
Personal Security Habits – Looking Inward

October 04, 2019

I mentioned to a few industry colleagues that I’m taking some security awareness training and was met with a round of snickers and snark. In my peer group this is typical. However, reflecting on my 23+ years of IT and security experience, I know better than to believe anyone is so good at their job they don’t need an occasional security awareness best practices refresher. I’ve seen some serious cybersecurity breaches as a result of “simple slips” – from receptionists to managers to the C-Level.

Here are some examples:

  • Thieves broke into a manager’s home because he was posting pictures of his three-week family vacation (while he was on it) all over social media.
  • A Senior Vice President touched off a massive spyware infection while she was looking for travel deals and accidentally clicked a malicious advertisement. The “travel brochure” she downloaded was a Word document with macro malware.
  • Even IT and security professionals can fall victim to cyber threats and are often targeted by cybercriminals. I got an email a few weeks ago that was so sophisticated I had to call the spoofed company to validate that it was indeed a phishing email.

While phishing remains the most widely exploited threat vector for cybercriminals, the scenarios above illustrate that email security is only one layer of an organization’s security posture.

A friend in the IT industry recently told me he was having to fix more than 200 computers due to a massive ransomware attack on a company he was supporting. On site, he saw passwords taped to screens, found confidential documents left out on desks and passed several unlocked, unattended computers. The company paid a huge price for its lax attitude toward cybersecurity.

Every individual’s awareness and behavior contribute to an organization’s security. While routine awareness training may seem remedial to many of us, the truth is you can’t just rely on common, established behaviors or common sense. Threat actors understand these behaviors and that’s what they’re counting on. Instead, we need to examine our roles and focus, even refocus, on training for our specific roles and security responsibilities. This renewed inward focus can help determine what aspects of security each of us is overlooking in our work and personal lives.

Some quick examples:

  • Developers: I found some code on Stack Overflow that solves a big problem. However – is that code secure? Are there obvious attack vectors I should have closed before using it? Did I even think about that?
  • System Admins: Am I reviewing my logs daily? Did I close those accounts when users left the organization?
  • C-Level Executives: Was that Facebook post really meant to be public or should it have been shared privately? Did I need to go that in-depth on our latest project when meeting with our vendors?
  • All Users: Should I take every email at face value or should I look at it with a more critical eye before I react?

It’s important to remember there are lots of tricks in the attacker’s toolbox, including social engineering, physical attacks on people and property and theft of intellectual property through data mining and data exfiltration. These “mistakes” can result from “loose code” and “bad decisions” and frequently mean significant financial losses (or worse).

After thinking about all this I headed back to my security training with a fresh perspective. What were my bad habits? What assumptions was I making and were they valid? And what example should I be setting for my coworkers?

The answer was startling, because I realized how lax I’d become through the years, which took me back to my initial reaction: Can anyone afford to think they’re so good they don’t need to consider their cybersecurity habits?

October is National Cybersecurity Awareness Month, and all of us at Optiv encourage you to think about your awareness levels and behaviors. No matter how great a job you’ve been doing, a little brush-up can only benefit you and your organization. We’ve put together a suite of resources to help promote better cybersecurity practices and you’re invited to download it free and share it around.



By: Sherman Moody
