I just noticed the results of a report commissioned by the Institution of Engineering and Technology (IET) called "Using Open Source Intelligence to Improve ICS & SCADA Security." The report suggests that information that engineers place on social media, in blogs, and in papers is sufficient to mount cyberattacks. In this case, the attacks involved utilities. However, it shouldn't matter what industry is front and center -- only that this may be a side door in.
The basis for the IET's concern was a survey of 250 small and midsized enterprises. Half were aware of the government's Cyber Security Strategy, and just 14% said cyberthreats were "the highest priority."
I have a question: How have you been trained/warned/advised regarding the use of social media, written papers, articles, blogs, etc. and how they relate to security? This report concentrated on the UK, but life isn't that much different on this side of the pond.
Did you receive any university-level training regarding the role of the individual in security breaches? Was this a part of the new-hire training at your company? What did you learn, and where did you learn it, as to how much information is too much? Maybe this is covered in nondisclosure agreements you sign upon corporate entry as part of an HR exercise?
If you have been trained at work, are there refresher courses from time to time that cover new technologies? I'm not really talking about those of you who have a laundry list of security clearances, but the rest of you who could do some harm without intending to.
In your opinion, are companies relying on the high level of engineering skills that you learn in school to keep the systems and devices that you design secure? And is there room for ongoing training as to the engineer's evolving role in security?
I have lots of questions, it seems -- hopefully, you have opinions, and you'll share.