[BreachExchange] 4 Signs You, Your Users, Tech Peers & C-Suite All Have 'Security Fatigue'

Audrey McNeil audrey at riskbasedsecurity.com
Thu Feb 9 19:58:14 EST 2017


http://www.darkreading.com/endpoint/4-signs-you-your-users-tech-peers-and-c-suite-all-have-security-fatigue/a/d-id/1328103

There’s been a lot of talk about security fatigue lately, in the press and
in my office. It’s a term that people get right away, and it feels like one
of the classic social phenomena of our era, like multitasking or that
phantom buzz in your pocket.

If security fatigue is the disease we’ve all got (even security pros!), the
question is how do we get over it? To help answer that question, let’s take
a look at four signs that identify the symptoms, along with recommendations
that will put you and your users on the road to recovery.

Sign 1: You Reuse Passwords
Symptom: You want that 10% off coupon for creating an account on a new
website—so you use your email address and that one password you use for all
those "minor" accounts you’ve created.

What’s the Worst That Could Happen? At the least, hacking that single
password might give criminals access to your personal card data. That’s a
pain, but most credit card purchases are protected. But if the same hacker
starts trying that password on other accounts, and those accounts include
more personal information or are used for work credentials, you could
quickly move from identity theft to a data breach. Ouch!

Cure: The best cure is a password manager, which is the easiest way to
create unique, lengthy, and difficult-to-crack passwords for every login.
Sadly, most people aren’t ready to take this strong medicine. So they fall
back on a variety of other schemes to introduce some level of complexity to
their password. There are a million of these schemes, and if you combine
them with multi-factor authentication you just may be okay. But you can’t be
sure. So use a password manager!

Sign 2: You Forget to Connect to VPN
Symptom: You’re doing some work from home, and you just jump right in and
go—completely ignoring the step of setting up a VPN connection. You’re just
catching up on e-mail after all.

What’s the Worst That Could Happen? If your home WiFi is
password-protected, and you’re just sending email, the risk is pretty low.
But let’s say you connect to an insecure website and it tries to download
malware—you’re exposed. And you’re not always on password-protected
networks or just doing email, right? The truth is, if you’re connecting to
the Web or sending sensitive documents, you’re exposed without VPN.

Cure: It’s not establishing a VPN connection that’s hard. The hard part is
remembering. It’s a matter of making it a habit, like snapping on your seat
belt. I’ve put a reminder on my startup screen that I see every time I log
in, and it really helps. We all have the capacity to trigger electronic
reminders these days, so set one up for VPN usage today.

Sign 3: You Click on an Email Link — Even Though You’re not Sure
Symptom: It’s been a long day, but you’re determined to churn through a few
emails before you bail out. Hmm, you think, you wouldn’t mind winning a new
Amazon Alexa offered in one email, so you click the "enter automatically"
link …

What’s the Worst That Could Happen? There’s a brief pause as you go to the
innocuous-looking site. That pause, unfortunately, indicates the site is
downloading a nasty piece of ransomware that will infect your network and
bring work to a grinding halt. Cybercriminals have so many different ways
to hook you, but they all begin by you visiting a site or downloading a
file (or plugging in a USB drive), because you didn’t take that extra
second to make sure you were taking the safest action.

Cure: Phishing sucks! It’s the most common form of cybercriminal attack on
employees, and it can be VERY difficult if not impossible to detect. But
you can resist phishing with a few simple tricks. First, turn your baloney
detector on high and quickly delete anything that sounds too good to be
true or comes out of left field. Second, recognize that you should never
act on emails when you’re in a hurry (unless it’s to delete them). Third,
if you get a lot of commercial email (I sure do), use rules to move it all
to a folder, and then take a little time a few times each week to go
through and identify the stuff you want to act on—deleting everything else.
Remember, you’re in control of your actions when it comes to your email, so
make it a personal challenge to never get caught.

Sign 4: You Don’t Report Something that Seems Off
Symptom: Stopping in the kitchen for a cup of coffee, you notice a folder
on the counter, with a sticky that says "Vendor Contracts, First Quarter."
The person who left it will probably be right back, you reason, so you fill
your cup and get off to that meeting.

What’s the Worst That Could Happen? Remember that stranger you let in the
door earlier? She could find a gold mine in that folder. Or the disgruntled
employee who came in as you headed out. Perhaps he could use what’s in that
folder to embarrass the company. The truth is, unreported suspicions can
blossom into leaks of proprietary information or malware infections all too
easily.

Cure: Reporting suspicious incidents or observations is inconvenient! But
so is stopping at red lights, washing your hands before you eat, and a
whole lot of other things that we go ahead and do because we care about our
fellow man and want to make the world a decent place to live. So report
suspicious behavior.

Do you note the similarities in all the cures to security fatigue? They all
come back to the need to adopt a new mental model about security and to
develop new habits that support that mental model. If you care about
protecting yourself and your company from cybercrime, developing those new
habits will not be hard. First care, then act. It’s that easy.