Last week I had the honor to speak at a meeting of the Overseas Security Advisory Council (OSAC). I was also allowed to attend the entire day-and-a-half session. It was an eye opener.
For background purposes, OSAC is a nonprofit organization with members from the U.S. State Department and individuals from the private sector with significant responsibility in the security area. The objectives of OSAC are to share information in order to mitigate risks to American private sector interests worldwide.
The theme of this particular event was “Protecting Valuable Information Overseas.” Not surprisingly, cybersecurity was front and center in the various presentations. Given that I am reasonably well networked in the cybersecurity world, I thought I had a good understanding of the cyber threats we are facing. Not even close!!! The seriousness and ubiquity of those threats made me want to look for a time travel machine and go back to a world in which computers and networks did not exist.
The Fundamentals of Good Cyber Hygiene
For corporations, organizations, and the government there are a number of cyber hygiene frameworks available. In this article I am more interested in individual behavior. After all, every security breach has at its inception a mistake made by a human being. As such, we all have the responsibility to educate ourselves on the basics and follow them the same way we follow the practices of bodily hygiene.
To name a few of those practices in no particular order:
- Use strong passwords and change passwords regularly.
- Think three times and investigate the legitimacy of the request before you click on a link.
- If you travel to countries we consider adversaries (e.g. Russia, China) do not take laptops or phones with you that contain sensitive information.
- Back up your data regularly.
- Do not visit a website that does not use the Hypertext Transfer Protocol Secure (HTTPS).
- Do not connect to public WiFi unless you are using a Virtual Private Network (VPN).
- Have at least one anti-virus program on your machine.
- Upgrade your devices to the most recent operating system (Windows XP and Windows 98 are known to be highly vulnerable).
- Do not share sensitive information on a public-facing website (like social media) or with untrusted sources.
- Teach your children the basics before you hand them a network-enabled device.
- If a gorgeous redhead you don’t know wants to connect with you on LinkedIn or the Chinese government offers to pay you for “essays” on American culture, don’t assume it’s because you’re brilliant. Foreign agents may be trying to entrap you.
Why Isn’t Cyber Hygiene a Bigger Priority?
This sounds like a reasonable list that is not too hard to comply with. Yet comply we do not. One of the most notorious examples is the infamous hack of the DNC server, which was accomplished by the “hacker” guessing the password. It was “password.”
But I cannot claim exceptional virtue in this area either. I do quite a bit of traveling. Last year I visited four different European countries. The first thing I do after closing the door to my hotel room is to open my laptop and connect to the (unsafe) hotel WiFi network. Tomorrow I will install a VPN on my devices – it is quite affordable.
Having digested the cyber threat descriptions by half a dozen highly knowledgeable experts in the field, it occurred to me that as a nation we do very little to educate our citizens. There are few classes in schools and colleges that teach cyber hygiene. I believe that “Cyber 101” should be a required part of the core curriculum for all college students. After all, before we hand teenagers a driver’s license, we make sure they know how to drive a car. However, we hand six-year-olds a potential cyber weapon without blinking an eye. Something needs to change. Sadly enough, it probably will take a breach of hitherto unknown proportions to trigger appropriate measures in this realm.