Bullet Proofing Your Career Online, Spectrum 2012

The brilliant Hannah Morgan and I presented Bullet Proofing Your Career Online at the STC Rochester Spectrum Conference. We’ll be presenting again at the STC Technical Communications Summit in Rosemont, IL in May. You won’t be able to experience our incredibly witty repartee, but I’ve embedded the slides below.

Updated: 2012 Speaking Schedule, January through June

I’ll be speaking at the following events this winter and spring. Watch for my presentation materials on SlideShare.

January 9: HEISC (Higher Education Information Security Council), Town Hall. Recording available.

January 30:  Bullet Proofing Your Career Online (with Hannah Morgan, @careersherpa), ABCPNG (Always Be Connecting Power Networking Group), First Unitarian Church, Rochester, New York

Description: What are the 10 key steps to building and securing your online reputation? A security professional and a career sherpa provide their perspectives on how to create an online presence that enhances and promotes your career safely and effectively.

April 23rd: Bullet Proofing Your Career Online (with Hannah Morgan, @careersherpa), STC Rochester Spectrum Conference, Rochester Institute of Technology, Rochester, New York

April 24th: Leadership Day, STC Rochester Spectrum Conference, Rochester Institute of Technology, Rochester, New York

Facilitating the event and the panel discussion

May 17: Engage! Creating a Meaningful Security Awareness Program (with Cherry Delaney, Purdue University), EDUCAUSE Security Professionals Conference 2012, Indianapolis, IN

 Abstract: This session will help attendees identify available resources and tools and determine the steps needed to create an engaging security awareness program. We’ll share how to integrate social media, video and other resources in an effort to reach a variety of audiences. We’ll also discuss how to leverage security incidents to create opportunities for engagement with your community. We’ll conclude the session by helping you plan a series of targeted activities for a high profile event such as the National Cyber Security Awareness Month.

May 20: Communications Liftoff! Rocketing your Community to the Stars, Leadership Day progression, STC Summit, Rosemont, IL

May 21: Bullet Proofing Your Career Online (with Hannah Morgan), STC Summit, Rosemont, IL

May 23: Shockproofing Your Use of Social Media 2012, STC Summit, Rosemont, IL

Description: Lightning Talk. What are the top ten ways to shockproof your use of social media? What’s new for 2012?

Making Information Security Fun

I shared this presentation at the October program meeting of the Rochester Chapter of the Society for Technical Communication. The presentation demonstrates how the Information Security Office at the Rochester Institute of Technology used marketing techniques to reinforce key messages to raise awareness around information security concerns such as phishing.

To see more about how we’re using blogging to raise awareness in a specific academic course, visit the RIT Cyber Self Defense blog.

Ten Ways to Shockproof Your Use of Social Networking Lightning Talk

I had the privilege of presenting my 25-minute presentation on Shockproofing Your Use of Social Media as a five-minute Lightning Talk at the STC Summit in Sacramento on May 18th.

Lightning talks introduce an additional element of stress for the presenters: the slides advance every 15 seconds whether they’re ready or not. Our audience was ~150 Summit attendees, so we were presenting to our peers as well.

It’s quite the experience sharing the stage with eight other presenters with totally different styles. Would I do it again? In a heartbeat!

Other STC Summit 2011 Lightning Talks

• Robert Armstrong, Don’t Suck at Social Media
• Liz Fraley, Don’t Sell Yourself Short
• Alan Houser, Myths, Fallacies, and Lies in Technical Communications
• Brenda Huettner, Lighting Design, Terminology and Audience Analysis: Succeeding without Winning
• Bill Swallow, Advice from the Trenches on Building Online Communities

Digital Self Defense for Technical Communicators, Part Three

Digital Self Defense for Technical Communicators was first published in the Society for Technical Communication‘s Intercom magazine in November 2010.

How We’ve Communicated These Concepts at RIT

Higher education is a mix of cutting-edge and legacy computing systems. Unlike many large companies, most universities and colleges continue to use computing equipment well past its retirement age. At the other end of the spectrum, faculty and students always want the newest technology available. Securing such a heterogeneous environment is a challenge. With limited resources, RIT needed to find a way to reach a large user population that may be indifferent to security issues. Even worse, these users might consider themselves to be “experts,” especially because this is a technology university that attracts some of the brightest students.

To communicate digital security issues to RIT students, faculty, and administrators, we used standard communications vehicles such as a series of brochures on Internet safety topics and computer security requirements, email alerts and advisories for specific threats, and an RIT Information Security website containing electronic copies of the materials. We also used some more innovative methods, such as classes, social media, and community discussion and messaging.

Digital Self Defense

We developed a series of Digital Self Defense classes that we offered to faculty and staff. We advertised these classes through email, using every cliché about safe Internet use that we could think of. The initial class, “Introduction to Digital Self Defense,” was instructor led and primarily a presentation with discussion. In that class, we focused on communicating desktop, portable computer, and password standards. We also discussed safe Internet use.

New Student Orientation

Although the Digital Self Defense classes developed a strong following among faculty and especially staff, it was not an appropriate vehicle for reaching students. Recognizing that security awareness is a multi-year project, we developed an “up tempo” presentation to focus on three areas of concern to students: Safe Computing, Illegal File Sharing, and Safe Social Networking.

We discussed the various technical requirements for using computers at RIT after setting the stage by talking about the various threats students might face and the role of organized crime in creating malware. We incorporated video resources that illustrated key concepts or provided a “friendly” way to introduce concepts that we knew would be hotly debated by the students, such as illegal file sharing. To help students understand the need for safe social networking, we discussed examples of risky student Internet behavior at RIT and other universities. We also used videos to reinforce the importance of being selective about what information you place online.

Social Media

We established Facebook and Twitter accounts for the RIT Information Security Office designed to reach students. To build our fan base, we advertised the site through posters and emails, and we kick off each fall by entering students who become fans of the RIT Information Security Facebook page in a drawing for a $100 gift card. Over a three-year period, we gained almost 4,000 fans. We used the Facebook page to post articles about safe social networking and to engage fans in discussions about information security issues.

RIT's Information Security Office mascot, Phishy, with Ritchie the Tiger

Phishing

Over the past couple of years, higher education has seen an increase in phishing attempts, known in the industry as “spear phishing.” Spear phishing targets a specific group of individuals by crafting emails or other “bait” that appear to come from a known and trusted source, such as a school’s information technology department. In 2009, RIT saw a string of phishing attempts that had, from our view, a success rate that was unacceptable. (As much as we’d like to block all phishing attempts and train our community to recognize and ignore such password requests, someone always falls for a well-crafted phish.)

Unsure of how best to combat the threat, we formed a team of our best information technology thinkers to address the issue. We chose a multipronged approach with both technology and people initiatives. We increased our email alerts and advisories to inform the community of the problem. Our Information Technology Services organization began prepending a warning message to all incoming emails that contained the word “password” in the text. However, we knew that this wouldn’t be enough to solve the problem. In conjunction with a poster campaign adapted from Yale University, our student employees wore a fish costume around campus; “Phishy” was an instant hit. Phishy reminded students to never respond to requests for their passwords. Although we haven’t been able to stop everyone from responding to phishing attempts, we usually see only a few people respond now.

Lessons Learned

Different messages require different vehicles. Faculty and staff may still use email as a primary means of communication. Students, however, get much of their information from social networking, so that’s where we need to be to reach them.

REFERENCES

“Facebook, Twitter Revolutionizing How Parents Stalk Their College-Aged Kids.” (www.theonion.com/video/facebook-twitter-revolutionizing-how-parents-stalk,14364/).

Moscaritolo, Angela. “InfoSec: 23 percent of users fall for spear phishing.” SC Magazine. 9 March 2009. (www.scmagazineus.com/infosec-23-percent-of-users-fall-for-spear-phishing/article/128480/).

Nation, Joe. “Facebook Mini Feeds with Steve.” (www.youtube.com/watch?v=w35cFqG4qLk).

RIT Information Security website (http://security.rit.edu).

RIT Information Security Facebook page (www.facebook.com/RITInfosec).

“Sophos Facebook ID probe shows 41% of users happy to reveal all to potential identity thieves.” 14 August 2007 (http://www.sophos.com/pressoffice/news/articles/2007/08/facebook.html).

Related articles

• Epsilon Data Breach: Expect a Surge in Spear Phishing Attacks (pcworld.com)
• Phishing emerges as major corporate security threat (deurainfosec.com)