Recently, DARK Reading ran a terrific article by Marc Laliberte with tips on getting users to buy in to security policies. While much of the article is true, very little is done on a regular basis in most organizations to change the mindset around information security. I, too, am guilty of saying “this is boring” or “it’s just something we have to do”. While those two statements may be factual, they don’t endear our audience to best practice.
Shifting culture is a matter of habit, and fortunately (or unfortunately) people are creatures of habit. In Charles Duhigg’s book “The Power of Habit”, he describes a man who has essentially lost his conscious mind to a degenerative brain condition but still functions relatively normally through triggered habitual responses. The man would go so far as to cook breakfast, get dressed, and shower without any recollection of the world around him. In his brief moments of clarity, he is unable to recall when he did these habitual actions, but knows that he is dressed, has eaten (because he is full), and is clean.
While I don’t necessarily condone the “autopilot” response of anyone or anything when it comes to many security functions, it is definitely possible to create good cyber-hygiene habits that carry over between home and the workplace. For instance, habitually checking the actual e-mail address a message came from, regardless of the display name the inbox shows, is a good habit and can mitigate many phishing attacks. Similarly, if an e-mail signature is “off” or out of date, it might signal a fake e-mail, and the recipient should contact the sender out of band (i.e., not via e-mail; a phone call, for example) to verify that the communication is legitimate.
Another way that habit goes a long way is to end your work session every day. This can stop some attacks and definitely helps the everyday user mitigate unauthorized access to specific terminals or workstations. There are many other habits that form good information-security hygiene, like going directly to the printer after printing a document, fully turning off wireless when not in use, logging out of web apps instead of just closing the browser window, etc. These habits can make you and your organization a harder target for the bad guys, and best of all, they don’t cost a dime to implement!
Be part of the solution. Be cyber savvy.