OK, maybe that’s a little extreme, but you get the point. First, I’m breaking one of my cardinal rules and blogging about something that is a “hot topic” on the blogosphere right now. Yes, the iPhone worm that has the masses running for cover.

Why do people jailbreak their iPhones? Lots of reasons, but for the vast majority of people it’s so they can either tether it for full internet access on a laptop or run apps that have not been blessed by Apple. For this very reason it’s not surprising that lots of them don’t change the default SSH password. I’d venture to guess that most of them don’t know what SSH is, what it is used for, or that it has a default password. Rafal Los thinks that they should read the manual so that they are aware of these things, but I think that is asking a bit much of them. 90% or more of them have never unwrapped their manual and don’t even know where they put it. The problem here is the same problem that many enterprises have with their employees.


APATHY!!!

That’s right, they just don’t care. They aren’t concerned about security or ethics, just about getting the latest toy on their iPhone or PC. They could have read the manual, and if they got as far as the section on changing passwords, they still wouldn’t have thought enough about it to actually go through with it. It’s not so much a lack of reading problem as it is a lack of understanding and caring problem.

Enterprises and SMBs have been dealing with this for years, and it is one of the biggest problems that we face daily. If we can figure out how to effectively combat user apathy and lack of understanding, then we will be able to take a huge bite out of the poor security posture of many organizations.

User education is one of our best arenas for combating things such as this, at work and at home. Companies have got to start implementing real awareness programs that do more than bore their employees. I’ve long been a proponent of quality awareness training, but my good friend Michael Santarcangelo has taught me much and (IMHO) has the answer to much of our awareness problem. We need to interact with users, understand what they need to do their jobs, and work out how we can support them rather than hinder them. We need to help them understand the importance of what they are doing and of doing it securely. They need to know that the company wants to help them do their job, and that what they do and how they do it matters. I also firmly believe that if we help them understand the dangers of the internet and how those dangers can affect them personally, that will go a long way toward their doing the right thing and thinking about the possible ramifications of their actions before taking them. If they understand that surfing porn is likely to infect their PC with viruses and keystroke loggers, then they may not do it, at least not on the same PC they use for online banking. If they understand how file sharing programs can open up their whole PC to the world, then maybe they will lock down (or turn off) their file sharing apps at home. If they understand the importance of keeping patches, AV, and applications up to date, then they are more likely to do it at home. If they are aware of the dangers and understand how those dangers affect them personally, then they are more likely to act responsibly at work.

Engage, Enlist, and Empower your employees to work (and play) more securely with quality user awareness training.