One would think that working at a very prestigious university would simplify the job of the security department. All you would have to do is tell people what was required, and those people, with very large IQs, would understand and follow these simple (or not so simple) rules:
- Don’t click on stuff
- Don’t open attachments
- Don’t go where no one has gone before
- You should not give any information when you get an email asking for your name, address, social security number, password, PIN, mother’s maiden name, etc. This is a phishing email.
- Your password should never be “password” or “12345678.”
There are a lot more of these, but you get the general idea. It turns out that the more degrees a person has, the more likely they are to ignore the security rules (this is a generalization, and there are many smart people who can and do follow the rules; otherwise my job would be impossible).
Some of my favorite examples:
The professor who called me asking why we disabled his network connection – I told him that it was because his machine was sending out spam. He proceeded to tell me how he had spent the whole day trying to unzip a file he got in an email so that he could run the very interesting program someone had sent him. He obviously succeeded. We no longer allow executables through our email system.
The executive who clicked on the link in the email asking them to confirm their account information or else have their email turned off. We now disable any link in email where the apparent address does not match the actual address.
The person who did not realize that putting files with PII in a directory that was accessible from the web might expose that information to unauthorized access. We now scan all web accessible directories looking for PII.
I bet that some of you could come up with some stories of your own. My “ah-ha” moment came when I realized that to effectively do security in an environment where you can’t block everything, you also can’t block stupid. You just need to understand that you can’t stop stupid, but you can slow it down.