that in the recently enacted/upgraded Access Devices and Regulations Act (RA 11449), and in many other laws and regulations not necessarily related to information technology or security, there was a tendency to overlook the need to educate the citizenry on what these are. The section on definition of terms does help, but only to a certain degree. Because the subject is very technical in nature, nothing beats a more “layman-ized” and focused discussion. You should take a page out of the National Privacy Commission’s awareness playbook.
While several beliefs exist on how many times a message should be repeated in order for it to be remembered (some say three, others the “rule of seven”), in a study Microsoft did in 2014 the software giant concluded that between six and 20 exposures were required for one to remember audio messages. Can you imagine how long it would take if this were only for reading? So the laws, documents and all other lengthy materials could take what? A hundred? Perhaps even more?
To any organization aspiring to have any initiative, policy or standard well received by stakeholders, and to make it even more effective: consider creating and implementing an awareness program first, along with the allocation of the material, financial, technical and human resources needed to see it through.
For the government at all levels and in all areas of society, with all of its numerous policies, laws and regulations, make it a point to include and provide for resources, and to assign the responsible parties, to deliver an effective awareness campaign, especially when it comes to very technical topics. It is still not too late. We know that “ignorance of the law excuses no one,” but at least give the citizenry a fighting chance.