Be willing to accept inconvenience
UPDATE_ME
It's effortless to criticise the cybersecurity industry. Too easy by far. On any given day, it's a clusterfuck of grand proportions. For example:
Can we take a moment to appreciate the irony of a company called MediSecure being breached?
While ranting is a little cathartic and raises awareness, it doesn't solve any immediate issues. And let's face it, nobody likes hearing about problems.
So to be more positive, I'm going to share some solutions you won't like instead.
I want to focus on advice for tech teams and execs, but there is one thing that everyone can do to improve cybersecurity, across every aspect of the tech industry. It's even free.
So I'll start with:
Be willing to accept inconvenience
Technology teams can't implement any meaningful level of security, without inconveniencing you. Anyone who says otherwise is either stupid or selling you something. The tighter we lock down systems, the harder it is for you to use it.
This applies to everything from logging in at work, websites, socials, and even IT accessing systems like servers.
There are two security considerations that always come before things like cost, time, compliance etc:
- How secure can we make this before you won't use it?
- Obviously, there is little point in making something so secure you can't or are unwilling to use it. You might as well turn it off.
- If you won't use it, sales can't sell it. Businesses will always put security secondary to profits.
- The tighter we secure something, the harder you will fight to get around the security.
- Nobody wants their life to be any harder than it has to be. If you are forced to use a system that is a pain in the ass, you'll find a way around it. You will become our biggest security threat.
How much inconvenience you are willing to tolerate directly impacts how secure your technology is.
The inconvenience threshold is very low
Even on a good day, the greatest security threat to any given system is its tech team and its users. Nobody has their Facebook or other social account “Hacked”. You'll see lots of news articles about it like this one:
But they are complete bullshit.
Nobody is breaching Facebook's security and stealing data or credentials. They are attacking you because your security practices are shit. In an attempt to avoid inconvenience, you expose your personal data, your employers' systems and force businesses to set the bar real low.
- Less than 30% of people use MFA on their accounts when it's an option
- Less than 40% of people use a password manager
- Over 60% of people use the same password for multiple accounts
The security is solid, secure solutions exist, but you don't like it. It's inconvenient.
So here's how you help yourself, and allow the industry to help you.
- Use an online password manager. Any of the usual suspects will do.
- Set complex passwords.
- If a company provides MFA of any sort, use it. MFA is going to solve 99% of your “They used my password” issues.
- Stop trying to avoid being secure!
I do sympathise. Having secure systems is a pain in the ass. It makes my day-to-day activities far harder than I would like.
If it's any consolation, I do follow my own advice.
I've got over 300 sets of credentials in my password manager and MFA enabled on any that have the option. I couldn't tell you the passwords if my life depended on it.
- All passwords are long and complex (gibberish like this “*d1a@Ci$NZWPZd2aBnNg”)
- None of them are reused
Practice what you preach
One thing that really pisses me off is seeing tech people with terrible IT security. If you can't/won't secure your own shit, what chance do you think regular users/customers have of doing it?
Take the time to clean up all your accounts and secure your devices.
- Use a password manager to lock down your credentials
- Make sure your phone has a secure lock screen and a timeout
- Make sure your laptop has a timeout and lock screen
- Stop giving your day-to-day logins admin rights on everything!
This is bare minimum stuff that shouldn't even need to be mentioned. It's your job to lead by example.
Once you've locked all that down, go inconvenience your family and friends. Yes, I know, that's about as much fun as drinking bleach. It kills me every time. They probably won't even appreciate it and don't want to hear it. Try anyway.
If we can't get our accounts and those of our immediate circle secure, then we don't have much chance with the masses. Stop worrying about ISO 27001 and go lock down your mum's email account.