Every year, in October, we celebrate National Cyber Security Awareness Month.
Normally, I'm dismissive of anything with the word "Cyber" in it. This is no exception – the adjective "cyber" is a manufactured word, without root, without meaning, and with only a tenuous association to the world it endeavours to describe.
But that's not the point.
And I do it from a very basic level.
This is not the place for me to assume you've all been reading and understanding security for years – this is where I appeal to readers with only a vague understanding that there's a "security" thing out there that needs addressing.
This first week is all about Information Security – Cyber Security, as the government and military put it – as our shared responsibility.
I'm a security professional, in a security team, and my first responsibility is to remind the thousands of other employees that I can't secure the company, our customers, our managers, and our continued joint success, without everyone pitching in just a little bit.
I'm also a customer, with private data of my own, and I have a responsibility to take reasonable measures to protect that data, and by extension, my identity and its association with me. But I also need others to take up their responsibility in protecting me.
This year, I've had my various identifying factors – name, address, phone number, Social Security Number (if you're not from the US, that's a government identity number that's rather inappropriately used as proof of identity in too many parts of life) – misappropriated by others, and used in an attempt to buy a car, and to file taxes in my name. So, I've filed reports of identity theft with a number of agencies and organisations.
Just today, another breach report arrives, from a company I do business with, letting me know that more data has been lost – this time from one of the organisations charged with actually protecting my identity and protecting my credit.
While companies can – and should – do much more to protect customers (and putative customers), and their data, it's also incumbent on the customers to protect themselves.
Every day, thousands of new credit and debit cards get issued to eager recipients, many of them teenagers and young adults.
Excited as they are, many of these youths share pictures of their new cards on Twitter or Facebook, occasionally showing both sides. There's really not much your bank can do if you're going to react in such a thoughtless way, with a casual disregard for the safety of your data.
Sure, you're only liable for the first $50 of any use of your credit card, and perhaps of your debit card, but it's actually much better not to have to track down unwanted charges and dispute them in the first place.
So, I'm going to buy into the first message of National Cyber Security Awareness Month – and I'm going to suggest you do the same:
This is really the basis of all security – before doing a thing, stop a moment. Think about whether it's a good thing to do, or whether it has negative consequences you hadn't considered. Connect with other people to find out what they think.
I'll finish tonight with some examples where stopping a moment to think, and connecting with others to pool knowledge, will improve your safety and security online. More tomorrow.
The most common password is "12345678", or "password". This means that many people are using a password that simple. Many more people are using more secure passwords, but they still make mistakes that could be prevented with a little thought.
Passwords leak – either from their owners, or from the systems that use those passwords to recognise the owners.
When they do, those passwords – and data associated with them – can then be used to log on to other sites those same owners have visited, either because their passwords are the same, or because they are easily predicted. If my password at Adobe is "This is my Adobe password", well, that's strong(ish), but it also gives a hint as to what my Amazon password is – and when you crack the Adobe password leak (that's already available), you might be able to log on to my Amazon account.
Creating unique passwords – and yes, writing them down (or better still, storing them in a password manager), and keeping them safe – allows you to ensure that leaks of your passwords don't spread to your other accounts.
There are exciting events which happen to us every day, and which we want to share with others.
That's great, and it's what Twitter and Facebook are there FOR. All kinds of social media are available for you to share information with your friends.
Unfortunately, it's also where a whole lot of bad people hang out – and some of those bad people are, unfortunately, your friends and family.
Be careful what you share, and if you're sharing about others, get their permission too.
If you're sharing about children, contemplate that there are predators out there looking for the information you may be giving out. There's one living just up the road, I can assure you. They're almost certainly safely withdrawn, and you're protected from them by natural barriers and instincts. But you have none of those instincts on Facebook unless you stop, think and connect.
So don't post addresses, locations, or your child's phone number, and really limit things like names of children, friends, pets, teachers, etc. – imagine that someone will use that as 'proof' to your child of their safety. "It's OK, I was sent by Aunt Josie, who's waiting for you to come and see Dobbie the cat."
Bob's going off on vacation for a month.
Just in case, while he's gone, he's left you his password, so that you can log on and access various files.
Two months later, and the office gets raided by the police. They've traced a child porn network to your company. To Bob.
Well, actually, to Bob and to you, because the system can't tell the difference between Bob and you.
Don't share accounts. Make Bob learn (with the IT department's help) how to share portions of his networked files appropriately. It's really not all that hard.
I develop software. The first thing I write is always a basic proof of concept.
The second thing I write – well, who's got time for a second thing?
Make notes in comments every time you skip a security decision, and make those notes in such a way that you can revisit them and address them – or at least, count them – prior to release, so that you know how deep in the mess you are.
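One way to make those skipped-decision notes countable before release, as an added example that is not from the original post: a small scanner for a comment tag. The tag name `SECDEBT(owner):` and the sample source it scans are assumptions made here, not a convention the post prescribes.

```python
"""Find and count tagged 'skipped security decision' comments.

Added example, not from the original post. Assumes a comment convention
of the form   # SECDEBT(owner): what was skipped   (tag name is our choice).
"""
import re
import sys
from collections import Counter
from pathlib import Path

# Matches a '#' or '//' line comment carrying the tag, e.g.
#   # SECDEBT(alice): input not validated, fix before release
TAG_RE = re.compile(r"(?:#|//)\s*SECDEBT\((?P<owner>[^)]+)\):\s*(?P<note>.+)")


def find_debt(text: str, filename: str = "<memory>") -> list:
    """Return one record per tagged comment found in `text`."""
    found = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = TAG_RE.search(line)
        if m:
            found.append({"file": filename, "line": lineno,
                          "owner": m.group("owner").strip(),
                          "note": m.group("note").strip()})
    return found


def scan_tree(root: Path, suffixes=(".py", ".c", ".js")) -> list:
    """Walk a directory and collect tagged comments from source files."""
    records = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            records.extend(find_debt(path.read_text(errors="replace"), str(path)))
    return records


def summarize(records) -> Counter:
    """Count open items per owner, so a release review sees who owes what."""
    return Counter(r["owner"] for r in records)


def release_gate(records, allowed: int = 0) -> bool:
    """Pass only when the number of open items is within the agreed allowance."""
    return len(records) <= allowed


# Constructed sample source (not real project code) for a stand-alone run.
SAMPLE = """\
def login(user, pw):
    # SECDEBT(alice): passwords compared in plaintext, hash before release
    return pw == DB[user]

def upload(path):
    # SECDEBT(bob): no path traversal check on 'path'
    open(path, "wb")
// SECDEBT(alice): CSRF token skipped on this form
"""

if __name__ == "__main__":
    recs = scan_tree(Path(sys.argv[1])) if len(sys.argv) > 1 else find_debt(SAMPLE, "sample.py")
    for r in recs:
        print(f"{r['file']}:{r['line']} [{r['owner']}] {r['note']}")
    print("per owner:", dict(summarize(recs)))
    sys.exit(0 if release_gate(recs) else 1)
```

Run it with a directory argument to scan a real tree; the non-zero exit status lets a build step refuse to ship while tagged decisions remain open.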