I am not proud to admit that I used to put security into place to satisfy an audit. It took me time to learn that security is the foundation of any system. What I thought was security hype was really the need to increase cyber security awareness. Let me start with a story…
Early Corporate Days
I worked at a global 100 firm after having worked for a much smaller and more nimble firm for years. I think I associated security with:
- Changing my password every 3 months.
- Having no password management tools (like 1Password).
- Not being allowed to check personal email.
- My removal from all internal systems each year, and having to have my manager approve access to each one individually.
- Slow VPN access for a job I traveled a lot for.
- Generally slow and outdated (and ugly 🤮) enterprise software.
Hindsight is 20/20
I realize that a single breach would have tarnished the reputation of this firm to the point of ending our business unit. This explains why they implemented every level of security possible. Perhaps if our security team had better communicated to us what they faced daily, we would have been far more open to working through all these extra layers.
I am not a psychologist but here goes…
Another reason for my hesitation was that, being a technical person, it would be harder to fool me with a phishing attack. This is of course unreasonable, as there are scores of employees outside the IT department who provide essential services to an organization.
Perhaps it's human nature to resist anything that is overwhelmingly promoted or pushed, EVEN if it makes total sense. Perhaps we feel it's an attack on our individuality, and we have this desire to remain independent and unique.
SO… When security breaches went from website defacements to a profitable enterprise, I had these same feelings about security come up, although we were always careful in our security implementations. For certain, these steps were used as sales and marketing points in our pitches.
When I Realized It Wasn’t “Security Hype”
So, that’s why I thought it was noise before… and as irrational as my resistance was, here’s the set of circumstances that snapped me out of my “security hype” belief:
- Me having to use the "something is not right" function in Facebook Messenger for friends.
- A story about a company called Code Spaces who had their entire AWS environment deleted.
- The Target hack via their HVAC system.
- Checking gas pumps when I fill up because of retailers falling prey to card skimmers installed at cash registers.
- The Equifax hack.
- The SolarWinds hack.
- A school system local to me fell victim to ransomware and had to shut down.
I am not the Sheriff but I speak zoning…
I serve as a volunteer for a commission in my home town. With this role, I have a city email address as well. I recently got a phishing email from someone who tried to convince me he was our Mayor and needed me to buy gift cards for some strange reason.
Cyber security friends tell me to expect a breach eventually, even with great security. This really nullifies my original belief that there is a lot of noise in the security space. The good news is that building cyber security awareness is a great first step, and I see it everywhere.
I was put into a month-long bootcamp at my first technology job. One of the most important aspects was online security. We learned that web server logs could reveal the last page you were on using the HTTP Referer header. Using that information, a poorly formed URL structure could give away critical data such as an intranet location with a client's name or a future acquisition list for the firm we worked for. We need to go back to bootcamps and periodic training if we are to protect our organizations.
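To make the bootcamp lesson concrete, here is an added example (not code from the original post) that models what a browser puts in the Referer header when a user clicks from an intranet page to an outside site, and what the outside site's administrator then sees in a combined-format access log. The intranet URL, the external hostname and the log line are all constructed for illustration; the policy logic follows the W3C Referrer Policy specification.

```python
"""Referrer leakage demo (added example, not from the original post).

Models the browser's Referrer-Policy decision for a link that leaves an
intranet page, and shows what a third-party web server would then record in
its access log. All URLs, hostnames and the log line are constructed.
"""
import re
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed example: an intranet page whose URL itself carries sensitive data
# (a client name and a deal codename), plus credentials and a fragment.
INTRANET_PAGE = ("https://alice:s3cret@intranet.example.com/clients/acme-corp/"
                 "acquisition-targets-2024.html?deal=project-falcon#notes")
EXTERNAL_SITE = "https://vendor.example.net/whitepaper.pdf"


def _host_port(parts):
    """Lowercased host plus port, omitting userinfo and default ports."""
    host = parts.hostname or ""
    if parts.port and parts.port != DEFAULT_PORTS.get(parts.scheme):
        host += f":{parts.port}"
    return host


def strip_for_referrer(url):
    """Credentials and fragment never leave the browser; path and query do."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, _host_port(p), p.path, p.query, ""))


def origin_of(url):
    """Origin-only referrer, serialized with a trailing slash as browsers do."""
    p = urlsplit(url)
    return f"{p.scheme}://{_host_port(p)}/"


def referrer_for(policy, source_url, dest_url):
    """Return the Referer value a browser sends, or None if it sends nothing.

    Implements the eight policies of the W3C Referrer Policy spec.
    """
    same_origin = origin_of(source_url) == origin_of(dest_url)
    downgrade = (urlsplit(source_url).scheme == "https"
                 and urlsplit(dest_url).scheme != "https")
    full, origin = strip_for_referrer(source_url), origin_of(source_url)

    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "origin":
        return origin
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "strict-origin-when-cross-origin":  # current browser default
        if same_origin:
            return full
        return None if downgrade else origin
    raise ValueError(f"unknown Referrer-Policy: {policy}")


# Apache/nginx "combined" log format; the quoted field after status and size
# is the Referer the client sent ("-" when none).
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')


def referers_in_log(lines):
    """Extract the non-empty Referer values from combined-format log lines."""
    out = []
    for line in lines:
        m = COMBINED_LOG.match(line)
        if m and m.group("referer") not in ("", "-"):
            out.append(m.group("referer"))
    return out


def external_log_line(policy, source_url, dest_url):
    """Constructed log entry as the external site would record the visit."""
    ref = referrer_for(policy, source_url, dest_url) or "-"
    path = urlsplit(dest_url).path
    return (f'203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "GET {path} HTTP/1.1" '
            f'200 5120 "{ref}" "Mozilla/5.0"')


if __name__ == "__main__":
    for policy in ("unsafe-url", "no-referrer-when-downgrade",
                   "strict-origin-when-cross-origin", "no-referrer"):
        line = external_log_line(policy, INTRANET_PAGE, EXTERNAL_SITE)
        print(f"{policy:32} -> {referers_in_log([line]) or ['(nothing)']}")
```

Under the two older policies the vendor's log shows the full intranet path, client name and deal codename; under the modern default only `https://intranet.example.com/` appears, and under `no-referrer` nothing does. Two takeaways for an intranet operator: send a `Referrer-Policy: no-referrer` (or at least `strict-origin-when-cross-origin`) response header so old browsers' defaults don't decide for you, and keep names and secrets out of URLs altogether, since the policy only limits one of the places a URL ends up (bookmarks, proxy logs and browser history are others).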
If you’d like to learn more about cyber security awareness and strategy, check out our managed security services page.