I recently moved to North Carolina to join the team here at Avast. Since I moved from out of state, I got to go through the traditional ritual... almost 9 hours in the DMV to get licensed to drive and vote. Granted, I may have picked a bad day to go, but at least I got a cool study guide about road signs... great reading for about three minutes.
As I skimmed the study guide, I thought to myself:
"I've been driving for 30 years and I already know what these signs mean."
Some of the signs on the pamphlet were pretty obvious by the way... what do you suppose the one that says "no parking, bus stop" means?
While the rest of the 8 hours and 57 minutes went by, I had ample time to reflect on just how long it took me to become a "good driver". I came up with a figure of about 2000 hours of driving, over 5-6 years. I felt like I was a pretty good driver at some point in my early 20s.
While the long wait for a simple license didn't make sense, the idea that people need to be tested to be fit to drive, and wrapping some process around that, provided some solace. I thought to myself...
Cars are difficult to operate, are dangerous when put in malicious or incapable hands, require training and experience to become proficient, and have potential to do a lot of damage, sometimes beyond the control of the operator.
Then I realized you could just replace the word "CARS" above with "COMPUTERS", and the sentence would still be true, especially when it comes to cybersecurity. Keeping safe from online threats requires diligence, training, and experience.
I've been working in the tech industry for my whole career. I know most of the personal security rules of the road, and have seen all kinds of real situations where I had to make choices about my online safety. Not everybody has that kind of background. I often ask myself:
- What happens when a non-technical employee joins my organization and gets handed their laptop? I bet we don't license them to use it.
- Can't a company-issued laptop be used as a dangerous weapon, and scarier, can that happen without the owner even knowing it?
- Is it even the IT person's job to make sure people know how to protect company data?
- If this responsibility does fall on the IT function, is there adequate cybersecurity training in place?
The sad perception is that IT Security should just work, and that if there's a breach, it's usually a failing of the IT function. While that may be partially true, bad habits cause a statistically significant number of breaches, and most of them could have been prevented when proper hindsight is applied.
Do you do any of these things, or watch people do them?
- Keep Post-it notes with account information stuck to the monitor
- Walk away from the cubicle, and forget to lock/sleep your computer
- Let someone unknown into the building because they "forgot their key card"
- Use your work password for personal accounts, or vice-versa
- Keep a password file somewhere on your work computer
- Email company information or assets to a personal email address
I bet you're guilty of one of those. All of them are risky. I myself have been guilty of one of these in the past year. Maybe you should get our "rules of the road" infographic for better personal cybersecurity, and share it around your office.
You don't have to give us any information, just grab it and pass it around:
Which leads me back to my long day at the DMV. While driving home hungry bordering on hangry, I got stuck behind a student driver. This poor kid was going 30 in a 45, scared to death, hitting the brakes just to go around gentle curves, and the whole nine.
My mind flashed back to the first time I drove my car down a city street, my hands gripping the steering wheel until my knuckles turned white, going 10 MPH under the speed limit, wishing I had the courage to go a little faster but scared to the bone to press my foot any further down on the gas.
Drive safely, folks. Until next time...