
Digital Hygiene: How to beat users with the security best practice stick and not alienate them

Fact 1 of Cyber Security Club: Users are the weakest security link.

Fact 2 of Cyber Security Club: Users are always the weakest security link.

Fact 3 of Cyber Security Club: Who the frell needs users anyway?

(Feel free to enlarge the above and use it as a poster for your office. You know you want to.)

As CyberSec professionals (or even those in training), we know tips and tricks to keep our digital identities clean and reasonably secure. We know the importance of good password practices (passphrases are very good; randomised character strings of 8 characters or more are the least you can do), of clearing caches and cookies (if you have to accept cookies in the first place), and of not clicking on anything that screams “click me” in loud, epileptic-fit-inducing, flashing colours. These things are so basic to us that we forget that, somehow, they are not common knowledge. 20+ years of the internet being common, and people still think that 50 toolbars are a good idea, especially when you’ve got not 1, not 2, but 3 anti-virus programs running. I’ll pause here while the collective smack of foreheads against desks takes place, and you all run to get some paracetamol for the resulting headache.

Better?

We all know at least one such person in our personal lives, and n + 1 such people on a professional basis. They frustrate not just our patience, but our functions on a daily basis. So what can we do? I’ll rephrase that question, as Simon Travaglia’s creative solutions are barely (if ever) legal. How do we go about educating these users, without suffering the repercussions of complaints, confusion, and long-winded speeches beginning “But it used to be so much easier when”? Put the cattle-prod down, take a deep breath, open a new email, and find the c-suite addresses.

This is where you have to begin your education programme; the c-suite. Sway them, and your words are backed up. This is important, because we all know that one person in the ranks who knows someone high-up to complain to, and when it happens, that useful and necessary policy/procedure rollout you spent 6 months on is scrapped and your effectiveness is vaporised. Get to the top tier first, get their backing, and half your work is done.

The other half of this battle is actually educating your users. Yes, that means actually interacting with them, possibly even - *gasp* - in person. This might end up being more difficult than finding an ally upstairs, as users tend to be resistant, especially when faced with changes that make their job “so much harder”. My favoured tactic would be to explain to them, in no uncertain terms, that should there be a breach or data leak, and the investigation pointed to them being responsible by clicking on something or having a weak password, I would make it my mission in life to make that as well-known as possible, as it would be their fault, and security is everyone’s responsibility. Unfortunately, I have been repeatedly informed that this is bullying. My response of “But it’s true” apparently doesn’t count for anything.

Users already know the consequences of weak security; they see it in the media all the time. What they really need is a demonstration of just how they fit into security, instead of thinking that’s the IT department’s job. Just having the User Access Policy and password requirements isn’t enough, because we all know that dictionary words and children’s names still end up as passwords. What I propose instead is that every few months an hour or two should be set aside for a demo. Ideally this should include a live hacking demonstration, using a weak password or a convincing phishing link. Show them how they can be the weak link in the security chain. Then educate them.

But what do they really need to know?

First off, talk about passwords. Passphrases with lots of special-character and numeric substitutions are more secure, and more memorable, than November12!, for example. Using different passwords for everything is crucial (showing them this site is a great way of reinforcing this idea).
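To make the point above concrete in the demo, here is an added example (not code from the original post) that shows why a tick-box complexity policy still lets November12! through, while a dictionary-aware check catches it and its leet-speak cousins. The wordlist and the passphrase length threshold are assumptions for illustration.

```python
import re
from typing import Optional

# Constructed mini wordlist (assumption: a real check loads a full dictionary,
# common first names and your own company/product terms).
DICTIONARY = {"november", "password", "welcome", "summer", "olivia", "jack"}

# Substitutions users reach for to dodge a naive dictionary rule.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                               "5": "s", "7": "t", "@": "a", "$": "s"})

def meets_complexity_policy(pw: str) -> bool:
    """The classic tick-box policy: 8+ chars with upper, lower, digit, symbol."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)

def dictionary_core(pw: str) -> Optional[str]:
    """Return the dictionary word the password is built around, if any.

    Leading/trailing digits and punctuation are stripped ("November12!" ->
    "november"), then in-word substitutions are undone ("N0v3mber" -> "november").
    """
    lowered = pw.lower()
    core = re.sub(r"^[^a-z@$]+|[^a-z@$]+$", "", lowered)
    core = core.translate(SUBSTITUTIONS)
    return core if core in DICTIONARY else None

def evaluate(pw: str) -> dict:
    """Both verdicts side by side, for showing users on screen."""
    core = dictionary_core(pw)
    return {
        "complexity_ok": meets_complexity_policy(pw),
        "dictionary_core": core,
        # Assumed passphrase bar: 16+ chars and not a dressed-up single word.
        "passphrase_ok": len(pw) >= 16 and core is None,
    }

if __name__ == "__main__":
    for candidate in ("November12!", "N0v3mber!", "P@ssw0rd", "Tea@4pm-beats-Coffee!"):
        print(candidate, evaluate(candidate))
```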

Next, a talk about emails and phishing is needed. Users should be taught how to identify genuine and fraudulent email addresses and be told how to report them. Yes, you might have email filtering rules tighter than a duck’s behind, but things slip through. Give them a cheat-sheet, to keep at their desk, of the domains you own and those of the companies you deal with the most. This will help keep them alert and keep their minds more security-focused.
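The cheat-sheet comparison users are asked to do by eye can also be shown to them as a check, which makes a good demo slide. This is an added example, not from the original post; the cheat-sheet domains and the sample addresses are constructed, and the homoglyph table is an illustrative assumption.

```python
import re

# Constructed cheat-sheet: domains the organisation owns plus its main suppliers.
CHEAT_SHEET = {"example.com", "example.co.uk", "payroll-supplier.com"}

# Common character swaps used in lookalike domains (assumed, illustrative list).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def sender_domain(address: str) -> str:
    """Host part of a From header; the display name is ignored on purpose."""
    m = re.search(r"<([^>]+)>", address)
    addr = m.group(1) if m else address
    return addr.rsplit("@", 1)[-1].strip().lower().rstrip(".")

def classify_sender(address: str) -> str:
    """'trusted' only for an exact cheat-sheet domain or one of its subdomains.

    'lookalike' when a trusted brand label merely appears inside the domain
    (example.com.evil.net, examp1e.com, exarnple.com); otherwise 'unknown'.
    """
    domain = sender_domain(address)
    if any(domain == t or domain.endswith("." + t) for t in CHEAT_SHEET):
        return "trusted"
    normalised = domain.translate(HOMOGLYPHS).replace("rn", "m")
    for trusted in CHEAT_SHEET:
        brand = trusted.split(".")[0]
        if brand in normalised:
            return "lookalike"
    return "unknown"

if __name__ == "__main__":
    # Constructed sample headers for the demo.
    for hdr in ("Payroll <hr@example.com>", "hr@mail.example.com",
                "hr@example.com.evil.net", "hr@examp1e.com", "news@unrelated.org"):
        print(f"{hdr:32} -> {classify_sender(hdr)}")
```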

Give them a run-down of browser cleaning, too: how to clear their cache, history, cookies etc. Give them some information they can use in their home lives as well as in the office; if they can apply it elsewhere, they are more likely to apply it at work.

Another thing to talk to them about would be why some of your controls seem stringent, especially when compared to other places they’ve worked or what they used to be like. Let them ask questions and answer the best you can. Working with users takes a little more patience but is better than battling them. If you can help them understand the why, they will happily comply.

This was a wordy blog this week, so here’s the TL;DR version: users are only stupid because they don’t know any better: teach them. Also: get the top bosses to help.
