We've just delivered our first awareness module for 2017 with a few brief hours left until the new year.
Updating the awareness module on Internet security turned out to be a mammoth task: we've basically rewritten it from scratch, such is the pace of change in this area. We could probably have continued writing for another month, in which time I'm quite sure further issues would have emerged ... so we had to call a halt to the writing in order to hit our self-imposed delivery deadline. We can always come back later for another bite at the cherry and, to be fair, most security awareness topics touch on the Internet in some fashion.
"Fake news" is a recurring theme in the materials, picking up on media reports following the US presidential election. Today, we completed the final piece for the module, the awareness newsletter, drawing on a US-CERT/DHS/FBI alert about GRIZZLY STEPPE published yesterday. Two Russian hacking groups used Remote Access Trojans to compromise systems belonging to US political parties and perhaps other targets. Russian interference in the US elections, through circulating propaganda and directly attacking political systems, marks a new phase in cyberwarfare, in effect using information as an offensive military weapon against a superpower. As noted in the newsletter, however, the US, UK and other governments have conducted Internet surveillance for years, and espionage predates the WWW by millennia. Whether you see sinister implications for civil liberties, or a legitimate use of modern technology to fight terrorism and foreign interference in the domestic economy, is just a matter of perspective. The fact remains that securing information on the Internet is an arduous, costly task with serious implications for privacy and commercial confidentiality, as well as for politics and the economy.
Against that backdrop, awareness advice to patch systems, beware of phishing links, use firewalls and so forth seems trivial, but the truth is that from the outside the average corporation looks more like a colander than a shield. Without a decent level of security awareness throughout the organization, the fanciest high-tech security technologies are worse than useless, in the sense that they give a misleading impression of protection. They help, sure, but they are not sufficient.
Talking of technology, I am dismayed that so few organizations make any effort to train their technical staff on information security matters. How exactly are they supposed to pick up this stuff - Vulcan mind-meld perhaps, or some sort of virtual osmosis? If you think employing IT graduates magically lets you off the hook, take a look at the curricula or talk to your IT people about how much information security their courses actually covered. Go on, I dare you, ask them about the lectures on propaganda/fake news and surveillance! There's a good chance some of your IT pros left uni before the Internet was even invented.