Cyber-security awareness; Ignorance isn’t bliss – and fucktardery is inexcusable
I’ve intentionally chosen the provocative title in the hope it helps to further raise awareness and provoke (sensible) discussion. It was prompted by yet another “outing” of user carelessness (or ignorance) on LinkedIn recently – something that folks in the Information/Cyber Security field are doing more and more.
What I mean by outing is where someone has posted a picture of a laptop left unattended and unlocked for more than enough time for the poster to have had a good poke around, stolen data, planted some malware – or just physically stolen it to do any or all of the above at leisure later on.
One of my team posted something similar a few weeks ago, and was then subjected to an online backlash for daring to post it – with many clearly not reading his post properly and jumping to other conclusions too! He had simply suggested that he “could have had free access to the computer for 5 minutes” and that “a call to the head of Infosec might be in order”, but too late – the blue touch paper was lit. Stand back…
Responses ranged from “why didn’t you confront him”, “have a quiet word” and “lock his machine”, through the more terse “why post on LinkedIn” and “mind your own business”, up to the likes of “snitch”, “bed wetter” and some even more abusive. All of this from so-called professionals. (I tried to have a meaningful offline conversation with the “bed wetter” accuser, who descended into abuse – staggering, given that they are allegedly a head of department at a major retail bank!) And my colleague had nothing personally to gain from this, as we aren’t in the user-training business – it was simply a case of pointing out “how stupid?” once again.
So, I’d like to deal with the main themes of the negative responses one at a time:
“Why didn’t you confront him / have a quiet word?”
Bad idea IMHO. No matter how politely you try to put this, there’s more than a slight chance that the perpetrator will be aggrieved by a stranger telling them what to do. Will it change their behaviour? Unlikely – they’ll probably be thinking “who are you to tell me?” and (like the folks who posted negatively) see this as an intrusion. Besides, is it the job of any of us to deliver ad hoc InfoSec training – and would it be effective? As an avid listener to Jenny Ratcliffe’s “The Human Factor” podcasts, the words “personal” and “relevant” spring to mind as the only way for training to be effective.
“Why post on LinkedIn – it’s not Facebook?”
For the first half of the question: to highlight the issue and the blatant recklessness of the action, and hopefully to help people realise the risk. This is a professional network (allegedly), so why not appeal to “professionals” to behave as such? For the second half, see “Name calling and profanities” below.
Name calling and profanities
Calling someone names on a professional site – and using abusive language? Really? My observation is that this behaviour IS actually for Facebook. Any moral high ground you felt you were on has collapsed once you descend into abusing people online.
“Just ignore it”
Sorry, but no. It is difficult enough to keep pace with the threats posed by “the bad guys” without making it easy for them. “The Human Factor” is key to most of the cyber threats we encounter, and speaking as someone passionate about this, I can’t just ignore it. And I’m not alone.
“Does it really matter?”
I’ll actually share a little more about the incident my colleague encountered – specifically, that the perpetrator of the unattended laptop he snapped and shared was an employee of a national funeral service: someone who clearly had information on deceased people and, worst of all, was ordering coffins on his phone when he returned to his laptop! Let’s just think about this for a moment: the details of one of your deceased family members are left unattended by someone… hello? Identity fraud? And the distress that goes with it.
The crux of this issue is that those of us in this space (i.e. Information/Cyber Security) recognise the importance, yet to those outside it is seen as something relatively innocuous. I mean, come on – it’s hardly putting anyone at risk, leaving a laptop unattended, is it?…
To those people outside of InfoSec who are wondering “why all of the fuss?” – here’s a question for you:
Would you walk around naked with nothing more than a sandwich board that displayed your personal information, perhaps information about your family, the company information you access regularly, your browsing history, etc?
Chances are the answer is no – so why excuse people who leave their laptop, papers or anything else in a public place, completely unattended and unprotected?
I completely get that there is an increasing amount of crap posted on LinkedIn that is certainly more for Facebook, etc. – however, IMHO this kind of exposure absolutely needs to continue, AND continue via this platform, until these behaviours change. Perhaps we should have a “cluelessness exposed” group on LinkedIn set aside for this, where CIOs and CISOs can go and check whether their organisation has been called out? (Clearly it would not be smart to publicly name the individual – but that could be shared privately.)
It’s bad enough that people are blissfully ignorant or careless – it’s worse when people are criticised for raising awareness. For that is surely the preserve of a fucktard (widely accepted definition here in case you need it!).