BankInfoSecurity.com - Information Security News, Regulations, & Education

Cybersecurity Awareness: Rules of the Virtual Road

October 15, 2009 - Linda McGlasson

This month didn't slip out of my scope, but it's already October 15 -- halfway through Cybersecurity Awareness Month, designated for the last six years as the month when the public relations arms of security vendors, governors of states and other political types with predetermined agendas set forth to right a whole year of ignoring the need for strong information security awareness.

I don't have to tell you why this approach is flawed. As a former information security director used to remind me, "Every month should be information security awareness month." Security awareness should be part of everyone's job description, and if they're a customer ... well, I think they should sign an agreement to follow some basic standards of safe computing. Here's a thought: How about setting out the 10 rules for safe computing?

Your information security program is only as strong as your weakest link. In the case of many businesses, including financial institutions, that weakest link is your customer or your employee. 

This statement comes with the realization that our customers aren't all rocket scientists or cybersecurity geeks when it comes to protecting their computers and personal information, which means our job is a whole lot more than just making sure our own networks are secure.

The old words ring true: Your information security program is only as strong as your weakest link. In the case of many businesses, including financial institutions, that weakest link is your customer or your employee sitting at a screen, deciding whether to click on that link that popped up in their instant messaging screen, or direct message box on Twitter, or visit that site that offers free ringtones (and malware as a bonus).

The need for a strong security awareness program for customers and employees is apparent, at least to those of us who've been on the other side of a phishing attack, like the spate that hit several banks and credit unions in the past couple of weeks.

One security professional commented to me about the lack of awareness in that bank's customer base when it came to recognizing that an automated telephone call (a vishing attack) wasn't from the bank, despite the fact that the bank had previously told customers several times that it would not ask for account information on a call initiated by the bank.

You don't pick your customers; they choose you. This is the reason why you'll want to make sure your cybersecurity awareness program is up to date and performed on a regular cycle (think at least quarterly, if not monthly).

Of course, we can't expect everyone to be zealously guarding their computers, routers, browsers and personal information, but having a set of basic operating standards should be required of anyone. Think of what you had to do in order to get your driver's license.

Here's my take on the first few rules:

  • Keep your operating system up to date with the latest patches;
  • Update your anti-virus and anti-spyware regularly, if not daily;
  • Install a firewall on your PC;
  • Don't click on links in emails that are from unknown origins (or known origins for that matter).

That's four; it's a start. What would you want the rest of the 10 rules for safe computing to look like?

Comments
Here's one of the top 10 - Keep personal and employee data off social networks - simple, but needs to be said.
Posted by versace on October 17, 2009 @ 9:24 PM
-----------
Cyber Security Awareness Month is a great idea and is not flawed in any way. It is mostly to create an added awareness level beyond what you should normally be doing as an ongoing program. ANY organization that limits its awareness program to one day or one month is missing the point, but that does not invalidate the concept. As Richard Clarke famously said years ago, "If you spend more on coffee than on IT security, then you will be hacked," so balance and proportionality are essential. Banks need to have different programs and messaging for employees, consumers and B2B customers and partners, and suppliers. For employees, have a series of special programs, hosted by the president or other senior executive, and bring in a special speaker on the topic. Have a new table tent in the break rooms, or a new message posted next to the "Your Rights as an Employee" poster. Or have a short video that discusses some recent breaches (from Bank Info Security :-) ) and says, "don't let that be us." For consumers, a series of special messages on logon screens, a limited time offer of a product or discount on PC security products, or a promotion to "opt in" to programs focused on protecting information might be ideas. For B2B customers, special reminders about security procedures and requirements involved in your relationships, for suppliers similar reminders or a Supplier Security Checkup Program, etc. might work. Cyber Security Month is an invaluable opportunity to ADD a level of visibility and emphasis to the importance of security beyond what every bank should already be doing.
Posted by janders99 on October 17, 2009 @ 11:42 AM