When it comes to educating your users about IT security, there are a lot of wrong ways to connect the dots between concepts and practices. Simplistic training sessions can make your users feel ignorant, gullible, or even unintelligent. From my experience, the best practices tend to be those which are honest, informative, and entertaining. When you make your lessons entertaining, you can improve the amount of knowledge your employees retain, it’s just that simple.
With that in mind, let’s take a look at one lesson which won’t fail to entertain and inform your end users. Here are five lessons about IT Security we can learn from everyone’s favorite jaundiced TV family: The Simpsons.
Quote One: “Me fail English? That’s unpossible!” – Lisa on Ice (Simpsons S6E8)
Lesson in IT security: No-one, and nothing is infallible.
No matter how adept your computer security skills are, there will always be things which catch you unaware. Viruses, malware, and social engineering are continually being refined, and as such their potency is always greater than ever before. You may speak IT as your native language, but that doesn’t mean failure is unpossible.
Malware in the wild is only half of the equation, because Shadow IT also falls under this lesson. Most of the time, when you encounter an instance of Shadow IT, it’s just a user with the best of intentions. It could be a worker trying to improve their productivity, or a “tech savvy” user “improving” the security of their system. Unfortunately there is a strong correlation between Shadow IT and malware, and, while correlation doesn’t necessitate causation, in the world of IT security there’s usually a fire if you smell smoke. No-one is infallible, and when non-IT staff are free to install apps of their own volition, the risks become compounded.
Quote Two: “You tried your best and you failed miserably. The lesson is: never try.” – Burns’ Heir (Simpsons S5E18)
Lesson in IT security: IT Security is about risk mitigation, not risk elimination.
Let me say that again, IT security is about mitigation, not elimination. This quote is a solid example of the inverse of the rule, which is what many people believe. I’ve heard numerous end-users tell me that they “don’t bother running any of those anti-virus programs”, because they “used to pay for one and they got a virus anyways.”
“Anti-virus” programs, which are more accurately named “anti-malware” programs, are not infallible. The same goes for firewalls, any form of authentication, or any other IT security related product in existence. The only absolute in IT security is the absolute possibility of risk. That doesn’t mean the products do not work, in fact many are extremely effective at mitigating the risk of various attack angles, it’s just that there’s no such thing as a “silver-bullet product” which is capable of eliminating risk.
Quote Three: “Don’t worry, head. The computer will do our thinking now.” – The Computer Wore Menace Shoes (Simpsons S12E6)
Lesson in IT security: Having strong security practices does not mean that you can stop thinking about IT security.
A lot of professionals feel that automation can handle everything, including the security of their IT infrastructure. Unfortunately, that’s only a half-truth. Automation is a glorious tool for the IT professional. Mundane and advanced tasks can be automated so as to execute with more efficiency than ever before. Never again will driver updates be so strenuous a task. Unfortunately, maintaining security is less of a science, and more of an art form, and as such the human element is always critical.
Consider Cryptolocker, which has recently been seen distributing itself under the guise of a fax notification email. Short of sandboxing every internet browser across your entire network, there’s not a lot you can automate to stop this threat. If you pay attention to various security forums though, then you may have found people who had recently encountered that variant. With human intervention, you could then set up an email filter for any emails including the word “fax”, and inform your staff of the risk and how to avoid infection. When that level of automation is possible you can let the computer do your thinking, until that time though, you can’t simply assume your systems will be able to handle everything.
Quote Four: “They have the Internet on computers, now?” – Das Bus (Simpsons S9E14)
Lesson in IT security: Keeping your intranet internal and your DMZ demilitarized are no longer easy tasks.
Yes Homer, they have the internet on computers now. To be more accurate, they have the internet on everything now. Back in the day, keeping users off of unsecured connections was as easy as telling them that being caught with a personal modem in the office was a termination-worthy offense; however, with the prevalence of cell-phones and other portable devices, a far greater risk than the 2400 baud modem of yore lies in every employees pockets.
What this means is that endpoint security and security awareness training are more critical than ever before. You can’t always trust your users, but you can teach them to not trust themselves. That may sound like a candidate for “most depressing speech ever given to new employees”, but if they’re aware of the risk each of them poses to the security of your network, they may hesitate before using their smartphone to send out that confidential business information in the future.
Quote Five: “Cant someone else do it?” – Trash of the Titans (Simpsons S9E22)
Lesson in IT security: This final rule has an easy explanation. No, someone else cannot do it. IT security is everyone’s job.
This episode is one of the most memorable Simpsons episodes, and incidentally it’s also one of the most relevant lessons you can pass on to your users. How does garbage disposal tie in to IT security? Quite easily, just consider IT security like running a sanitation department.
Homer’s sanitation plan failed because of the inefficiency inherent in getting a third party to handle all of the jobs previously handled by the citizens. Why is it okay then, to have IT security be handled by a single department, or person? People take their garbage to the curb to decrease the work required of sanitation workers, it’s this collaboration that makes the process effective. It logically follows, that such collaboration would equally benefit an IT department. Minimize the work you place on your IT staff, if you bring them your security concerns, such as potential malware infections, rather than leave it to them to notice and/or figure out, then the entire process is streamlined. Work smarter and minimize the workload placed on IT’s shoulders, because, while someone else can do it, having someone else do it is extremely inefficient.
If you’re looking for even more ways to improve the efficiency of your IT staff, why not take a look at a system which offers innumerable utilities from a single pane of glass.
A properly implemented Single Sign-On solution can also drastically improve the efficiency of business.