Top Things Even Security Experts Forget


National Cyber Security Awareness Month in October marks a good time for all organizations to think about how they can build and reinforce a workplace culture of security and privacy. This security culture has to be created, fed and reinforced through an investment in activities and engaging training materials throughout the year—not only during the annual security training meetings.

For cybersecurity professionals, this month is an opportunity not only to share best practices with our organizations, but also to take stock of the things even the most seasoned practitioner can forget. All of us, security professionals included, get caught up in our day-to-day activities and habits and neglect important aspects of personal and professional information security. We forget:

1. Where our data lives and what it reveals about us.

One key thing we often forget these days is where our data lives and what it reveals about us. For example, your personal calendar may show that you are visiting a lot of doctors; that pattern can say more about your health than your medical records do. You cannot protect data you have not inventoried, so it is important to know where all of it is, keeping in mind that ransomware and wiper malware encrypt or destroy data and can leave you locked out of systems you thought you controlled.

2. Password hygiene.

It is easy for even security professionals to fall into the trap of picking simple passwords and predictable patterns for accounts deemed to be "low value." However, it is just as easy to repeat those passwords in places where the information behind them is far more valuable than it appears on the surface. As computing power gets cheaper, you need stronger passwords to maintain the same margin of security, and most password requirements have not kept pace. Right now, if you are protecting something valuable you need at a minimum a 16-character, unique password, or better still a passphrase, which can be much longer and still memorable. Passwords should never be reused: one breach of a throwaway site hands an attacker a credential to try against every other service you use.
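As an added illustration (not part of the original post), the following Python shows why the length advice above matters and how a password manager detects reuse. It compares the entropy and expected offline-cracking time of an 8-character password, a 16-character password and a six-word passphrase, generates both kinds with the `secrets` module, and flags any password that appears on more than one site in a small inventory. The attacker guess rate, the 16-word sample wordlist and the credential inventory are all constructed assumptions for this example; real passphrases should be drawn from a large published list such as the EFF long wordlist.

```python
from __future__ import annotations

import math
import secrets
import string
from collections import defaultdict

# Assumed attacker budget for this example: 1e10 guesses per second, roughly a
# GPU rig against a fast unsalted hash. Adjust to your own threat model.
GUESSES_PER_SECOND = 1e10

# Constructed wordlist for illustration only (16 words, 4 bits per word).
# A real passphrase generator should use a large published list such as the
# EFF long wordlist (7,776 words, about 12.9 bits per word).
SAMPLE_WORDLIST = [
    "anchor", "basil", "cactus", "dune", "ember", "fjord", "glacier", "harbor",
    "iris", "juniper", "kelp", "lantern", "meadow", "nectar", "orchid", "pebble",
]

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols chosen uniformly at random from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def years_to_crack(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected years for an attacker guessing at `rate` per second to find a
    uniformly random secret with `bits` of entropy (on average half the
    keyspace is searched before the hit)."""
    seconds = (2 ** bits / 2) / rate
    return seconds / (365.25 * 24 * 3600)


def random_password(length: int, alphabet: str = PRINTABLE) -> str:
    """Uniformly random password using the cryptographic `secrets` generator."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: int, wordlist: list[str] = SAMPLE_WORDLIST, sep: str = "-") -> str:
    """Diceware-style passphrase: `words` uniformly random entries from `wordlist`."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def find_reused(credentials: dict[str, str]) -> dict[str, list[str]]:
    """Map each password that appears on more than one site to the sorted list of
    those sites. This is the check a password manager runs to flag reuse."""
    by_password: dict[str, list[str]] = defaultdict(list)
    for site, password in credentials.items():
        by_password[password].append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    cases = [
        ("8 printable chars", entropy_bits(94, 8)),
        ("16 printable chars", entropy_bits(94, 16)),
        ("6 words, 16-word list", entropy_bits(len(SAMPLE_WORDLIST), 6)),
        ("6 words, 7,776-word list", entropy_bits(7776, 6)),
    ]
    for label, bits in cases:
        print(f"{label:28s} {bits:6.1f} bits  ~{years_to_crack(bits):.3g} years")

    print("password:  ", random_password(16))
    print("passphrase:", random_passphrase(6))

    # Constructed inventory: the "low value" forum password is also the bank password.
    inventory = {
        "bank": "correct-horse-1",
        "email": "Tr0ub4dor&3",
        "forum": "correct-horse-1",
        "shop": "pebble-kelp-iris-dune-ember-basil",
    }
    for pw, sites in find_reused(inventory).items():
        print(f"reused on {', '.join(sites)}: {pw!r}")
```

At the assumed rate the 8-character password falls in days while the 16-character one and the six-word passphrase from a 7,776-word list are out of reach, which is the gap the "16 characters minimum" guidance is closing; the reuse check shows why the forum password matters exactly as much as the bank's.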

3. Private conversations in public are not always private.

It's amazing what you can overhear in public. Many people behave as if a personal conversation held in public will automatically stay private, but that is not necessarily the case. Whether it's over dinner, on public transportation, or while waiting with colleagues in a hotel lobby, someone nearby may pick up a valuable piece of private information. Before starting a conversation that involves private details, take stock of the setting you are in and who is within earshot.

4. Stay calm.

When a crisis happens, the default response is often panic. Early on, it's important to take a step back and determine the process for resolving the situation. This may seem counterintuitive and like a waste of precious time, but walk through the process and see where it leads. Under pressure, people tend to solve a problem in the fastest way possible rather than the best way. Thinking the problem through ensures your solution actually addresses the situation instead of its symptoms.

5. Explain what’s going on.

Not everyone in an organization has the technical background of a security professional. Equally, security and technical experts rarely understand the business fully, including how specific business processes affect the organization. When tackling a problem, it's important to explain to key stakeholders what is actually going on, in terms they understand. As with the previous point, it is easy to start solving a problem before everyone is on the same page, and there may be information elsewhere in the organization that points to the optimal solution.

Since even security professionals can forget the advice of The Hitchhiker's Guide to the Galaxy—“Don’t Panic"—it’s important to use this time in October to think about the other things we may be forgetting about the security of our information.

Please use the comments to identify other things people forget about information security.


data security security awareness password management privacy professional development & workforce

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
