Preventative measures are a good idea but it’s important not to let yourself be lured into a false sense of security. After all, you wouldn’t stop washing your hands if you got a flu shot. Basically, what I’m saying here is don’t be Dave.
The problems with risk reduction in cybersecurity is that it can end up coming across as a series of “don’t do x” or “always do y” directives. And the problem with such directives is that they have to take a complex and often nuanced topic and oversimplify it such that it undermines whatever well meaning or good intentions there might have been in the first place.
Wash your hands. That’s generally a good idea, and it never really hurts to do. But a lot of cybersecurity topics tend to be more complex.
Consider heart disease. It’s a complex topic but a lot of the public messaging was absurdly simple and ended up being wrong: Cut out fat and eat more carbs. Eggs are bad for you. Not only did this end up being bad advice, it also meant that, in the interest of keeping the message simple, we never got to hear about how we should eat less sugar or that while exercise is good, you should do it in moderation.
Phishing scams are getting better and better at resembling real emails. Malware is getting better and better at pretending to be real apps. There’s a never ending stream of scary-sounding security vulnerabilities, any one of which – we are told – just might break the Internet but often don’t and end up just being a distraction for most people. And that doesn’t even include the problems that are caused by oversimplified advice given out by cybersecurity experts of yore that hasn’t quite held up.
So the old “here’s some tips to stay safe” model really isn’t all that effective anymore. Instead, the focus is on the more effective but also more challenging task of trying to raise the level of digital literacy as a whole so that we can give more meaningful advice.
There are some good resources out there that can cover a lot of the basics. The Justice Department runs a program called OnGuardOnline and the Department of Homeland Security runs the Stop.Think.Connect. campaign. There’s a somewhat sparse guide on USA.gov about avoiding fraud online as well. This Lifehacker page focus on avoiding identity theft and fraud but the concluding lesson – “be skeptical, be informed, and be careful” – is will help for all types of cybersecurity threats.
Days Gone Bye
I made the point last year that it is better to focus on the “security” of cybersecurity, rather than let yourself get distracted by the cyber-ness of it all. While I still think that’s a good starting point, it’s becoming clear that with the advanced nature of some threats, some amount of familiarity with the underlying technology is a vital part of staying safe. It’s not enough to have the content (the security), but you need to have the right context (the cyber) to apply it correctly.
And another thing…
Information security professionals refer to the sort of thing we’ve been talking about as “operational security”. NSA leaker Edward Snowden is well regarded as being an operational security guru. Consider his situation: he wanted to get in touch with journalists but he had never met them before and for all he knew, anyone he was talking to could be a federal agent undercover aiming to throw him in a cell for life. Compared to that, trying to figure out if an attachment is safe to download isn’t that big of a deal, is it?
Security guru Bruce Schneier has used the term “hinky”. Here are some examples about what he means by that.