Care and Share to be Prepared – Part 1, Caring

I’ve tried and failed to convince more people than I can remember why they should care about Internet security.  Typical responses include eye rolls, yawns, looking at their watch, and taking “important” cell phone calls. Yes, I do notice.

As an IT and security professional, I’m used to being ridiculed, ignored, and marginalized.  It should have an acronym, say, RIM, because it happens all the time, and it should be a verb, as in, “I was RIMed again.”

One organization leader offered this helpful feedback: “Just tell me what I need to know in twenty-five words or less.”  A few bystanders chuckled; another tech-weenie failing in an adult conversation.

It’s frustrating when nobody listens. When people say they want everything they need to know packaged into twenty-five words or less, the real message is, they see no value in learning anything about the subject matter because it’s somebody else’s problem.

But, in fact, they’re playing Russian Roulette.

Don’t believe me? Isn’t all this just meaningless numbers and letters on a computer screen?  Isn’t cyber-security a job for big companies and the NSA? Ask former US Senator Norm Coleman about that.  Or the former Target CEO.  Or the former US Office of Personnel Management Director.  Or several top officers at Equifax.  Or a few identity theft victims.  Or millions of people now exposed to extortion, blackmail, and identity theft because of data breaches.  I don’t know about you, but I’m tired of watching CEO after CEO parade in front of the TV cameras to claim they take security seriously.  I have a hunch many of us want to ask the obvious question — if you take security so seriously, why don’t you do anything about it?

More than a year after publishing “Bullseye Breach,” a thought came to me. What if I could give busy people everything they need to know about security in twenty-five words or less?  If we give ’em what they want, maybe we won’t be RIMed so often.  Maybe they’ll pay attention.  And then the answer came.  Everything busy people need to know about cyber-security, packed into a six-word rhyme.

Care and share to be prepared.

Nineteen words to spare.  Care enough about Internet security to take action, and share what you learn liberally.  I’ll talk about sharing in part 2.  Here, in part 1, I’ll make the case for caring.

If you’re a busy CEO, stop brushing off your security specialists with stupid excuses like, “We sell hammers.”  No matter what your organization does, private sector, public sector, nonprofit, you name it, the information you keep is your most valuable asset.

Think about that.  How much cash do you have?  What’s the secret formula for your world-changing invention?  How much inventory do you have on-hand?  Think about any hard asset or attribute about your organization. What good is any of it if you don’t know about it?  Criminals see value in your information; that’s why they keep stealing it.  Hello?  That should tell you something.  Stop treating your information as an afterthought.

I remember a meeting with a CEO a while ago.  He told me he liked to download and install random software on his laptop and then hand it to his IT Department to fix when it broke. He said it made his IT staff sharp. I have a hunch his IT staff had a different opinion.

Arrogant, ignorant, and proud of it is a dangerous combination for a leader.  Learn to respect the people who stay up all night keeping your company running while you spend quality time with your family.  Unless you enjoy facing TV cameras and resigning in disgrace.

If you’re a busy tech professional, maybe a software developer or system administrator, keep security and layers of defense in mind. Always. I saw a discussion with a rookie developer who did not understand why it was important to protect a few important files against access by anyone logged in.  His argument was, only administrators should access this system, so why go to the extra trouble of denying read access to the world?  Wrong.  Should and is are seldom the same, and what happens if a non-administrator somehow gets inside that system? The community gave that developer a lesson on layered defense. I hope he took it to heart.
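
The layered-defense point above, as an added example that is not part of the original post: a shell sketch that lists the files any logged-in account can touch and then removes that access. The function names and the sample tree are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: find and remove "other" (world) permissions under a directory,
# so the files stay protected even if a non-administrator gets onto the box.

# Print regular files under $1 whose mode grants read, write or execute to "other".
list_world_accessible() {
    find "$1" -type f \( -perm -004 -o -perm -002 -o -perm -001 \) -print | sort
}

# Strip every "other" permission from files and directories under $1.
# Directories are included so unprivileged accounts cannot even traverse the tree.
harden_tree() {
    chmod -R o-rwx "$1"
}

# Build a constructed sample tree: one secret left world-readable (644)
# and one file that is already restricted to owner and group (640).
make_demo_tree() {
    local d
    d=$(mktemp -d)
    mkdir "$d/conf"
    printf 'db_password=constructed-sample\n' > "$d/conf/app.secret"
    printf 'maintenance banner\n' > "$d/conf/banner.txt"
    chmod 755 "$d/conf"
    chmod 644 "$d/conf/app.secret"
    chmod 640 "$d/conf/banner.txt"
    printf '%s\n' "$d"
}

# Demo run: audit, harden, audit again.
demo=$(make_demo_tree)
echo "World-accessible before hardening:"
list_world_accessible "$demo"
harden_tree "$demo"
echo "World-accessible after hardening:"
list_world_accessible "$demo"
rm -rf "$demo"
```
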

If you’re a busy Internet user, educate yourself on the basics.  Just like our great-grandparents recognized basic literacy was important in the horse and buggy days, we need to recognize that basic Internet literacy is even more important today.  The Internet is here to stay.  It’s past time for the public to learn about the dark side of free cell phone ringtones and social media and search engines.

I’ve cleaned more computer viruses than I can count.  Reactions are always the same; people are mystified by how that malicious software got inside their computer, they’re usually worried about the family taxes and 20,000 pictures they never backed up, they still think lonely teenagers launch Internet attacks from their bedrooms, and they’re amazed when I tell them about botnets.

When I was an independent consultant, one end user complained they were unable to access email. I asked what email program they used.  The answer:  “I click on ‘email,’”  followed by the usual eye-roll.  Another tech-weenie asking meaningless questions.

Ignorant and proud of it is dangerous for everyone, not just leaders.  It has to stop.

How you care for the confidentiality, integrity, and availability of your data, whether you’re an organization leader, a tech professional, or anyone else, speaks volumes about how much you care about overall quality.  It’s not just a tech thing – it’s how you approach life.  If caring about cyber-security is too techie for you, then care about quality.  Your identity and millions of your stakeholders’ identities could depend on it.