October is Cybersecurity Awareness Month, and you are undoubtedly being bombarded with some fantastic advice on how to stay cyber safe.
All the advice means well, but simply put, it all becomes a bit same-y after a while. Hover over links, verify who sent you the email, don’t send $2k worth of gift cards to a recently departed relative you didn’t know existed.
While all of this and more is good advice, I’m a firm believer in teaching principles as opposed to lists of things to do and to not do. These are the principles I believe can help anyone become more security savvy, and perhaps a more successful individual overall.
How many times have you seen a movie or video game where you have to sneak past a security patrol, and managed it without breaking a sweat because the guards' movements are completely predictable?
Criminals need their targets to be predictable. Knowing how the victim will respond gives criminals the upper hand.
Imagine an army moving in a predictable manner. The opposing troops would know exactly where the enemy will be and at what time, giving them enough time to prepare a trap, have a cup of tea, win the battle, and be home in time to tuck the kids into bed.
The best defense is to be unpredictable. Reply to emails at odd hours. Sometimes answer your phone within 3 rings, and other times just let it go to voicemail to make a point.
I’m not suggesting you be unhinged; there’s a fine line between being unpredictable and unhinged. I’m not exactly sure where that line lies, but it’s there somewhere. Personally, I’d rather err on the side of unhinged than become a victim of a cyber criminal.
One of the biggest traits criminals seek to leverage is our natural tendency to be polite and helpful.
If we see someone struggling to open the door because they are holding several cups of coffee, we will hold the door for them. If someone looks like they belong in the office, we will leave them be, even if they aren’t wearing a badge.
It’s because of this that we hear of incidents where criminals dress up like an employee, walk into a store, smile at everyone, pick up the cash register and walk out without one eyebrow being raised.
The best defense in these situations is to just be rude. I’m not saying you go out of your way to yell at people, or use it as an opportunity to tackle your boss to the ground only to say that at a distance their pass looked fake.
But if someone walks up to the door with two coffee cups, just shrug and say you need to see ID before you can let them in. Who cares if they get annoyed. Someone looks out of place in the office - just ask if they’re lost.
When the CEO emails you at leaving time saying that they need you to urgently send 25k worth of gift cards to secure a deal, just reply with the meme of Dr Evil saying, “How about no.” Report it to security, smile and walk home knowing you are nobody’s PA. Even if you are the CEO’s PA, because you have boundaries.
Design Your Secure World
One reason we all fall into insecure habits is that security is often seen as a hurdle. As humans, we tend to be lazy, and if we see something that even remotely resembles a hurdle, we wave our white flag quicker than the French army.
Whenever I want to go for a run in the morning, I find it easier if I lay out my running kit at night before I go to bed. That way, when I wake up, I have fewer things to think about and can simply put on my gear and go for a run.
Similarly, think about what stops you or your colleagues from practicing good security, and design your world around removing it. You’ll be surprised how far a little bit of peer pressure will take you.
If everyone starts locking their machine when walking away from it, all of a sudden, the new person will also start doing it - regardless of whether they fully understand why. After a while, that becomes part of your company culture.
Become an Informant
The word snitch has bad connotations. If someone is referred to as a snitch, you immediately think less of them and mutter, “snitches get stitches”. But say that you’re an informant, and people will sympathize with you. After all, you’re probably putting yourself in harm’s way to ensure a criminal kingpin is locked away.
Thankfully, the corporate world isn’t quite as dramatic, and if you have a cybersecurity team, then absolutely report everything suspicious to them (or the appropriate team).
If you receive a strange email, forward it to them. An unexpected SMS, pass that on to them. Found a USB drive on your desk, give it to security. They are the ones whose job it is to determine whether something is truly bad or not. You probably have better things to do than to try to forensically examine a USB drive to see if it has malware, or to check whether your laptop is sending a beacon out to North Korea every 5 minutes.
What’s the worst that can happen? The security team will simply return your email or USB or whatever it is and say it wasn’t malicious, but will thank you for your continued vigilance… and who doesn’t like to be thanked?
The four principles that will make you more secure, and perhaps the best version of yourself, are: become unpredictable, be rude, design your world to enable security, and become a snitch.