October 8, 2012 By Dan Lohrmann
Steven Spielberg is known as one of the best movie directors ever. Spielberg once said that his primary motivation for making movies was his fears and anxieties. “I had no way to sublime or channel those fears until I began telling stories to my younger sisters. This removed the fear from my soul and transferred it right into theirs.”
In the ABC Family Movie Cyberbully, Taylor Hillridge is a teenage girl who finds herself the victim of cyberbullying when she becomes a member of a social website. As the movie progresses, the significant damage that cyberbullying can cause becomes clear when Taylor tries to overdose on medication pills. Through therapy and a healing process, she learns that she is not alone.
"Cyberbully is a great jumping-off point for talking to teens about the very real dangers that exist online. The movie does a good job of working in most of the hot-button issues related to this topic, including the anonymity that exists online, the legal loopholes that enable cyberbullying, the social pressure on teens to partake in digital relationships, and the emotional devastation that bullying inflicts on its victims and their families."
Last time, I left you with the question: What actions steps can we take to improve cyberethics at home and work? In my final blog on this cyberethics topic, let’s look at what’s happening around the world with some potential examples to emulate.
Hot Example: Cyberbullying
Family examples that grab a lot of attention include cyberbullying and sexting. Parents, teachers, legislators and criminal justice agencies quickly take notice when these topics come up. To give you a sense of how significant these problems have become, just take a quick peek at this Google list of links to national and international conferences on cyberbullying.
For example, the June 2012 International Conference on Cyberbullying in Paris was their 8th meeting on the topic. The lists of members, groups, committees (and management committees), meetings, topics, newsletters, posters, presentations, upcoming events, books and training schools is enough to clearly illustrate that this problem is not going away anytime soon.
From the tragic international statistics, to the new cyberbullying bills written after teen suicides to local school board arguments, cyberbullying has become a front-line societal issue. Parents are asking: Should schools be held responsible for cyberbullying? New websites and even companies have been created to address training in cyberbullying avoidance.
Cyberbullying and sexting are just two societal examples of the wider ethical issues we are facing in cyberspace. From plagiarism to cheating on tests and from the insider threat at work to illegal hacking of identities, there is a growing body of evidence to suggest that more action is needed.
Meanwhile, cyberethics challenges at work continue to cause concerns for state, local and federal governments. As described in the first blog in this series, the intentions of employees may be good, but what is actually happening on the ground (on the networks?) How are staff truly behaving and how are policies being enforced?
So what’s being done right now regarding cyber awareness around the country?
October Cybersecurity Awareness Month
We’re in October, which means that Cyber Security Awareness Month has begun. This year, the kickoff event occurred in Omaha, Nebraska, on October 1.
A quick glance at the Department of Homeland Security’s website on National Cyber Security Awareness Month (NCASM) reveals a few themes with helpful links and information under each. Those areas include:
- Cybersecurity is one of our country’s most important national security priorities.
- Our shared responsibility online
- Do your part
But DHS is not alone. The Indiana University’s Cybersecurity center offered practical tips for awareness month, and the SANS Institute took their show on the road to Chicago to highlight important training courses. Stay Safe Online launched a helpful new website. Dark Reading also offered a list of ways to protect users online.
The Stop Think Connect campaign also celebrated their second anniversary on Thursday, with plenty of support from numerous organizations around the globe.
Despite these excellent events, websites and press announcements, Security Week proclaimed that this year’s Cyber Security Awareness Month Kicks-Off on a Blue Note. Here’s an excerpt:
“First there was the attack on the White House Military Office (which was overhyped by some media outlets), followed by the National Cyber Security Alliance’s report that 90% of Americans do not feel completely safe online.
In a survey conducted with McAfee, the NCSA’s study said that 90% of the surveyed American consumers reported that they don’t feel completely safe online. Moreover, 59% say their job is dependent on a safe and secure Internet; and 78% say losing Internet access for 48 consecutive hours would be disruptive with 33% saying it would be extremely disruptive.”
Other Cyberethics Programs
And yet, almost all of these sessions focus on security topics like changing your passwords, not reusing your passwords, phishing attacks, stopping malware and the like. So how do we practice cyberethics? Microsoft offers this “Practice Cyberethics” Website which offers a long list of do’s and don’ts.
The Socrates Institute, an independent developer and evaluator of educational programs, offers lessons on cyberethics for students. They make the case for the importance of training and list some of the reasons a cyberethics program is recommended for young people. “Activities such as hacking, cutting and pasting web text, spreading viruses, downloading music and videos, copying CDs and software are considered harmless pranks or sharing by most students. In fact, though, many of these are federal crimes, punishable by high fines, banishment from the Internet, and prison time.”
The University of Alabama offers several case studies and discussion questions for students on various aspects of cyberethics.
Back as early as 2008, some parts of California offered K-12 training that went beyond cyber safety and covered cyberethics.
The Massachusetts Government offers online cyberethics training for employees, parents and teachers which “Is designed to teach students an appropriate way to approach the difficult ethical dilemmas that arise from using the modern Internet.”
The Texas CISO also offered this newsletter on cyberethics to state employees and others, with links to a variety of resources.
Some people even believe that public schools should mandate teaching of cyberethics. Ikeepsafe.org addresses this topic by stating, “The ethical behavior of students without training or education is suspect. Students are not receiving the appropriate cyber ethics training leaving them to chance cyberspace. Today, many teachers have not received the proper training necessary to educate current cyber responsibilities to stay safe online.”
What Are We Missing? What Can Be Done?
Back in January 2007, I wrote a CSO Magazine blog entitled: Why Security Staff Struggle Implementing Cyber Ethics. The piece offered a long list of reasons why this is a very hard topic to tackle in government workplaces. One nationally-recognized security colleague even warned me before that post, “Don’t go there Dan. You can discuss cyberethics for kids but not for adults. People don’t want you to preach at them.”
The sad truth is that our cyberethics problems are much worse today than five years ago. The introduction of social media, smartphones, BYOD, cloud computing and more into the workplace have lead to a business environment where personal ethics has become the main firewall for many staff. Our new online possibilities are almost limitless, but the number of opportunities to get into trouble is accelerating in new ways as well.
The general reaction from the security industry has been to focus on “just the data stupid” without regard for the many other online ethical pitfalls. While few would disagree with the reality that better cyber awareness training is certainly needed on a wide array of corporate and personal cybersecurity topics, the identity theft headlines continue to overshadow online productivity, personal and company reputation and other cyberethics issues within enterprises.
So what actions do I recommend regarding cyberethics and cultivating an environment which encourages our staff to act responsibly and even be online ambassadors for good?
1) Incorporate cyberethics training into government and business awareness programs.
2) Discuss cyberethics with your family members. Use movies like Cyberbully to get the conversation started.
3) Review ethics policies, security policies and related computer policies at work to ensure that they are updated for our new always connected world.
4) Hold a discussion with staff regarding online ethical issues that come up at work. Discuss what they are accountable for. Talk with staff at meetings about their use of social media sites like Facebook and appropriate use of the Internet. Ask: How can we be ambassadors for good?
5) Communicate the importance of cyberethics. Use project discussions on roles regarding “people, process and technology” to ensure that everyone understands expectations and accepts responsibility for their online actions.
In conclusion, our workplace culture forms the foundation for our cybersecurity processes, procedures and controls. From the insider threat to using social media to surfing the cloud, employee actions online will inform and transform the workplace – one way or the other. Our goal should be to both enable responsible cybercitizens and challenge ourselves and our government teams to go the extra mile.
Let’s make cyberethics our ally and not our enemy. Become a cyber ambassador for good.
Building effective virtual government requires new ideas and hard work. Security professionals need to be enablers of innovation. From helpful Internet training to defending cloud computing architectures to securing mobile devices, Dan Lohrmann will cover what's hot and what's not in protecting your corner of cyberspace.