Security / Privacy Advice?

kdawson posted more than 4 years ago | from the all-ears dept.

Privacy 260

James-NSC writes "My employer is changing its policy towards employee use of social networks. I've been asked to give a 40-minute presentation to the entire company, with attendance mandatory, on the security and privacy concerns relating to social networking. While I was putting it together, I ended up with some miscellaneous information that pertains to security/privacy in general, for example: the emerging ATM skimming (mainly for our European employees), a reminder that email is not private, malware/drive-by in popular search results, etc. Since these topics don't directly relate to the subject I've been asked to address, I've ended up with a section titled 'While I have you...' I'm going to have the mandatory attention of every employee and I thought it would be a great opportunity to give advice on security/privacy issues across the board. As it's an opportunity that one seldom gets, I certainly want to utilize it fully. If you had the attention of an entire company with employees in the US, UK, Asia, and Australia, what security / privacy advice would you give?"

260 comments

Acknowledging the /. audience (0, Funny)

Anonymous Coward | more than 4 years ago | (#29460545)

Closing the basement shades will do wonders on the privacy front.

Re:Acknowledging the /. audience (2, Insightful)

heretic108 (454817) | more than 4 years ago | (#29461085)

Closing the basement shades will do wonders on the privacy front.

Translated into /. language: Either operate exclusively through a watertight alias (use a proxy, don't share photos of you groping the office slapper at the Christmas party, don't engage in identifying talk), or just assume that everything you say and do on social networks will be cc'ed to your boss(es), appended to your CVs for the next 50 years and plastered all over your cubicle walls.

Mandatory? (5, Insightful)

DoofusOfDeath (636671) | more than 4 years ago | (#29460549)

I'm going to have the mandatory attention of every employee

No, you're going to have the mandatory presence of every employee. And unless you make the talk riveting, every second of unnecessary content will make them despise you more.

Re:Mandatory? (5, Insightful)

CannonballHead (842625) | more than 4 years ago | (#29460673)

I have found that food helps everyone like you more; perhaps he should provide lunch. Or at least cookies.

Re:Mandatory? (1)

yakatz (1176317) | more than 4 years ago | (#29460795)

But food probably will not help with people's attention spans.
Usually, at a meeting with food, people will be distracted by the food, and once the food is gone, you will be back to the original problem.

Re:Mandatory? (5, Insightful)

PylonHead (61401) | more than 4 years ago | (#29460741)

This is correct.

Present just the information you've been tasked to convey.

Present it in at least 2 different ways.

Take questions.

Summarize once more and let them out early.

Honestly, the more you try to cram in there the less they're going to take away.

Re:Mandatory? (5, Insightful)

BadAnalogyGuy (945258) | more than 4 years ago | (#29460933)

Have you ever tried growing tomatoes? It's very difficult because there are lots of things that can go wrong. Bugs, bad soil, wind, even the tomatoes themselves can be too heavy and break off the vine. It's not a matter of planting the seed and then letting it grow. You've got to be involved almost every day to make sure the growth is under control, that the vine is tied where it needs to be, that the plant is properly pruned so that you don't end up with a scraggly set of leaves and scrawny tomatoes. It's a very difficult, but very rewarding activity.

So when you say:
Take questions.

You are wrong.

Ask questions. If you want your audience involved, you need to solicit feedback. You can't expect them to come with any questions, so you need to frame your speech to include questions *to* your audience so that they become part of the program, not just spectators.

Re:Mandatory? (2, Insightful)

dave562 (969951) | more than 4 years ago | (#29461073)

I like the idea of asking questions. In the context of the speech the speaker might ask, "When was the last time you were in danger of having your personal information compromised?" He can then go on to offer a couple of examples that illustrate his point of how widespread the problem is.

Re:Mandatory? (1)

PylonHead (61401) | more than 4 years ago | (#29461253)

Sounds like a good idea to help engage people.

But seriously, "Take questions. You are wrong." Perhaps that was a little strongly worded. I mean, it's hardly controversial to take questions at the end of a presentation.

Stick to the subject (1, Insightful)

Anonymous Coward | more than 4 years ago | (#29461365)

Focus on your assignment. The Security department can use the other material for newsletters.

Re:Mandatory? (1, Insightful)

0100010001010011 (652467) | more than 4 years ago | (#29460765)

Boobs. No really. Find a ton of pictures of chicks that they posted and regretted.

Put under it: "Do you want this to be your personal data." On the next slide: "Once it's on the internet. It'll never be off the internet."

Maybe separate presentations based on gender/sexual orientation.

1) Everyone will be captivated.
2) It'll make the point rather clear.

Re:Mandatory? (5, Funny)

Anonymous Coward | more than 4 years ago | (#29460875)

3) you will be fired.

Re:Mandatory? (4, Informative)

spinkham (56603) | more than 4 years ago | (#29461139)

Good idea, but you'd have to dial it back a notch for most corporations.
Try these:

MI6 head outed on facebook by his wife, with many details. Viewable by all of the "London" network.
http://www.mailonsunday.co.uk/news/article-1197562/MI6-chief-blows-cover-wifes-Facebook-account-reveals-family-holidays-showbiz-friends-links-David-Irving.html [mailonsunday.co.uk]

Bank intern fired for lying about a family emergency, then pasting party pics of him dressed up as a fairy on facebook:
http://valleywag.gawker.com/tech/your-privacy-is-an-illusion/bank-intern-busted-by-facebook-321802.php [gawker.com]

Another example of being fired for putting dumb stuff on facebook:
http://www.liquidmatrix.org/blog/2009/08/13/social-networking-fail-fail-fail/ [liquidmatrix.org]

Plenty of fail, Safe for work.

Re:Mandatory? (1)

tverbeek (457094) | more than 4 years ago | (#29461393)

Separate presentations based on gender (and sexual orientation)?! This isn't 5th grade sex ed. Not only is it insulting for a bunch of adults to be treated that way, it's probably grounds for a gender discrimination and/or sexual harassment suit. In the workplace "separate but equal" is only permitted with toilets.

Re:Mandatory? (4, Insightful)

commodore64_love (1445365) | more than 4 years ago | (#29460921)

>>>every second of unnecessary content will make them despise you more.

I love mandatory meetings.

It's a great opportunity to get paid $50 for doing absolutely nothing for an hour. Score!

Re:Mandatory? (1)

Tubal-Cain (1289912) | more than 4 years ago | (#29461093)

Assuming you don't have a deadline looming.

Re:Mandatory? (1)

commodore64_love (1445365) | more than 4 years ago | (#29461509)

Even better! I get $75 for every hour of overtime, so the more time spent in meetings the more money I get. Last Christmas, due to a rather stupid promise by management to the U.S. government, I had to rush to finish a project in just one week. I worked 80 hours and earned $5000.

Malicious (0)

Anonymous Coward | more than 4 years ago | (#29461199)

Put a lot of stuff from failblog on there. It keeps the attention of the idiots.

Re:Mandatory? (2, Informative)

tverbeek (457094) | more than 4 years ago | (#29461319)

If you want to point out other security issues, work them into the main topic. "The messages you post on MyFace aren't private... just like your e-mail isn't really private." "Stupid crap that you see advertised on Spacebook can contain viruses... just like random web sites can." "A site that tricks you into thinking it's Twitster can steal your login info... just like a fake ATM can." Etc. That way it's reinforcing the underlying principles, and not looking like an afterthought.

Re:Mandatory? (0)

Anonymous Coward | more than 4 years ago | (#29461421)

I've also found that making it clear from the outset (in a nice way) that the computers and connection in question are COMPANY PROPERTY and anything they do WILL BE MONITORED goes a long way in giving the average Joe a wakeup call. Regardless of what they do in future, they now know that they do not have the right to do whatever they want without repercussions in regards to their employment.

Caveat: This only works if you have the backing of the head of the company to make it a blanket policy, applicable to absolutely everyone regardless of position or status.

At my last employer, I had the latitude from the CEO to ban all non-company purchased devices, including personal laptops, iPods, and memory sticks. It may sound draconian, but it kept a lot of crap from happening and cut down on re-imaging HDDs because some secretary borked their box or Joe manager wanted to bring their porn to work.

Make it funny (2, Informative)

boxie (199960) | more than 4 years ago | (#29460555)

You don't have to be a comedian, you just need to make sure that your audience is attentive and taking in what you are saying - so - make it funny and have the jokes the things you want people to remember.

that and tell them to be paranoid "if it seems dodgy, it probably is!"

Nigeria? Please.. (0)

Anonymous Coward | more than 4 years ago | (#29460559)

Well, for one thing, that Nigerian Prince who emailed you really isn't sending you any money.

security tip: (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#29460605)

your asshole is exit only. I didn't realize that until I fucked 700 dude and got aids. bjs are fine, but no cock up the ass. And wear a latex glove while fisting.

krsmav (5, Insightful)

krsmav (1410223) | more than 4 years ago | (#29460637)

When you have a captive audience, the temptation is nearly irresistible to force-feed them something they wouldn't willingly listen to. Put yourself in their place. Don't say anything that you would resent being forced to sit through. Keep it short and jargon-free, and lighten up if possible.

Tell them to take orders from Clippy (0)

Anonymous Coward | more than 4 years ago | (#29460651)

And only Clippy.

Secure Your Presentation PC/software (5, Funny)

sfled (231432) | more than 4 years ago | (#29460675)

Secure the PC & software you're going to use in the presentation, just to keep pranksters or jealous peers from having fun at your expense. Terribly embarrassing to give a talk on security while boobies are flashing on the screen behind you.

mandatory attention (2, Insightful)

nethenson (1093205) | more than 4 years ago | (#29460685)

"I'm going to have the mandatory attention of every employee and ..."

Wrong. You are going to have the mandatory presence of every employee, but their attention is something you will have to earn.

One line (4, Funny)

antifoidulus (807088) | more than 4 years ago | (#29460687)

"If you wouldn't expose your wang to your co-workers at the water cooler, don't do it online"

Re:One line (0)

Anonymous Coward | more than 4 years ago | (#29461471)

I don't expose it at the water cooler, but i do dip it in when no one's looking.

Using social networks in the job? (3, Insightful)

Saija (1114681) | more than 4 years ago | (#29460689)

on the security and privacy concerns relating to social networking

I'm a little confused here: are the employees of your company using social networks at work? If so, why on earth don't you block access to these sites?
Note to myself: don't use /. at work

IT people get security wrong (4, Insightful)

Kohath (38547) | more than 4 years ago | (#29460693)

Educating your users is useful. You'll probably do a good job. Tell them not to download and install anything "fun" for Windows.

I find that IT people get security wrong far more often than users, though I'm used to working with sophisticated users. IT people set up security that's needlessly inconvenient. The users then spend their time circumventing that security to get their work done. Users do things like writing their password down on a post-it, using Skype, setting up logmein.com on their PC, or posting a document on a public site. They do this because IT forces elaborate password schemes and won't support remote logins or other external communications.

IT needs to be responsive to user needs for security to work right in an organization.

Re:IT people get security wrong (3, Informative)

techno-vampire (666512) | more than 4 years ago | (#29460873)

IT people set up security that's needlessly inconvenient.

How true! IT people seem to think that if you can make security tighter, you must, even where it doesn't make a difference. I once worked at a company where IT had set things up so that you had to log into three different databases to get your work done. Each one required a different ten-character password with at least one uppercase letter, one digit and one punctuation mark, and they all expired after thirty days. Sound good? What would you say if I told you that all three databases were on the local intranet and not accessible from outside of the firewall? There was no telecommuting, so you had to be on-site to reach the servers in question. The only thing IT did with their draconian password policy was make work harder for everybody, but there was no way to make them understand that.

Re:IT people get security wrong (2, Interesting)

commodore64_love (1445365) | more than 4 years ago | (#29460969)

>>>The only thing IT did with their draconian password policy was make work harder for everybody, but there was no way to make them understand that.

Yeah there is.

- "Hello IT."
- "Yes I forgot my password." (i.e. lie)
- "Again? You forgot your password last week too!"
- "Yeah I know but I use three different servers, and your policy makes me have to reset my password about every 10 days. I can't possibly remember all of them when the word keeps changing all the time."

After a couple times of these calls, IT will eventually get the message that their password policy is ridiculous and unworkable for the average worker.

Re:IT people get security wrong (4, Insightful)

element-o.p. (939033) | more than 4 years ago | (#29461215)

Wrong.

It's not the poor stiff at the helpdesk who sets policy; it's the extraneous middle manager five levels up who doesn't give ${rodent}'s ${anatomical feature} about how difficult it is for the working-class saps, so long as he can tell his SoX auditor that they are abiding by a secure policy. BTDT, got the T-shirt.

Re:IT people get security wrong (1)

Geoffrey.landis (926948) | more than 4 years ago | (#29461435)

After a couple times of these calls, IT will eventually get the message that their password policy is ridiculous and unworkable for the average worker.

Not even close. The help desk personnel already know this-- they deal with this problem every day. They aren't the people who make the policies.

UK Gov't Health tells kids to masturbate. Parents pissed.

You're aware that the UK meaning of "pissed" is "drunk," right?

Re:IT people get security wrong (1)

uniquegeek (981813) | more than 4 years ago | (#29460985)

Our workplace (which is quite small) has a computer in the lunchroom that is hooked up to the internet, but not the company network. You can't install anything, but it's the place you take a break if you want to check something on facebook or a favorite web site, etc. It establishes "this side of the office is for work, this side is for fun".

Most of us self-regulate quite nicely, but it's been necessary for a couple employees who refuse to grow up. Though, now that I think about it, they were both fired and don't work here anymore...

Re:IT people get security wrong (0)

Anonymous Coward | more than 4 years ago | (#29461457)

I find that IT people get security wrong far more often than users, though I'm used to working with sophisticated users. IT people set up security that's needlessly inconvenient. The users then spend their time circumventing that security to get their work done.

I find that stupid people who don't understand corporate culture blame the wrong people for brain-dead policies, and scream at the workers instead of the real people responsible.

Hint: It's not the "IT People" who set the "needlessly inconvenient" security.. policy is invariably created by management, not the IT drones.

While you're at it.. (5, Funny)

3Cats (113616) | more than 4 years ago | (#29460713)

explain to them that's MY FREAKIN BACON SANDWICH in the fridge! I had my NAME ON IT!!

Farkin' lunch thieves...

Re:While you're at it.. (1)

0100010001010011 (652467) | more than 4 years ago | (#29460775)

Pick something poisonous but tasteless. Nothing lethal.

Make sandwich with substance.

Sit and wait.

Re:While you're at it.. (2, Funny)

commodore64_love (1445365) | more than 4 years ago | (#29461003)

And spend several years in jail for 3rd degree manslaughter. A wiser course is to use something harmless but effective, like laxative or Syrup of ipecac

"Hey John you've been disappearing a lot. Are you sick?"
"Yeah man... I threw up."
"Huh. Hey did you happen to see what happened to my sandwich? Some fool ate it. I'm glad I'm not him because it's a week old."

Re:While you're at it.. (1)

0100010001010011 (652467) | more than 4 years ago | (#29461019)

What part of 'nothing lethal' did you miss?

Just a poison that makes them sick, I'd consider syrup of ipecac a poison.

Re:While you're at it.. (1)

gandhi_2 (1108023) | more than 4 years ago | (#29461173)

syrup of ipecac should only be administered under order of a physician. it's fallen out of favor because you only throw up around 85% of your stomach contents and about 15% of people don't throw it up at all.... and it's a cardiotoxin....so all the non-puked ipecac starts to poison you. so you would be poisoning them. besides, the smell would give it away.

Re:While you're at it.. (2, Insightful)

tomhudson (43916) | more than 4 years ago | (#29461183)

Better yet, put a teaspoon of methylene blue in a 1- or 2-litre bottle of coke or pepsi.

Let suspect drink it.

Let them get all alarmed the next day because they're peeing green or purple.

Just a couple of drops in a glass does the job.

Advise them on corporate espionage... (2, Funny)

Anonymous Coward | more than 4 years ago | (#29460721)

Tell them how to look out for individuals within the company that may be involved in corporate espionage and point out key characteristics of suspects:

Unexplained Affluence - they have more money than you would expect from their job/life.

Undue Interest - they show up in your department asking questions but have no work-related purpose.

Affiliation - they express low affiliation with the company, or high affiliation with other interests.

Work Issues - they are not happy with their work or feel that they have not been treated fairly.

Questionable Contacts - they associate with or are in contact with persons of competing firms or interests.

Note that depending on your specific industry and company, security discussion of this level may require more than a few minutes.

Cutting off social networking? (5, Insightful)

syousef (465911) | more than 4 years ago | (#29460725)

My employer is changing its policy towards employee use of social networks. I've been asked to give a 40-minute presentation to the entire company, with attendance mandatory, on the security and privacy concerns relating to social networking.

Correct me if I'm wrong but that just sounds to me like your employer is going to start blocking Facebook, Myspace, Youtube, private email, and possibly everything else your filtering software classifies as social networking. Or at least a prelude to this.

If I'm right, the only opportunity you're being given here is to become the public face of a very unpopular move. Adding a lecture on security to this will only irritate people who'll be thinking "Well it's not going to matter anyway once it's blocked". It's going to be very difficult to come across as anything but condescending. People are quite likely to associate the decision with you personally. Your aim should be to stay brief and informative, not to "utilize" the opportunity, because it's an opportunity for social suicide. Ideally this should have been undertaken by email, been short and been to the point.

Re:Cutting off social networking? (1)

phasmal (783681) | more than 4 years ago | (#29461099)

I would have said it sounded like the opposite - that they are just about to open the doors to social networking and want to ensure that employees do it 'safely'...

--
Phasmal

Re:Cutting off social networking? (1)

/dev/trash (182850) | more than 4 years ago | (#29461127)

Puts already blocked all that. No complaints. Ya should be working not socializing anyway.

Re:Cutting off social networking? (1)

QuantumG (50515) | more than 4 years ago | (#29461297)

Henry Ford called, he wants his Scientific Management textbook back.

A happy employee is a productive employee. Modern management is about making employees feel valued and trusted. They do their job because they get satisfaction out of it, not because someone is behind them cracking the whip.

Banning social networking sites is the exact opposite of what you need to do. You should be encouraging your employees to have fun at work while showering praise on their work. Yes, saying "thank you for doing your job" is exactly what people want to hear, even if they say they don't.

Re:Cutting off social networking? (3, Insightful)

that this is not und (1026860) | more than 4 years ago | (#29461357)

Don't blame Henry. He was part of the deal, but he was just doing what that fascist Taylor said to do. Taylorism needs to be obliterated.

Re:Cutting off social networking? (1)

Imrik (148191) | more than 4 years ago | (#29461133)

It could also be that the company is changing its policy to be more friendly to the social networking sites, which could necessitate a presentation on the possible dangers.

Re:Cutting off social networking? (0)

Anonymous Coward | more than 4 years ago | (#29461175)

Yeah I fail to see why a company needs to explain to its employees an action restricting use of the company's equipment. I mean they didn't sign some sort of contract that gives them the right to play online did they? People at my company get fired for wasting too much time online.asld;kfwenla ahhhhhh...nnoooo...must hit submit after writing this stupid pun....

Why would you call a meeting for that. (1)

Chuck Chunder (21021) | more than 4 years ago | (#29461285)

Sounds like they are going for a more nuanced approach (and should be applauded for doing so). If they were going to cut it off a simple email would be explanation enough.

Brilliant. (1)

attemptedgoalie (634133) | more than 4 years ago | (#29461305)

I used to work for a Fortune 10 company. They did surveys to see where we could improve internally. When the results were released, management would create (or pay to have made) an 8 hour training session. At the end, they would explain what happened. We complained, and were punished. They would report the training was a success and that if we complained again next year, we'd take the *same* course. Another 8 hours of mandatory non-work.

They would solicit for people to help drive the training sessions because they "had to be at an off site meeting", no doubt a golf course or Hooters or something.

Management got off free, and got bonuses for having the training handled, the employees were beaten into not complaining again.

Privacy (0)

Anonymous Coward | more than 4 years ago | (#29460727)

I'd go with a reminder that nothing you do at work is private, rather than just e-mail.

Familiarity Breeds Contempt... (1)

BoRegardless (721219) | more than 4 years ago | (#29460729)

or at least mind-numbing forgetfulness.

Use of the Internet should generally be remembered to be nonsecure and suspect.

Lots of people will forget, because they are tired, pushed, harangued, or pissed off at their boss or coworkers.

Trying to instill constant vigilant attitudes will be REAL tough.

Maybe Browser pop-ups reminding employees of the latest intrusion or hazard of the day is not so bad as a reminder. (Please no bricks) If I was to design a popup, it would be a one liner with a link for more info. and the popup would disappear after 5 seconds on its own.

Back it up with a little detail helps. (5, Interesting)

Kyle (4392) | more than 4 years ago | (#29460733)

Everyone knows you need a secure password. Now show them the log of the 3k connection attempts to the SSH port that occurred overnight.

Unknown Entries:
            authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.46.49.199 : 2366 Time(s)
            authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.205.44 user=root : 364 Time(s)
            authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=140.116.236.46 user=root : 80 Time(s)
            authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.205.44 : 73 Time(s)

Maybe ask permission to do a live demonstration of a password cracking tool. See how many passwords you can get in 2 minutes. This may be dangerous though, hide the results, just show the usernames, you don't want to find out who is using the CEO's wife's name as a password.

Really get their attention with some specifics like that.
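An added example, not part of the original comment: a short Python script that turns logwatch-style summary lines like the four quoted above into per-host totals you could put on a slide. The function names and the report layout are assumptions of this example; the sample input is the quoted lines themselves.

```python
import re
from collections import defaultdict

# The four summary lines quoted in the comment above, copied as-is.
SAMPLE = """\
Unknown Entries:
    authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.46.49.199 : 2366 Time(s)
    authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.205.44 user=root : 364 Time(s)
    authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=140.116.236.46 user=root : 80 Time(s)
    authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.205.44 : 73 Time(s)
"""

# "<key=value fields> : <N> Time(s)" after the "authentication failure;" prefix.
SUMMARY_RE = re.compile(
    r"authentication failure;\s*(?P<fields>.*?)\s*:\s*(?P<count>\d+)\s+Time\(s\)\s*$"
)


def parse_line(line):
    """Return (fields, count) for one summary line, or None if it is not one."""
    match = SUMMARY_RE.search(line)
    if match is None:
        return None
    fields = {}
    for token in match.group("fields").split():
        key, sep, value = token.partition("=")
        if sep:  # keep empty values such as "logname=" as ""
            fields[key] = value
    return fields, int(match.group("count"))


def summarize(text, service="ssh"):
    """Aggregate failures per remote host for one service (tty= field)."""
    per_host = defaultdict(lambda: [0, 0])  # rhost -> [all failures, user=root failures]
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # headers, blank lines, unrelated entries
        fields, count = parsed
        if fields.get("tty") != service or not fields.get("rhost"):
            continue
        entry = per_host[fields["rhost"]]
        entry[0] += count
        if fields.get("user") == "root":
            entry[1] += count
    # Busiest source first; ties broken by address for a stable order.
    hosts = sorted(
        ((host, total, root) for host, (total, root) in per_host.items()),
        key=lambda item: (-item[1], item[0]),
    )
    return {
        "total": sum(total for _, total, _ in hosts),
        "root_total": sum(root for _, _, root in hosts),
        "hosts": hosts,
    }


def format_report(summary):
    """Render the summary as a small fixed-width table."""
    total = summary["total"]
    rows = ["%-18s %8s %7s %10s" % ("source", "failures", "share", "user=root")]
    for host, count, root in summary["hosts"]:
        share = 100.0 * count / total if total else 0.0
        rows.append("%-18s %8d %6.1f%% %10d" % (host, count, share, root))
    rows.append("%-18s %8d %7s %10d" % ("all sources", total, "", summary["root_total"]))
    return "\n".join(rows)


if __name__ == "__main__":
    print(format_report(summarize(SAMPLE)))
```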

ATM skimming... (0)

Anonymous Coward | more than 4 years ago | (#29460739)

If you are going to cover Ass To Mouth, why bother skimming it?

Closed Source Open Source (0, Offtopic)

erroneus (253617) | more than 4 years ago | (#29460749)

With Closed Source software, it has been shown time and again that you don't always know what it will do beyond its stated and obvious functions. Windows Genuine Advantage, for example, has been shown to store and send out more information than Microsoft has stated. Other closed source software has been shown to do similar things as well. Ultimately, the software for which source code is not openly available (and which is often encrypted to avoid disassembly or other analysis) simply cannot be checked or verified the way Open Source software can. And while the vast majority of apps do actually behave, you still have to understand that each program is a "black box" and you simply have to "trust" it. With Open Source software, this is much less the case.

The lesson here isn't necessarily that everyone should use only Open Source software either. The lesson is that adequate suspicion and caution should be exercised when installing software onto a computer keeping in mind various factors. Such factors might include how much it is needed versus how good its reputation may be. People tend to put more trust into strange software than they would a stranger asking to have access into their computer system and this is rather strange. When installing strange software into a computer system, it is actually worse in many ways to having someone personally and directly have free access into your computer system. It is important to remind everyone what it is they are granting access to when they install strange software that is, in the end, "a black box."

STOP CLICKING RANDOM LINKS (1)

chill (34294) | more than 4 years ago | (#29460755)

Like the animal kingdom, if it looks interesting and has lots of bright colors, it is probably deadly. Stay away.

Don't post anything online that you wouldn't want your grandmother, pastor and organized criminals to see. Or, don't post anything that shows anything you wouldn't want your pre-teen daughter to be doing.

Terms of service change on a whim. There is no such thing as online privacy. The internet never forgets. Don't trust the delete key. Don't say in e-mail what you wouldn't be willing to say to someone's face -- in public.

Learn what BCC is in e-mail. Never use multiple TO or CC to anyone outside the company, as it can expose a great deal of internal e-mail addresses.

Re:STOP CLICKING RANDOM LINKS (2, Insightful)

MichaelSmith (789609) | more than 4 years ago | (#29460893)

Don't use your internal password for anything external, like your hotmail account.

If you need to share your data with co-workers don't give them your password so they can log in and do it.

If in doubt, don't.

Lean On Existing Protocol And Procedure... (1)

Xin Jing (1587107) | more than 4 years ago | (#29460759)

And where that trails off and the gray area begins, go back to that same rules and regulations compendium and glean appropriate behavior and confidentiality employee agreements to remind people what is acceptable and what is not.

It's a rare situation that has employees actively working and conducting business in various locations and stages of production where they are exempt from the rules and regulations that govern safety, access and distribution of proprietary information, asset security and liability. When in doubt, employees are encouraged to seek out their immediate supervisor or manager and share case-by-case situations that fall outside of established guidelines.

While this puts more burden on the rules to list what is appropriate and what isn't, the "employee handbook" can become a living document that grows as procedures change and situations require amended courses of action.

I'd also suggest incorporating a policy revision or review process, where the common employee can affect change through communication to an individual or department that can highlight a policy or procedure that is incomplete or inaccurate.

In the end, the Company is seen as less infallible and more adaptive, the management that executive or owners rely on to get things done are better empowered to merge effort with Company expectations.

Supplemental materials (2, Insightful)

beefnog (718146) | more than 4 years ago | (#29460761)

If your company has branches in all of those regions, chances are there are quite a few people in the crowds that feel their time is worth far more than yours. I would create a supplemental handout / electronic document rather than discussing points that aren't in the exact scope of what you've been asked to discuss. Speak specifically about social networks. Provide literature about your other concerns.

KISS (1, Informative)

girlintraining (1395911) | more than 4 years ago | (#29460763)

Keep it short, keep it simple. And don't stray off the topic. And you might want to have a handout of the key points.

Re:KISS (0)

Anonymous Coward | more than 4 years ago | (#29461437)

'Keep It Simple, Stupid'

Don't. (1)

ChaosDiscord (4913) | more than 4 years ago | (#29460773)

Nothing says Commitment to Quality like deciding that 40 minutes is the right length of time for an important lesson, then assigning someone else to creating the lesson content.

As others have noted, people are already going to be surly about a mandatory meeting. For those people who actually use social networks, they're going to be surly about whatever restrictions your company has decided on. You can buy a bit of forgiveness by letting them out early. It might seem like you're passing on a golden opportunity, but trying to cram in additional content is doomed. They start surly. You'll be 30 minutes in and they'll be zoning out. It's a hostile audience, and little, if anything, you say will stick with them. If it's obvious you've jumped to seemingly optional topics, (which is what "While I have you" says), you'll lose the rest.

You've been ordered to push a boulder half-way up a hill. It's doomed to roll back down the moment you're done. Don't make extra work for yourself by uselessly pushing it all the way to the top.

If you (2, Funny)

msimm (580077) | more than 4 years ago | (#29460797)

If you do it naked no matter how dull the content it will be an event they shall all long remember!

Will you share a copy of the presentation? (2, Interesting)

MattCC (551250) | more than 4 years ago | (#29460821)

It would save some of us the trouble of putting similar material together if you could post the presentation somewhere.

Are users the customer or the product? (1)

thzinc (679235) | more than 4 years ago | (#29460829)

One thing that a lot of people don't think about when discussing privacy, especially in social networking, is the topic of who the customer truly is. With free services online, the true customer is almost always the advertisers, and the product being sold is usually user information. http://www.weourfamily.com/blog/who_is_the_customer.jsp [weourfamily.com]

What's the change in policy? (2, Interesting)

rta (559125) | more than 4 years ago | (#29460837)

What's the actual change in policy that's the main target of your talk? If you're just going to tell them that "you can't hit Facebook from work anymore" or "If you ever blog about the company we'll fire you" then you will have lost your audience already. Anything else you tell them may even be counterproductive because it will be associated with the main negative message you just delivered.

In fact, along the same lines, if someone else decided this policy change (which I'm assuming is not "employee friendly") it may not be in your best interest to do the announcement. If it was a committee decision, then yes you should do it even if you don't agree with it. If it's the lawyers or the CEO or VP etc. cramming it down your throat, then consider, respectfully, asking him, her or them to do the announcement.

As to something you might say / do: consider suggesting that they get a nettop to use for personal business (if you allow such things on your network) and/or perhaps set up a secondary "guest" network that they might use for this purpose. Beyond that, the usual, use non-IE browser.... make sure you run some sort of virus scanner at home, run Spybot S&D every once in a while... don't ignore https warnings... The ATM thing may be a bit outside the scope of the talk.

 

Get Security/Legal/HR buy in (3, Insightful)

omkhar (167195) | more than 4 years ago | (#29460839)

Are you part of the security team? If not, perhaps this is more the domain of your security guys than yourself. I'd also get the buy-in of HR. As with most policy changes (especially ones with a reprimand) you gotta make sure HR is on side. Legal for good measure too - i.e. are you asking something which is illegal of the employee? I know it's a stretch, but CYA.

Will you tell them the truth? (3, Interesting)

billybob_jcv (967047) | more than 4 years ago | (#29460891)

Will you tell them that although no one in IT has the time to monitor email, if an employee pisses off someone in management or HR enough that they become the target of an "investigation", then every stupid little email where an f-bomb was dropped between friends or the hot chick's ta-tas are discussed will suddenly be used as "evidence" of violation of corporate policy and they will be terminated?

Not that it's happened to me - I'm just sayin'...

Wear a Rubber? (0)

Anonymous Coward | more than 4 years ago | (#29460903)

see subject

Promise Them A Rose Garden (1)

runslothrun (524157) | more than 4 years ago | (#29460943)

This is an excellent time - since I have your captive attention - to point out that you were asked to present on a specific topic. What you are proposing is that you will provide a rose garden when all you were asked to deliver was a shrubbery. Don't make the mistake of thinking that these other topics, no matter how tertiarily related, will endear you to your audience or your manager. That said, I would find ways of incorporating some of them in the "effect of..." being a victim of social networking scams, schemes, malware, etc., etc. Much better than dropping more info in their laps at the end and they probably won't be able to put two and two together and see how they are related. By the way, once you learn to deliver what has been asked for not only your manager but you will be much happier. Find other ways to get what you want. It's a skill; so learn it. See what I did and didn't do there?

And another thing (1)

Gonoff (88518) | more than 4 years ago | (#29460949)

I always tell our new starters not to share or write down passwords. Of course some of them will - generally the higher paid ones. At least this way we have tried and they can't claim that they didn't know because nobody ever reads the policy documents!

Free Security Awareness Content (0)

Anonymous Coward | more than 4 years ago | (#29460971)

There is some free security awareness content available at http://go.microsoft.com/?linkid=9685199 that includes a complete presentation you could use.

A worrying trend? (0)

Anonymous Coward | more than 4 years ago | (#29460975)

I'm curious to know more:
Are your employers interested in changing/developing a policy for use of social network sites whilst at work, or are they interested in developing a policy regarding use of social network sites to discuss any matters related to the company?

I find it a terribly disappointing trend that companies are leaning more towards controlling their employees both inside and outside of the workplace. If it's the latter surely it amounts to censorship and is very disturbing.

I would hope that your company is an excellent place to work and are confident enough to allow their employees to sound off about any practices. I would hope that there are enough effective avenues within the company to allow employees to be able to point out issues and to have them resolved such that if an employee does sound off on a social network then others will be able to point out in public that the individual is wrong.

I would hope that your company and all companies realise that their best asset and advertisement is the employees that work there. If they are happy people will want to work there or buy their products.

If not then surely the company is (a) cutting its own throat (b) deserves the public ridicule.

Advice (5, Interesting)

Anonymous Coward | more than 4 years ago | (#29460999)

I gave a similar presentation to a smaller group. My advice would be to do a live demonstration on the actual information that one can get from a social networking site. For example, I pulled someone's information from the social networking site, googled them using stuff I learned about them from facebook, found their email address, home address, and phone number. Using this information I was able to find out friends and family members of theirs, including photos etc. I also found their myspace page and looked up other social networking, dating, etc. sites. Off of other social networking sites, I started to build a profile in my talk about what type of person this was and also talked about additional things I might be able to gather, if I had malicious intent.

I used this talk as a means to introduce other security related issues such as email encryption, etc. I did not go into any details of those things, but I did introduce them and asked if they would be interested in learning a little more about those topics. People overwhelmingly asked me to do another series of small presentations on additional security topics, as many were shocked at how much information I was able to gather.

Don't put too much on your plate as it will be difficult to focus on your main task and it might not go over too well. Security is a huge issue and every topic cannot be done justice in one presentation. However, if you do your main presentation right, you can get people interested in how it really impacts them.

I hope this helps out a little. Good luck!

None And Then Some (2, Interesting)

DynaSoar (714234) | more than 4 years ago | (#29461055)

"If you had the attention of an entire company...."

I'd tell them I have put together a collection of security/privacy related issues that may or may not relate to things at work but definitely relate to their personal life computer use. But rather than take up more of their time by covering it here and now, I'm going to offer to send it to anyone who wants it. They can request a copy by emailing me at username at domain dot top. Thank you, and have a nice period of planetary rotation.

The bosses will be impressed with the extra work you did and with the fact you let them all get back to work as soon as possible. Everybody will be happy you let them go rather than keep them in the meeting longer. That will improve the probabilities that they'll (1) ask for the supplement and (2) use it, plus (3) remember and use the stuff the company wanted put together. That'll get you a reputation as the IT guy that's tech smart as well as management smart, something that could go a long way towards improving your 'situation'. At least it could go this way, and knowing that before the fact you could use it to your advantage. For instance: convert the supplementary material to a slide show presentation; tell the bosses now that you have put together and are going to offer the extra material, but only as a freebie sent out upon request rather than take up more of the company's valuable time; and just generally present yourself as confident in your technical and managerial skills, both of which you apply for the good of the company, etc., etc.

In other words, don't just give it, use it.

Scare them a little (1)

davidshewitt (1552163) | more than 4 years ago | (#29461159)

People tend not to listen to things that they're not interested in, so you need to make them interested. Come up with a real world example of how a normal person (like them) fell into one of the many traps on the internet (malware, phishing, you name it), got their info stolen, and wound up with a nightmare on their hands. You don't want to make it too intimidating, but give them a sense that it *CAN* happen to them. That way, they'll be interested in what you have to say, for their own good, as well as that of the company.

KISS (1)

Lost Race (681080) | more than 4 years ago | (#29461189)

Since these topics don't directly relate to the subject I've been asked to address, I've ended up with a section titled 'While I have you...' I'm going to have the mandatory attention of every employee and I thought it would be a great opportunity to give advice on [whatever]. As it's an opportunity that one seldom gets, I certainly want to utilize it fully.

Resist the temptation. It's always a bad idea. That's why you seldom get the opportunity.

Do not do that. Stay on topic. (0, Redundant)

tlambert (566799) | more than 4 years ago | (#29461227)

Do not do that. Stay on topic.

You are supposed to cover a topic. Cover it. If you have a hobby horse to ride, you should give a good presentation on what you've been asked to present on, and nothing else. If the issues you want to ride come up in Q/A, you can address them very briefly, but stay on topic.

If you ever want to get asked to talk in depth about your hobby horse(s), you will do a good job on the topic you have been told to present on, and not look like some schmuck who can't keep on point in presentations by having the thing wander all over the map.

Also, anything you add at the end will tend to push the information you were intended to communicate out of their heads entirely, and trivialize it for your audience, so you should think twice about that. If your management is there (you said everyone would be), it will do the same for them, and they aren't going to think you've covered what they told you to at all well, and that your whole talk wandered, even if it only wandered at the end.

-- Terry

Have a wonderful social life (1)

cellurl (906920) | more than 4 years ago | (#29461235)

I have given this some thought. I would tell your employees to have a wonderful social life. Engage in Twitter, TPB, politics. Normal slander rules apply such as in Germany, England or wherever you are located.
HR should be don't ask, don't tell policy. If they do porn at night and end up on CNN, that could happen to anyone, it's not a company's business other than normal company-image / chance-for-promotion type stuff.
The internet is just a bigger megaphone, not a new type of megaphone...

Do not move data if you do not have to (1)

teh moges (875080) | more than 4 years ago | (#29461251)

One thing about security is that people always take shortcuts, and one of the main outcomes of this is that data gets lost when it should never have been copied in the first place. A key example of this is when consultants take a copy of a database so that they can create a program to access the data. They don't need the data, they just need the schema. Get this into people's heads (think 'least necessary information' rather than 'easiest command') and it wouldn't matter how poorly your consultant handles your data, because they can't lose any of it.
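
The schema-only handoff described in the comment above, as an added example that is not part of the original post: it assumes an SQLite database, and the table names and rows are constructed sample data. It copies only the DDL into a fresh database and checks that no rows came along.

```python
import sqlite3

def build_sample_db():
    """Constructed source database holding sensitive rows (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (
            id INTEGER PRIMARY KEY AUTOINCREMENT,
            name TEXT NOT NULL,
            email TEXT NOT NULL UNIQUE
        );
        CREATE TABLE orders (
            id INTEGER PRIMARY KEY,
            customer_id INTEGER NOT NULL REFERENCES customers(id),
            total_cents INTEGER NOT NULL
        );
        CREATE INDEX idx_orders_customer ON orders(customer_id);
        CREATE VIEW order_totals AS
            SELECT customer_id, SUM(total_cents) AS spent
            FROM orders GROUP BY customer_id;
        INSERT INTO customers (name, email) VALUES
            ('Alice Example', 'alice@example.com'),
            ('Bob Example', 'bob@example.com');
        INSERT INTO orders (customer_id, total_cents) VALUES (1, 1999), (2, 4500);
    """)
    return conn

def schema_statements(conn):
    """Return DDL only: tables first, then indexes, views, triggers.
    Internal objects (sqlite_sequence, auto-indexes) are skipped."""
    rows = conn.execute(
        "SELECT type, sql FROM sqlite_master "
        "WHERE sql IS NOT NULL AND name NOT LIKE 'sqlite_%'"
    ).fetchall()
    order = {"table": 0, "index": 1, "view": 2, "trigger": 3}
    return [sql for typ, sql in sorted(rows, key=lambda r: order[r[0]])]

def schema_only_copy(src):
    """Build the database a consultant would receive: structure, no rows."""
    dst = sqlite3.connect(":memory:")
    for ddl in schema_statements(src):
        dst.execute(ddl)
    dst.commit()
    return dst

def row_counts(conn):
    """Row count per user table, used to verify the copy is empty."""
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master "
        "WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    return {t: conn.execute(f'SELECT COUNT(*) FROM "{t}"').fetchone()[0]
            for t in tables}

if __name__ == "__main__":
    src = build_sample_db()
    print("source:", row_counts(src))
    print("handoff:", row_counts(schema_only_copy(src)))
```

Review the DDL itself before sending it, since column defaults, check constraints and view definitions can embed literal values.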

While I have you? (1)

Korbeau (913903) | more than 4 years ago | (#29461389)

You'll ... never ... have ... me!
(a la Lost Highway when the blonde version of Patricia Arquette enters the mysterious man's shack after it imploded back to a standing structure)

Ruby On Rails spreads viruses (0)

Anonymous Coward | more than 4 years ago | (#29461459)

Many free websites, including social networking websites, use Ruby On Rails as a backend, which has been shown to facilitate the spread of viruses.

According to Symantec, there have been skyrocketing rates of virus infections ever since websites like MySpace became popular.

Passwords (1)

Geoffrey.landis (926948) | more than 4 years ago | (#29461475)

Tell them to make sure they use a different password for every different system they access.

Other than that? Well, tell lots of good stories.

Don't Give Advice (4, Insightful)

mpapet (761907) | more than 4 years ago | (#29461503)

If it's not *specific* company policy, then don't say a word.

1. Because no good deed goes unpunished.
2. Humans are incredibly stubborn. Informing them of risks with almost no career consequences AND they'll probably do anyway will be mostly wasted breath.
3. Sharing remotely related information is not the purpose of the meeting. I have an idea, have the meeting finish on time or early. Incredible, right? It's amazing what happens when people respect the boundaries established by the meeting time.

I would take the advice and put it on paper, (no corporate letterhead) and call it 'helpful information.' End the meeting by announcing it as a 'bonus gift!' Interested people will take one. Publish a PDF for the international people.
