In my last post I talked about how organizations can get employees to follow security advice. Today’s riff is on “making it personal.” Make security self-serving. In other words, answer the question, “What’s in it for me?” Corporate security is inextricably linked to personal privacy—here’s why.
We say we believe it is important to maintain privacy and confidentiality in our lives, yet we continue to broadcast seemingly every detail publicly: where and when we are going on vacation, raves about our night out, the latest video of our dog/cat/hamster, links to yet more cute videos and self-help sites.
Our public selves
Every time we “share,” or “like,” or “tag,” we open another public window into our true selves. We click with abandon in our personal lives, easily spending hours on Facebook, Instagram, Twitter, and YouTube, clicking on ever more remote links from where we began. As time passes, we don’t stop to think before we click, succumbing to a pattern where the finger acts faster than the brain. If you want to read a fictional—but not far from reality—account of such social media use taken to the extreme, check out The Circle, by Dave Eggers. It’s a little too familiar to be comfortable.
Yet while two-thirds of us are not confident that records of our activity maintained by social media sites, search engine providers, and online video sites remain private and secure (with 500 million good reasons for doubting), over ninety percent of us have not made any changes to our Internet or cellphone use to avoid having our activities tracked. We’ve become complacent and resigned to giving up our privacy.
Not surprisingly, countless studies have confirmed that the greatest security risk in any organization is people, not technology. Indeed, in the most recent data breach report from Verizon, a review of the percentage of breaches per asset category shows that the “person asset” line continues to trend up year over year as the human asset continues to fall victim to phishing attacks, while server, media, and network assets continue to trend downward as security technology improves.
Why? Because we bring our personal selves and Internet habits into our organizations, and security suffers. Either directly or indirectly, we allow our personal choices for password use, privacy controls, surfing behavior, and “click before you think” to bleed into our digital work lives. Whether clicking on a spear-phishing link, or re-using a personal password at work, we put our organizations at risk, and ultimately ourselves.
It’s not enough to be aware; you need to be alert
The answer to “What’s in it for me?” is better personal privacy and security, as well as improved organizational security. To paraphrase an old aphorism, “rising attentiveness floats all boats.”
As individuals take affirmative steps to improve and monitor their personal security online, the trickle-down effect heightens their attention to organizational security and minimizes the fodder available for spear-phishing, credential compromise, or other targeted intrusion attempts.
Things we can do for ourselves, and ultimately for our organizations:
- Never, ever, use the same passwords for work and personal use
- Use complex user names, not simply your real name or e-mail address
- Clear cookies or browsing history
- Refuse to provide information that isn’t relevant to a transaction
- Decide not to use a website if it requests personal information
- Think before you click—on links, on websites, on ads, on “friend” requests
- If you do office work on your home computer, sanctioned or not, be sure you have the most up-to-date browsers and anti-virus software
- Don’t use free public-access Wi-Fi, which makes you particularly vulnerable to password theft
There is already a wealth of publicly available information on the Internet, and it’s a short leap from what may be an innocuous admission to an open invitation for mischief. Don’t make it easy. Don’t add to the data pile. Your organization will thank you.