Thanks to Brian Honan for pointing this set of security awareness videos on Twitter. It's from the European National Information Security Agency.

http://enisa.europa.eu/pages/ar_videos.htm

Would anyone find it useful if I could embed some of them into a page on this sight?

First of all a confession - I use Linux.

That's relevant because as a Linux user I know that an unattended computer is wide open. Never mind any Windows lock-down keystrokes, all that does is stop people from running Windows.

I can restart almost any unattended computer from a bootable CD or USB, get access to the drive and it's contents, insert a file (with virus) if I was that way inclined - which I'm not. I have Linux OS on USB sticks that boot in well under a minute.

Linux isn't a hacking tool, it just happens to be one of the many operating systems that can be run live off a CD. It's also readily available to anyone.

People need to think beyond Windows. A computer can't be secured by the operating system.

If you want files to be on the computer - and safe - encrypt them. Otherwise keep them off the hard drive.

Also bear in mend - encryption is a delaying tactic. If someone copies an encrypted file it can be opened given enough time and effort. Nothing is absolute.

These videos give good advice - but the effct is limited.

Good points, David. Nothing is absolute, for sure.

A determined attacker is going to find a way around most safeguards. I find that it can be very difficult and confusing for the average employee to be told that no safeguard is 100% reliable, but you should use them anyway. It's a mixed message that many find hard to comprehend... so they ignore it.

In general, I think it's safer to educate staff on the things they can do to reduce risk. Locking a Windows workstation won't stop a resourceful attacker, but it will stop opportunists, and the less educated attacker. I think this applies in a lot of areas.

We need to let people know what they can do to reduce risk, while at the same time letting them know that their IT department is (or should be) trying to put effective automated safeguards in place.

So, while I agree with you 100%, we need to be careful not to scare people into "securalysis". (OK, I just made up the word. I might not be the first.)

What approaches have you used that you find effective in helping people understand this paradox?

A security guy once pointed out to me that crooks are crooks because they prefer not to work. So security is creating sufficient "resistance" that crooks will go look for an easier way.

So while nothing is 100%, 50% beats nothing. You won't be the "easy" target so they'll likely go pick on someone else.

As to protecting a laptop or workstation - accept that you CANT stop someone getting on there if they are determined enough, so don't have files on there that would cause you distress if they were copied. I had a boss that referred to this as the "Globe and Mail" test ... how would you feel if this appeared in the paper.

Put "sensitive" material on removable media, and keep it on your person. If you leave the computer (the one you're using to access the files) - take the media with you. Obviously there's always a chance you could lose it so it should be backed up somewhere safe, and if it's THAT sensitive it should be encrypted.

There's no point in being paranoid about this stuff, but once you accept that there are risks it's not hard to find less risky alternatives to storing and transporting files.