As a prank, Moore rewrote some code for the company's IBM mainframe to allow him to send anonymous messages to co-workers. But his joke inadvertently resulted in his message being inserted into a sales forecast report, which was about to be presented by a Genesco vice president.
"Luckily, they didn't fire me," said Moore, who now serves as an information security consultant for Convergys. "I kept my job, but it got me thinking about computer security, and it got Genesco thinking about it too. They offered all their employees a program on the dos and don'ts of working with computers."
Genesco was ahead of its time in offering information-security training to its rank-and-file workers. And even today, security experts say very little is being done to educate employees on anti-virus techniques and company policies relating to information security.
"People are the weakest link," said Chris Pick, vice president of market strategy at security and systems-management company NetIQ and co-founder of Human Firewall, an educational and informational Web site now operated by the Information Systems Security Association, or ISSA. "Education is the first line of defence."
But apparently not many companies are following that playbook.
Passwords: Change passwords frequently, choosing unusual words, numbers or a combination of both. For example, deliberately misspell words, substitute numbers for vowels, do a combination of both, or remember the first letter of every word in a sentence. Vanity passwords, similar to vanity license plates, can also be effective.
Attachments: Beware the unsolicited e-mail attachment, even if it comes from an e-mail address you know (some viruses can hijack addresses). Reply to the sender and ask if he or she did indeed mean to send the attachment.
E-mail: Browser: Use a utility that prevents pop-ups from opening and installing malicious code on your computer.
Securing data: Physical security: Be aware of anyone trying to enter your company's premises without proper identification. Employees need to be vigilant about providing additional eyes and ears for the company. Who's who: Learn whom you should contact to inform the company of breaches in both physical and network security.
For those who have yet to undergo training, here's some basic advice on how to keep your computer and your company secure:
• Read e-mail messages in plain text rather than HTML, especially when using Outlook 2003 or Outlook Express.
• Be suspicious of any e-mail that tries to lure you to a Web site and have you enter personal data. This tactic -- called phishing -- is used for identity theft.
• Before you crack open that laptop and begin entering sensitive data or reviewing confidential information, be aware of who is sitting behind or beside you. It may be better to sleep during that plane trip, rather than unwittingly sharing sensitive information with strangers.
• Avoid leaving your computer on and unattended. You never know who might pass by and access your information and the corporate network.
• Take the time to install patches and updates. If you don't, you may wind up spending a lot more time cleaning up the havoc wrought by viruses and the like.
PC users are frequently pinpointed at the weakest link in the security chain. A recent survey of developers conducted by Evans Data, a market intelligence firm, found that one in four believed that biggest barrier to computer security is users refusing to follow policies. Nearly one in 10 developers thought security solutions were too complex for the average user.
The lack of an informed work force can be costly for a company, since technology can only go so far in protecting a network, security experts said.
What you don't know, can hurt you
"Unfortunately, people are still not thinking before opening an (e-mail) attachment. Every time a new virus comes out, people go out and do the same thing they shouldn't be doing," said Mike Breth, IT audit manager for the Westfield Group, an insurance and financial services company.
Such acts can paralyse an organisation. New viruses are being released at record speed. And in some cases, virus outbreaks have lead to companies shutting down e-mail systems, as a costly but preventative measure.
Regulations around privacy, such as the Health Insurance Portability and Accountability Act in the US, and financial reporting measures, such as the Sarbanes-Oxley Act, are also raising the stakes for corporations. As a result of these regulations, companies need to keep their customers' information, as well as their financial reporting material, under tight security.
"In the last 30 or 40 years that we've had computers, there have not been any great strides in making employees aware of the importance of security," Moore said.
Companies are increasingly becoming aware of the problems security breaches and viruses can bring, but few are devoting dollars to educating the work force -- the last gatekeepers.
"Very few companies do this, because they don't see how it adds to the bottom line," Moore said, noting that if money is spent, it's often for security-related technology. "Symantec and other vendors have very good products like firewall and intrusion-detection software, but these are only addressing the technical problem."
Symantec, which also sells an off-the-shelf Web-based security training program for employees, finds that prospective customers will cite budget constraints when declining to purchase the training program, or they will buy the company's security products but not the training.
"Ten (percent) to 20 percent of large enterprises have something in house already. And when we ask about their program, it's not a security awareness program at all. All they're doing is posting their security policy on their Web site and calling it training. I'm guessing, at most, maybe 5 percent of those companies are going out and actually training employees," said Kathleen Coe, Symantec's education services director.
John Thompson, chief executive of security software provider Symantec, has been a longtime advocate of companies developing corporate policies on security issues. He notes that technology alone can't keep companies secure.
6%
2%
Interesting article but it really only addressed the dangers of email and viruses. the real danger is the "trusted employee" who brings in his own data files or software. At my work i have found this to be the largest problem and as such we are currently trialing some new software from apreo, which seems to be doing the trick