
Digital Hygiene: How to beat users with the security best practice stick and not alienate them

Fact 1 of Cyber Security Club: Users are the weakest security link.

Fact 2 of Cyber Security Club: Users are always the weakest security link.

Fact 3 of Cyber Security Club: Who the frell needs users anyway?

(Feel free to enlarge the above and use it as a poster for your office. You know you want to.)

As CyberSec professionals (or even those in training), we know tips and tricks to keep our digital identities clean and reasonably secure. We know the importance of good password practices (passphrases are very good; randomised character strings of 8 characters or more are the least you can do), of clearing caches and cookies (if you have to accept cookies in the first place), and of not clicking on anything that screams “click me” in loud, epileptic-fit-inducing, flashing colours. These things are so basic to us that we forget they are somehow not common knowledge. 20+ years of the internet being commonplace, and people still think that 50 toolbars are a good idea, especially when you’ve got not 1, not 2, but 3 anti-virus programs running. I’ll pause here while the collective smack of foreheads against desks takes place, and you all run to get some paracetamol for the resulting headache.

Better?

We all know at least one such person in our personal lives, and n + 1 such people on a professional basis. They frustrate not just our patience, but our functions on a daily basis. So what can we do? I’ll rephrase that question, as Simon Travaglia’s creative solutions are barely (if ever) legal. How do we go about educating these users, without suffering the repercussions of complaints, confusion, and long-winded speeches beginning “But it used to be so much easier when”? Put the cattle-prod down, take a deep breath, open a new email, and find the c-suite addresses.

This is where you have to begin your education programme; the c-suite. Sway them, and your words are backed up. This is important, because we all know that one person in the ranks who knows someone high-up to complain to, and when it happens, that useful and necessary policy/procedure rollout you spent 6 months on is scrapped and your effectiveness is vaporised. Get to the top tier first, get their backing, and half your work is done.

The other half of this battle is actually educating your users. Yes, that means actually interacting with them, possibly even - *gasp* - in person. This might end up being more difficult than finding an ally upstairs, as users tend to be resistant especially when faced with changes that make their job “so much harder”. My favoured tactic would be to explain to them, in no uncertain terms, that should there be a breach or data leak, and the investigation pointed to them being responsible by clicking on something or having a weak password, I would make it my mission in life to make that as well-known as possible as it would be their fault, and security is everyone’s responsibility. Unfortunately, I have been repeatedly informed that this is bullying. My response of “But it’s true” apparently doesn’t count for anything.

Users already know the consequences of weak security; they see it in the media all the time. What they really need is a demonstration of just how they fit into security, instead of thinking that’s the IT department’s job. Just having the User Access Policy and password requirements isn’t enough, because we all know that dictionary words and children’s names still end up as passwords. What I propose instead is that, every few months, an hour or two be set aside for a demo. Ideally this should include a live hacking demonstration using a weak password and a convincing phishing link. Show them how they can be the weak link in the security chain. Then educate them.

But what do they really need to know?

First off, talk about passwords. Passphrases with lots of special-character and numeric substitutions are more secure, and more memorable, than November12!, for example. Using a different password for everything is crucial (showing them this site is a great way of reinforcing this idea).
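To make the password point concrete for the demo, here is an added example (my own illustration, not code from the original post) of the kind of check that catches exactly the November12! pattern: it strips the digit-and-punctuation tail people bolt on, undoes the common character substitutions, and rejects anything that reduces to a dictionary word or a name, while waving through a genuine passphrase or a randomised string of 8+ characters. The deny lists, the 4-word/16-character passphrase threshold and the "at least 4 letters" rule are constructed assumptions for the illustration.

```python
import re

# Constructed sample lists standing in for a real breached-password list and a
# dictionary/name list (assumption: a production check loads far larger sources).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "november", "summer", "monday"}
COMMON_NAMES = {"emma", "jack", "oliver", "sophie", "charlie"}

# Undo the handful of substitutions users reach for first ("p@ssw0rd" -> "password").
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "$": "s", "5": "s", "0": "o", "7": "t"})

MIN_RANDOM_LENGTH = 8       # the post's floor for a randomised string
MIN_PASSPHRASE_WORDS = 4    # assumed threshold for what counts as a passphrase
MIN_PASSPHRASE_LENGTH = 16  # assumed; a short "passphrase" is just a short password

_SEPARATORS = re.compile(r"[\s\-_.]+")


def core_word(pw: str) -> str:
    """Strip the digit/punctuation tails people bolt on, lower-case and undo
    substitutions, so 'November12!' and 'N0vember2019' both reduce to 'november'."""
    stripped = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", pw)
    return stripped.lower().translate(LEET)


def is_passphrase(pw: str) -> bool:
    """A passphrase here is several distinct words and a reasonable total length."""
    words = [w for w in _SEPARATORS.split(pw.strip()) if w]
    return (len({w.lower() for w in words}) >= MIN_PASSPHRASE_WORDS
            and len(pw) >= MIN_PASSPHRASE_LENGTH)


def check_password(pw: str) -> tuple[bool, str]:
    """Return (accepted, reason). A passphrase is accepted on distinct word count
    and length; anything else must be long enough, must contain real letter
    content, and must not reduce to a word or name on the deny lists."""
    if is_passphrase(pw):
        return True, "ok: passphrase"
    if len(pw) < MIN_RANDOM_LENGTH:
        return False, f"too short (minimum {MIN_RANDOM_LENGTH})"
    core = core_word(pw)
    if core in COMMON_WORDS or core in COMMON_NAMES:
        return False, f"reduces to a dictionary word or name: {core}"
    if len(core) < 4:
        return False, "too little non-numeric content"
    return True, "ok: random string"


if __name__ == "__main__":
    for candidate in ["November12!", "N0vember2019", "Emma2015",
                      "correct horse battery staple", "xK9$mQ2p"]:
        print(f"{candidate!r}: {check_password(candidate)}")
```

Running it in front of users is the point: they watch "N0vember2019" collapse to "november" and get rejected, while a four-word passphrase sails through, which says more than a slide about substitutions ever will.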

Next, a talk about emails and phishing is needed. Users should be taught how to identify genuine and fraudulent email addresses and be told how to report them. Yes, you might have email filtering rules tighter than a duck’s behind, but things slip through. Give them a cheat-sheet to keep at their desk listing the domains you own and those of the companies you deal with the most. This will help keep them alert and keep their minds more security-focused.
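The desk cheat-sheet is a list of trusted domains; the same list works as a machine check, which makes a good demo of what "look carefully at the sender" actually means. The following is an added example (mine, not from the original post) that classifies a From: header as trusted, look-alike or unknown against a constructed cheat-sheet. It deliberately ignores the display name, because that is attacker-chosen text, and it flags two common tricks: a trusted name planted as a leading label of some other domain, and a domain within a couple of edits of a trusted one. The trusted domains (`example.com`, `example-partner.org`) and the edit-distance threshold of 2 are assumptions for the illustration.

```python
from email.utils import parseaddr

# Constructed cheat-sheet: domains we own plus our most frequent partners.
# (Assumption: a real list comes from the org's DNS inventory and vendor register.)
TRUSTED_DOMAINS = {"example.com", "example-partner.org"}

# Edit distance at or below this marks a domain as a look-alike (assumed threshold).
LOOKALIKE_DISTANCE = 2


def levenshtein(a: str, b: str) -> int:
    """Plain dynamic-programming edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header_value: str) -> str:
    """Extract the domain from a From: header value such as 'IT Desk <it@example.com>'.
    The display name is ignored on purpose: it is attacker-controlled text."""
    _, addr = parseaddr(header_value)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def classify_sender(header_value: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a From: header value."""
    domain = sender_domain(header_value)
    if not domain:
        return "unknown"
    for trusted in TRUSTED_DOMAINS:
        # Exact match, or a genuine subdomain of a trusted domain (mail.example.com).
        if domain == trusted or domain.endswith("." + trusted):
            return "trusted"
    for trusted in TRUSTED_DOMAINS:
        # Trusted name planted as a leading label: example.com.login-verify.test
        if domain.startswith(trusted + ".") or ("." + trusted + ".") in domain:
            return "lookalike"
        # A few character edits away from a trusted name: examp1e.com, exarnple.com
        if levenshtein(domain, trusted) <= LOOKALIKE_DISTANCE:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample From: header values for the demo.
    samples = [
        "IT Desk <it@example.com>",
        "alice@mail.example.com",
        "billing@examp1e.com",
        "it@example.com.login-verify.test",
        '"support@example.com" <phish@evil.test>',
        "someone@unrelated.test",
    ]
    for header in samples:
        print(f"{classify_sender(header):9s}  {header}")
```

The fifth sample is the one worth dwelling on in the room: the display name reads like a trusted address, but the real address is elsewhere, and the check never looks at the display name. That is the habit you want users to copy.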

Give them a run-down of browser cleaning, too: how to clear their cache, history, cookies etc. Give them some information they can use in their home lives as well as in the office; if they can apply it elsewhere, they are more likely to apply it at work.

Another thing to talk to them about would be why some of your controls seem stringent, especially when compared to other places they’ve worked or what they used to be like. Let them ask questions and answer the best you can. Working with users takes a little more patience but is better than battling them. If you can help them understand the why, they will happily comply.

This was a wordy blog this week, so here’s the TL;DR version: users are only stupid because they don’t know any better: teach them. Also: get the top bosses to help.
