You're never too old - or too young - for a little security education

The bad guys are winning, and a crisis of trust faces this industry. I have no hard and fast data to back me up, it's just a gut feeling that I no longer feel "secure" on the Internet, no matter how many upgrades to my firewall and antivirus software I am packing. I would not access my bank account online if my credit rating depended on it because, frankly, I reckon it does. Spy software, key-logging programs could be sitting on my PC right now, and neither I, nor Windows and McAfee would know.

I count myself lucky because I know the dangers. I also get to see the data on the numbers of mugs on a home PC who have been duped by phishing scams, fallen foul of viruses or even had their PCs hijacked. The occasional conversation with Graham Ingram, the head of AusCERT, or Alistair MacGibbon, chief of the Australian High-Tech Crime Commission (AHTCC), are sufficient to scare the hell out of me, too. [MacGibbon recently traded in his badge at the AHTCC for an executive security position at eBay. - ED]

Others are not so fortunate. The commitment of society and industry to educate PC users on the bear-traps and raids of malicious code across the Internet is pathetic. We spend too much talking to ourselves - this column being a classic example of that - or engaging with bureaucracy such as federal government without pausing to gauge the degree of education in the wider community.

CIOs have a role to play. Too few organizations have even a security policy and education of the workforce is sporadic at best.

Some of the largest Australian organizations, especially banks, are taking the problem seriously and have appointed a chief security officer (CSO). An executive-level commitment to staff education on IT and data security does more than contribute corporate wellbeing. Such initiatives can also highlight the issues for an unprotected PC at home, which contributes significantly to the proliferation of viruses and spam.

Currently, industry, government and media make a lot of noise about the importance of security but rarely pause to check if anyone is listening. The growth of viruses and malicious attacks, as cited by AusCERT, suggests we're getting little cut-through.

This point struck home with me recently when I asked my 10-year-old son (the recipient of a far-too-expensive private education) what he did in the two hours a week dedicated to "computer class". "Nothing much," he mumbled, typical of a boy of his age. "We just play around with PowerPoint, go on Google and find out facts, or check out cool videos and Korean fighting games."

Do you learn anything about security or viruses? "No." Sure? "Yeah."

According to Peter Coroneos, the passionate chief of the Internet Industry Association (IIA), no state education authority insists on security education being part of a curriculum. We are happy to show students how to do dot-points on Bill's slideshow software, but we don't talk about identity theft, hacking or viruses.

"Large businesses are well served," Coroneos says, "but if you go down the food chain then the quality and quantity of education gets thinner. There is no simple, non-technical place to go to get this information."

The IIA has its own security portal, built on the back of a $200,000 federal government grant and promotional packages from vendors and ISPs valued at $1 million. Even so, Coroneos laments it is not a destination that a home PC user, or a child, would seek out.