Pop Quiz: Don’t worry, this will be easy.
1) Have you changed your personal email password(s) in the past year?
2) Is your antivirus (A/V) software on your home PC up to date with the latest malware signatures?
3) Do you use a PIN or password to lock your mobile device(s) with an automatic timeout and remote wipe capabilities?
Now before we get to the meaning of your answers at the end of this blog, let’s examine if what end users do can really make a difference regarding cybersecurity.
Stated another way, even if you had all the “best practice” answers, does it really help defend your data?
Going further, can updating A/V software, better training, doing the right things on the web, not clicking on bad links or other actions really strengthen your personal cybersecurity?
Or, are the bad guys just too good? Is it all hopeless and a waste of time?
Easy security please
Our security team often gets asked the question, “Can you make cybersecurity easier?”
I must confess that, despite direction to staff members to not be a security “party pooper,” the question sometimes bothers me.
There are plenty of variations on this line of questioning, such as:
“I hate computer security. Can’t we just…?”
“What one thing can make me secure in cyberspace?”
“Why is updated antivirus or different passwords needed anyway?”
Or, after spending 20-25 minutes in a radio interview about my book, I’m asked:
“That was great, but can you boil this down to 1-2 quick tips to simplify how to make us safe online?”
Of course, they mean well. It’s good that non-nerds care enough to at least ask any question. I absolutely need to be more patient and understanding of their viewpoint, but… there are some pretty complex reasons why… Oh, never mind – that’s for another article.
Occasionally, a picture flashes across my mental movie screen. I imagine myself as a doctor with an overweight patient discussing their physical health. The patient says, “Why do I need to change my lifestyle? I hate exercise. I love fast-food. I can’t give up chocolate. Thanksgiving dessert was just too tempting. Isn’t there just some pill I can take once a month (or less) to lose weight?”
You get the picture. And isn’t online health similar? The reality is that our virtual worlds and physical world are merging way faster than most people realize.
No, I’m not opposed to PC shortcuts, smartphone tips or tablet tricks. The problem is that after several decades in this industry, we still see too many people every year (on the evening news, on panels at conferences, in end user seminars) trying to simplify very complex topics like identity theft, hacking, distributed denial-of-service attacks or advanced persistent threats into 2-3 simple steps we all can take in less than 5 minutes a month.
If you are tech-savvy, you probably get similar questions. You may even be the “designated driver” when it comes to all things tech at home, school, church or wherever.
Others may be thinking: The bad guys will just get in anyway, so why should I even try to stop them? To heck with any security measures. Yada, yada, yada.
But… that’s falling off the horse on the other side, in my view.
Leaders say 'yes' to good computer hygiene
So where’s the balance? What’s the right message regarding good computer hygiene for end users?
Mike Rogers, the chairman of the U.S. House Intelligence Committee, who is well informed on cybersecurity threats and known for his statements about how we are losing the cyber war to China, told a policy conference in Michigan that:
“About 80 percent of the cyber security problems can be solved with regular computer hygiene — strong password, firewall and virus protections that citizens need to exercise diligently….”
In Michigan, we encourage regular awareness training for end users as well as a host of other steps that can be taken by going to our cybersecurity website and clicking on the appropriate topics to become educated.
Here’s a video we produced on our cyber awareness training reinvention approach:
Back to the quiz…
OK, back to the relevance of your answers. If you said yes to #3, you are in the minority – joining only 35% of users (33% of women) who normally lock their smartphones or tablets, according to Microsoft.
How about #2? If you answered no to having updated AV running on your PC, you’re not alone. According to this security blog last year, about 24% of users are in the same boat. But the bad news is that you are also 5.5 times more likely to be infected with viruses.
And on #1, if you haven’t changed your password in the past year, you may want to consider changing it. But more important than changing passwords is the complexity of the password chosen. Here are some other tips for thinking about passwords.
Some readers will likely disagree. Websites such as Lifehacker make the case that changing passwords is a waste of time and can make security worse.
You can certainly argue that we should use other solutions – like two-factor authentication to be more secure (as in your ATM card with a PIN). But as long as all you have is a password as your primary way to get at your data, changing your passwords a few times a year can help. You can also read Bruce Schneier’s views on passwords here.
Other good online security tips, such as hardening your Facebook profile, enabling two-step authentication for email and following basic website security steps, can also be added to the list.
Bottom line, if you said yes to all three questions – congratulations! Using the 80-20 rule, you are in the 20%. Thank you for your vigilance. Please try to help others see the importance of online hygiene.
What’s my main point? Government technology leaders are left with a dilemma. Make cybersecurity too hard and we turn off the masses. Paint the problem as easier than buckling the seat belt in your car and there’s no change in online lifestyles.
Either way, we can have disillusioned customers if/when security fails – which will happen at some point. There are no guarantees in cyber. Still, just as in personal health or driving a car, our actions can make a difference.
For me, well-educated employees, friends and family are preferred. A simple cyber pill generally won’t do.
Yes, we all need an obligatory 30-second elevator speech on this topic. But try to end it with “read more.” Help others understand the vulnerabilities, threats and risks they face in cyberspace.
My lawyer friends tell me that no matter what general legal question is asked at parties, the typical answer is: “It depends.”
There are lots of reasons why lawyers answer questions that way, such as this piece that explains why everything is a unique circumstance.
Without doubt, we can strive to make cybersecurity easier to understand, offer some simple solutions and provide more quick tips.
But when it comes to computer security becoming easier….
Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.
During his distinguished career, he has served global organizations in the public and private sectors in a variety of executive leadership capacities, receiving numerous national awards including: CSO of the Year, Public Official of the Year and Computerworld Premier 100 IT Leader.
Lohrmann led Michigan government’s cybersecurity and technology infrastructure teams from May 2002 to August 2014, including enterprisewide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan.
He currently serves as the Chief Security Officer (CSO) and Chief Strategist for Security Mentor Inc. He is leading the development and implementation of Security Mentor’s industry-leading cyber training, consulting and workshops for end users, managers and executives in the public and private sectors. He has advised senior leaders at the White House, National Governors Association (NGA), National Association of State CIOs (NASCIO), U.S. Department of Homeland Security (DHS), federal, state and local government agencies, Fortune 500 companies, small businesses and nonprofit institutions.
He has more than 30 years of experience in the computer industry, beginning his career with the National Security Agency. He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a US/UK military facility.
Lohrmann is the author of two books: Virtual Integrity: Faithfully Navigating the Brave New Web and BYOD for You: The Guide to Bring Your Own Device to Work. He has been a keynote speaker at global security and technology conferences from South Africa to Dubai and from Washington, D.C., to Moscow.
He holds a master's degree in computer science (CS) from Johns Hopkins University in Baltimore, and a bachelor's degree in CS from Valparaiso University in Indiana.
Follow Lohrmann on Twitter at: @govcso