Personal Security Habits – Looking Inward

Personal Security Habits – Looking Inward

I mentioned to a few industry colleagues that I’m taking some security awareness training and was met with a round of snickers and snark. In my peer group this is typical. However, reflecting on my 23+ years of IT and security experience, I know better than to believe anyone is so good at their job they don’t need an occasional security awareness best practices refresher. I’ve seen some serious cybersecurity breaches as a result of “simple slips” – from receptionists to managers to the C-Level.


Here are some examples:


  • Thieves broke into a manager’s home because he was posting pictures of his three-week family vacation (while he was on it) all over social media.
  • A Senior Vice President touched off a massive spyware infection while she was looking for travel deals and accidentally clicked a malicious advertisement. The “travel brochure” she downloaded was a Word document with macro malware.
  • Even IT and security professionals can fall victim to cyber threats and are often targeted by cybercriminals. I got an email a few weeks ago that was so sophisticated I had to call the spoofed company to validate that it was indeed a phishing email.


While phishing remains the most widely exploited threat vector for cybercriminals, the scenarios above illustrate that email security is only one layer of an organization’s security posture.


A friend in the IT industry recently told me he was having to fix more than 200 computers due to a massive ransomware attack on a company he was supporting. On site, he saw passwords taped to screens, found confidential documents left out on desks and passed several unlocked, unattended computers. The company paid a huge price for its lax attitude toward cybersecurity.


Every individual’s awareness and behavior contribute to an organization’s security. While routine awareness training may seem remedial to many of us, the truth is you can’t just rely on common, established behaviors or common sense. Threat actors understand these behaviors and that’s what they’re counting on. Instead, we need to examine our roles and look to focusing, even refocusing, on training for our specific roles and security responsibilities. This renewed inward focus can help determine what aspects of security each of us is overlooking in our work and personal lives.


Some quick examples:


  • Developers: I found some code on stackoverflow that solves a big problem. However – is that code secure? Are there obvious attack vectors I should have closed before using it? Did I even think about that?
  • System Admins: Am I reviewing my logs daily? Did I close those accounts when users left the organization?
  • C-Level Executives: Was that Facebook post really meant to be public or should it have been shared privately? Did I need to go that in-depth on our latest project when meeting with our vendors?
  • All Users: Should I take every email at face value or should I look at it with a more critical eye before I react?


It’s important to remember there are lots of tricks in the attacker’s toolbox, including social engineering, physical attacks on people and property and theft of intellectual property through data mining and data exfiltration. These “mistakes” can result from “loose code” and “bad decisions” and frequently mean significant financial losses (or worse).


After thinking about all this I headed back to my security training with a fresh perspective. What were my bad habits? What assumptions was I making and were they valid? And what example should I be setting for my coworkers?


The answer was startling, because I realized how lax I’d become through the years, which took me back to my initial reaction: Can anyone afford to think they’re so good they don’t need to consider their cybersecurity habits?


October is National Cybersecurity Awareness Month, and all of us at Optiv encourage you to think about your awareness levels and behaviors. No matter how great a job you’ve been doing, a little brush-up can only benefit you and your organization. We’ve put together a suite of resources to help promote better cybersecurity practices and you’re invited to download it free and share it around.

Sherman Moody is a Security Awareness Training Specialist at Optiv. He serves as a technical instructional designer for Optiv’s security awareness training courses and assists the team in creating role-based training courses for IT administrators, developers and security professionals. Sherman holds a master’s degree in Information Technology and Computer Science and has more than 20 years of IT/Security experience. He previously held roles as a security and technical application instructor and IT analyst.