by Ross Moore, IT Security Analyst
Cyber hygiene. Cyber security. Cyber resilience. Cyber-attacks. Cyber warfare. The list of cyber worries keeps growing—and now people have cyber fatigue. By cyber fatigue, I mean people are, simply, sick and tired of hearing about cyber-anything. With so many hacks and bugs and phishing schemes in the news, how do we combat cyber fatigue?
Replace fear with reality
One way is to stop scaring people. So much of what’s written about cyber security centers around two ideas: we’re all getting hacked all the time, and there is no hope. Stories with these themes are detrimental to the cause of helping people secure their digital lives – it’s gloom-and-doom, offering little by way of protection or remediation. Yet the average person doesn’t know what to look for in a reliable source; the “news” is all they have, and the result is typically fear (run away) or giving up (act like it’s hopeless).
The actual focus of information technology (IT) security professionals is not well-represented in mainstream news. There are, however, plenty of articles and books that take a well-reasoned approach, combining both warnings and how to combat threats. It is a good idea for business leaders and the public at large to focus on those.
Focus on education
A second way to combat fatigue is proper cyber education. Every era has its own educational standards, dating back to The New England Primer of the colonial era. Today, the medium (e.g., book, workshop, streaming) varies with the industry, whether finance, health and wellness or building materials.
Each company needs to provide its employees with a primer for basic cyber security (or, more specifically, information security, or infosec) education. One might think that we need a single Information Security Primer, but there are actually many out there. With the decentralization of information wellsprings, there is a myriad of reputable sources. A couple of problems with picking a primer are: 1. choosing a reliable one, and 2. sticking with it even when apparently better ones come along.
It’s vital to understand that information security is part of everyone’s daily life. If you have a bank account, you need to know cyber security. If you provide or participate in online training, you need it. Even if you receive paper bank statements, you need to shred them – that’s part of information security.
Security is something that each of us already practices every day. We lock our doors and windows. We make sure bystanders don’t overhear our private phone conversations. We install smoke detectors and mount fire extinguishers. Companies need to help their employees and families see how infosec is as essential to their everyday existence as the key to their front door.
At Black Hat this year, Alex Stamos, CSO of Facebook, said “We punish imperfect solutions in an imperfect world.” He was speaking of IT security solutions, but the same applies to you, your employees, and your customers in learning to stay safe in the office and at home. We need to learn, but we also need to accept the learning curve. While there are several straightforward solutions to securing our digital lives (both personally and professionally), we let the immediate and imperfect solution take a backseat as we instead look for a glamorous, highly-prized, “perfect” (i.e., costly) solution. In the meantime, data is at risk.
According to Beazley’s July Breach insights report, about 74 percent of breaches in the Financial Services industry were due to a failure to adopt recognized best practices. Criminals typically take the easy route. Many of the attacks and breaches haven’t been because of brilliant expertise, but effective strategies, such as social engineering and simple password guessing (not even password cracking or breaking). They’re not planning a full assault on a large company; they’re seeking a targeted attack. For example, one of the reasons Sony got hacked in 2014 was because the former CEO’s domain password was “sonyml3” – a security failure on the part of many.
While an organization is looking for a perfect cybersecurity solution, hackers can attack a simple vulnerability. We need to start educating people in “imperfect” ways, using teachable moments like the Sony hack as opportunities to highlight particular aspects of data safety and security. The more we show people that infosec is ubiquitous, learnable, and necessary, the better off we all are, so that our companies, employees, and their families are safe.
So as not to be guilty of what I accuse others of doing – pointing out a fault, yet not providing any solutions – here are just a few resources (both paid and free):
- OUCH! – Freely redistributable monthly newsletter for non-techies
- com – A free service that will notify you if your personal and/or work emails used to sign up for certain services (e.g., LinkedIn) were involved in a breach. (After such a notification, you should change your password for that account.)
- Hacked Again! – Book about security concepts for the business professional
- Your own company security blog – e.g., PLM/ILM’s blog
- Twitter – Following security and IT Twitter feeds provides a great source of up-to-the-minute threat intel for the security professional.
- it – Resource for techies—free (but requires sign-up)
- https://cybercanon.paloaltonetworks.com/ – Reading for the security professional
- com – Comics and a free iPad app to help kids learn how to stay safe online.
- Cyber Shaolin – http://www.cybershaolin.org/lessons/ – Free online education for training young people in security principles