Internaut: DHS starts up $1.8m public cybersecurity campaign
Shawn P. McCarthy
The Homeland Security Department, with help from technology companies, has a publicity campaign under way to remind citizens to take their Internet security seriously.
DHS seeded the effort with a $650,000 grant to the National Cyber Security Alliance. Its 50 big industry names will match the government money. Other resources should push the initial marketing campaign to about $1.8 million.
That's enough for a decent start at reminding users that Internet convenience carries a price: fraud, hackers, identity theft, spam, spyware and viruses.
Home computers, especially those with always-on broadband connections, are a breeding ground for Internet security problems.
The campaign stresses the value of firewalls and antivirus software. There's a lot more to Internet security, but it should at least wake up home and small office users who never bothered about security before.
That raises a question: Does the government have its own house in order? The campaign could be a catalyst to persuade government employees to practice safer computing.
- Does your agency need to wear a belt and suspenders? Most government LANs have firewalls and mail server antivirus protection. Personal firewalls are a good addition to protect each PC and server against insider threats. Local virus detection and quarantine is an absolute must.
- Does your agency have spam filters on mail servers as well as personal spam filters on clients? Put users in charge of white- or black-listing their own incoming mail.
- Are there rules about opening e-mail attachments, with significant penalties for not following rules? Institute similar rules for the use of floppy disks and portable or key-chain drives on multiple machines, including home PCs. In general, it's safer to e-mail a file home to work on than to carry it on a disk.
- Do all employees who take work home have virus detection there? Set penalties for not keeping it up-to-date.
- Are there frequent scans of all systems for spyware pests that steal computing power and bandwidth? These aren't technically viruses because users are often tricked into clicking on bogus licensing agreements. Invest in legitimate pest-scanning software rather than relying on useful but limited shareware.
- Are there specific requirements for agency use of Internet wallets, password management systems and autocomplete functions built into browsers? They save time but are also tools for identity theft when improperly implemented or maintained. A good rule is never to enter an employee's name when setting up a computer or installing any software. Use code names or numbers instead, and keep personal information in a central, protected database.
- Does your agency have a plan to fight distributed denial-of-service attacks? Set up mirror servers with the same data as on main servers. To be extra safe, have secondary domain names available in case your main domain name suffers a long-term denial attack. Don't inform employees or others of the new domain name until it's needed.
Most agencies are now in the midst of their enterprise architecture reviews. A simultaneous review of security standards would be time well spent.
Shawn P. McCarthy is president of an information services development company. Send him e-mail at firstname.lastname@example.org.
Shawn McCarthy, a former writer for GCN, is senior analyst and program manager for government IT opportunities at IDC.