This year’s Cyber Awareness Month has once again seen some great articles, tips and practical advice that we can share with our colleagues, friends, family and children. Actively encouraging a positive, security-aware culture is a vital part of what we do as security professionals, and we should always be seen to be setting the right example; shouldn’t we? I twist the statement into a question here because I have sometimes been both perplexed and disappointed to discover that certain people who appear to quite fluently ‘speak security’, and rather convincingly talk the talk of good practice, don’t always seem to be walking quite the same walk. This suggests that for some at least, security is perhaps less of a mind-set and more a sensible choice of shirt and tie they feel they should be wearing when the occasion (or customer/manager/auditor) requires it. Human nature can be a strangely selective and compartmentalised thing at times. No doubt we have all come across examples of this ‘security hypocrisy conundrum’ or, put more bluntly, of sending blatantly mixed messages to the wider world through behavioural inconsistency. Whether it be the hurried and unverified web-meeting invites that look, to all intents and purposes, rather similar to the phishing messages that we (and often the sender themselves) are busy warning people not to touch, or those who are not applying quite the same diligence to patching their growing armoury of personal devices as they would expect to be applied within their corporate environments, instances can be found lurking in all sorts of shadowy corners, ranging from the smallest peccadilloes to the most jaw-dropping “really?!? … shouldn’t she/he know better?” type howlers. The real point here, however, is absolutely not one of negative finger pointing; rather it is one of promoting genuine, day-to-day good practice, wherever and whatever the occasion may be.
Being actively switched on and vigilant about security 24/7 is not always going to be the easiest, quickest or most popular option, particularly when life already has enough challenges of its own. But as our business and personal lives continue to blur, our digital footprint grows and new ‘wonders,’ such as IoT, inevitably move in (whether we have invited them to or not), it becomes more important than ever not to leave the security hat behind at work of an evening. It may be a crude analogy, but effective security really is an awful lot like driving in this respect. You can do both of them very diligently and/or get lucky every day of your life. But that one time when you aren’t paying quite enough attention, and your luck has rather inconsiderately deserted you, is also the one occasion that you are likely to wish you could take back and do differently. To err is human, and even cyber security folk are, after all, human too; but as the professionals in this field, there is a rightful expectation that we should be making every effort to at least swallow our own medicine. Attention to detail matters, even for the smaller items – whether that be changing the default credentials on that new home router or putting a sensibly short screen lock timeout on your tablet before travelling. Whilst at times this may be to the amusement (or irritation, depending on the circumstance) of our friends, family and colleagues, it doesn’t necessarily mean coming across as the pious, dour paranoiac either. We need to practically demonstrate, as well as profess, that good security is there to protect and preserve the things we like, rather than inadvertently end up perpetuating the myth that it’s some awkward and mysterious barrier to them. As the experts, it is actually our duty not just to be actively applying what we know at each and every opportunity but also to be sharing it wherever we can.
We certainly shouldn’t ever assume that those for whom security is not necessarily a speciality simply ‘won’t understand.’ People with a general interest in their tech can actually be rather chuffed when you show them some hidden tip for securing what is of value to them. They will often then enjoy showing off this new-found savvy to their own peers, who in turn share it, and so on. Talking to people, whoever they are, as grown-ups definitely helps, even and especially the young minds coming of age with an intuitive expectation of and approach to digital that no one outside their own generation will really grasp. Even those with no interest whatsoever in how their tech works, but just as much of a dependency on what it does in their everyday lives, will often appreciate some friendly advice. After all, intuitive end-user security is getting better all the time. Whether it’s consumer-grade biometrics in the form of thumbprint device unlocks, 2FA via one of the easy-to-use online authenticators, or free password managers, with the right nudging there are many ways we can help defeat the ‘Password1234 used everywhere’ syndrome. Most modern operating systems, anti-virus products and (the well-written) applications have also, generally speaking, become so much better and more seamless at updating themselves. This means that there is no longer quite the same motivation for consumers to actively attempt to neuter such fundamental functionality on their devices. They may just need someone to check that the right buttons and sliders are still all as they should be from time to time – particularly after their kids may have got hold of them! Much has already been written this month in the way of good advice, and if you have not done so, please take time to read these succinct and helpful Cyber Awareness 2015 related State of Security blogs by Bob Covello and David Bisson and, of course, all year round there is always Gov.uk's own Cyber Streetwise.
Many people who read this blog will have responsibility for securing large, possibly global environments with intricate, mission-critical systems and will be treating significant risks with wide-reaching impacts. They will therefore know only too well that the bigger picture behind the scenes is indeed far more complex. But that doesn’t mean any of us should sniff at or demean the ‘small stuff’ either, particularly within our own personal spaces. If done right, and often enough, all of these quick wins can play their part in creating a safer, wider cyber ecosystem for everyone. If frequently ignored, then we should perhaps equally consider the notion of ‘death from a thousand cuts.’ What we cannot in any way be seen to be doing is arrogantly operating with double standards, perceived or otherwise. Cyber Awareness Month provides a fantastic opportunity everywhere to do a bit more than usual in the way of comms and get those key messages out there to the widest possible audiences. However, it’s often the choices and actions we take in our day-to-day lives which end up making the deepest and most lasting impressions on those around us. So let’s just please be sure to positively and consistently practice what we preach to our staff/customers/users/readers/conference attendees, every month.
About the Author: Angus Macrae is a CISSP (Certified Information Systems Security Professional) in good standing, a CCP (NCSC Certified Professional for the IT Security Officer role at Senior Practitioner level) and a PCIP (PCI SSC Payment Card Industry Professional). He is currently the IT security lead for King’s Service Centre supporting the services of King's College London, one of the world’s top 20 universities.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.