Last week I suggested a “solution” to the problem of bad things happening in the cyber world. We want to avoid bad things from happening when we go online or when we use our computers (or phones, tablets, etc.).
I have repeatedly said you can’t prevent bad things from happening. But that doesn’t mean we are defenseless. The “solution” that I talked about last week is a blueprint for what we CAN do. This isn’t a method we are taught when we learn security. So, you won’t find it in a textbook. But it is a way of looking at the problem that summarizes a lot of the learning and experience from a formal program and translates it into a way of applying it.
The first part of that “solution” is to “take appropriate measures to make it harder for those bad things to occur.”
If we were talking about protecting our house from break-ins while we are on vacation, we would do things like:
* Stop the mail and the newspaper (or have someone pick them up so they don’t accumulate)
* Have some exterior lighting at night and have interior lights on timers so it looks like someone is at home
* Lock the doors and windows
* Use deadbolts on the doors
* Trim any exterior bushes or foliage so potential thieves can’t use them to keep out of sight while they try to break in
The idea is that we want any potential burglars in the neighborhood to pass by our house and to believe that our house would be difficult to break into.
In cyber security, the kind of measures we can take are things like:
* Installing security software, such as antivirus/antimalware, firewalls, etc.
* Using good passwords on our computer and on our online accounts
* Not opening attachments or clicking on links without at least considering the risk
* Not sending any sensitive information by e-mail
* Setting good passwords and other security settings on home Wi-Fi and on any connected cameras or other devices
* Not using public Wi-Fi for sensitive information or transactions
* Using a different password for every different site you access (especially for those sites where sensitive information is involved)
* Keeping your system updated with the latest security updates for the software you use (Windows, Internet browser, Flash, Java, etc.)
* Taking measures to reduce the likelihood of your phone or laptop being stolen (keeping a close eye on it, keeping it with you at all times)
* Being careful of what information you share online
* Not responding to pop-up warnings
This is just a partial list; there are numerous other things that one can do to reduce the likelikhood of bad things happening.
A list like this might seem daunting, especially knowing that it is only a partial list. But one doesn’t necessarily have to do all the things on a comprehensive list. Part of mastering security is knowing what the appropriate things are that one should do in your situation. Another part is knowing when one has done enough.
Let me elaborate on that.
The things that YOU need to do to be as safe as possible will depend upon YOUR particular situation. Some of the things on the list are things that everyone should probably always follow. But others may only be appropriate for some people and not for others. An obvious example is: if you don’t have a phone or tablet that you use to access the Internet, you don’t have to worry about the things that apply to using those devices, like public Wi-Fi. A less obvious example relates to what you do on the Internet. If you never shop or bank online, if you never conduct any financial transactions or send any sensitive information, you don’t have to be concerned about the measures that someone who does engage in those activities should take.
What about knowing when you have done “enough”? No matter what you do, there is always going to be some remaining risk. At some point, it doesn’t make sense to keep putting more time, effort, and money into trying to increase the level of protection.
However, things change. Maybe you have done enough for today. But tomorrow, a new threat may arise that needs to be addressed. You may need to add some additional protection measure or behavior to your list in light of the new development. So, “enough” does not mean that you can forget about doing anything else. It only means that you have taken sufficient measures to provide the level of security that is appropriate for your situation, for today.
What this means is that, even if there are a lot of things you should do (or not do), there is still a limit to how much you need to do.
It also means that you must have a method of becoming aware of how that may change for you in the future. The need for that change could be because of new developments in the world, or because of a change in your own situation.
Since this blog was started, I have touched briefly on a lot of the things that you can do or avoid doing to make it less likely that bad things will happen. If you don’t know the bad things that can happen and what can be done to make them less likely, the chances of them happening to you are much greater. If you do know what measures you can take and you then go ahead and take them, you can reduce the likelihood of those bad things happening. I realize that you may need more guidance on how to actually do some of those things. I will be providing more detail in upcoming classes or through special offerings and, to a lesser degree, on this blog.
At the moment, I am trying to provide a broad overview as well as a way of thinking about security. It is easy to get lost in the forest because of focusing on the individual trees. It would be easy to spend a couple of years talking about individual measures one could take to address very particular problems but never really understand what we are trying to accomplish with all the effort. That happens a lot in security, even among those who are responsible for “doing” security. I believe it is essential to have a good view of the “big picture” so you don’t get so caught up in the details that you miss important things. In the analogy of protecting our house from break-ins, we could spend a lot of time upgrading our door docks, trimming the bushes, stopping the mail and papers, etc. Then, because we were overwhelmed with completing all the preparations, we leave town but forget the obvious measure of locking the window that we often leave open to provide fresh air. That is one of the first things a burglar is going to look for.
There will be times that I will go into details. But, in the interest of keeping blog posts to a reasonable length (which I am struggling with already), it is hard to really cover a particular subject in the depth that I feel is needed. As a result, some of the more detailed information will be made available through classes, webinars, workshops, products, or conference calls. I will be starting with some of that in the coming months. Meanwhile, I will alternate between the big picture perspective and more detailed, specific measures.
My series of the three posts about ransomware is an example of more detailed info. Although I would consider them to be just an introduction or overview of the topic, they did provide more specific detail than some of the “big picture” posts. Another example would be the post on what to do if your files “go missing.” That can be found in the “Resources” section of this blog. Although you would likely need help to actually recover the data, it gives you very specific steps to take and to avoid taking to maximize your chances of getting your files back. And it provides a series of steps you can take to help you decide what your best course of action is.
So, the first step is to do what you can to reduce the chances of something bad happening. That means learning what those things are. A lot of that is already available on this blog. You also know some of that already from your experience. Of course, with all that information, knowing what you need to focus on can be tricky. I plan to provide some solutions for that in the upcoming months.
Meanshile, in the next couple weeks, I will elaborate on the remaining steps of the “security solution” I mentioned last week.