In the new year, security is going to move from the organization itself to protecting the individuals who make up the organization. Or, more to the point, to educating individuals as consumers about operational security with an eye toward family, finances, and self. Without this focus, breaches will continue and become worse before they become better. While governments try to ensure privacy while protecting the country from outside attack, it behooves the individual to protect their family, finances, and self. Without this security, privacy does not truly exist. In World War II, one catchphrase was “loose lips sink ships.” It is as apropos today as it was back then.
Today this means not talking about things that are private; it means not using services that broadcast your location, family status, or even health information. All of this can be taken by a thief to attack your family, finances, or self either directly or indirectly through your very public work and personal accounts.
So, it behooves the enterprise to help educate employees not just about organizational security, but also about personal and family security. I will go so far as to suggest that this is what security educators should concentrate on, as the employee will be more engaged and more apt to follow the proper practices. Why? Because few people care about protecting the organization; most only care about themselves, their family, and their money.
Once everyone starts to think with a backdrop in operational security, their situational awareness goes up, and they start to protect not just themselves and their family but also their organization. This is what I call a win-win for any organization. Employees are safer, and the bleed-through makes the organization safer. This should be the goal of every security organization for 2016.
Many breaches happen because either there are security holes in systems, or people are involved. If people are involved, such as with an advanced persistent threat, it takes just one person’s being unaware of the situation and doing the wrong thing to swing the door wide open. Spear phishing works by crafting emails and documents that the individual is likely to read. To do that, attackers need to know something about the individual and perhaps what projects the individual is working on. Loose lips in a pub, at a sporting event, or even in a restaurant could lead to the loss of the ship—the intellectual property one is trying to protect.
However, since people like sharing themselves online via Twitter and other social media groups, it has become far easier to spear phish, and therefore easier to attack people rather than systems. To combat this tendency, we need to be aware of what we say, write, and even do within our family life. The degree of protection needed for family, children, and finances is the same as that needed within the workforce. For example, recently an IT bloke was using a cycling app that released information on the location of the gentleman’s bikes, which were then promptly stolen. The moral here is to always check your tools’ privacy settings before you install them.
We invite you to watch the Virtualization and Cloud Security video podcast on our YouTube channel. Join me, Edward Haletky, Mike Foley, and Simon Crosby as we discuss how to protect your family and finances. Geared toward the holiday season, the podcast is also valid all year round.
Give us a listen and let us know what else we should do to protect ourselves. The list so far is in my first article, but it is also reproduced here for completeness:
- If you are in a coffee shop, do not do banking or purchase something online using its Wi-Fi. (A corollary is not to bank or log in to anything from a conference center, as 3G, 4G, and LTE use repeaters that connect to the conference center Wi-Fi.)
- Do not share your big purchase (or even small-purchase items) using social media such as Twitter. This just tells thieves what you have.
- Verify your privacy settings within Facebook and other social media tools often. (As a matter of fact, Facebook just updated privacy this past month.) Review them monthly.
- Do not save your credit or debit card information in a store’s online system (such as within Amazon).
- Use a different password for each account. 1Password can actually help here. As it collects information, it will tell you how good the password is and determine which systems use the same password.
- Do not place those big or small boxes at the curb. Decompose them for disposal or recycling by placing them within the bins. Those small Apple Store boxes and bags could be just what a thief likes to see.
- Do not check in via social media from an airport, on a plane, on a train, or from another state. This tells thieves you are not home. Another good trick is to disable location services within social media programs like Twitter so no one knows your location.
- Do not talk about visits with your aunt, uncle, or other family members via social media. This could tell others that your family member’s home or yours is currently unoccupied.
- Do work out with your neighbors a plan to pick up each other’s packages. Packages out at the door are just signposts saying “please steal me” or “I am not home, so please break in.”
- This is a good time to make arrangements with your UPS and FedEx drivers and postal carriers. Get to know them, as they will help as well. If you have a lockbox for packages, it would be a good thing to let them know how to use it.
- Be aware of your virtual surroundings by not visiting risky locations. It is like walking down a dark alley.
- Do research on applications before installing them. Determine what they share before you install or use them.
- Do not click on everything within email. It is far better to go directly to the site via your browser than to click on a link within your email. I hover over all links to determine where they go before doing anything else, but still go directly to most important sites instead of clicking on anything.
- See if your family’s data is within a breach using a service such as haveibeenpwned. Include your children in such searches, as the recent VTech breach focused on children.
- Invest in credit monitoring. If you have been caught up in a breach, this is often provided for free for a certain amount of time. It is suggested that you continue to monitor your and your family’s credit for issues such as identity theft.