
Security Is Only Limited By The People Who Practice It

Information security is a vital part of both our personal and professional lives. Our data is under constant attack from bad actors, and while they only need to find one small hole in our defenses, we must continuously shore up those defenses and watch for any sign of a breach. This means our information security is only as effective as the vigilance and risk mitigation efforts we consistently provide.

Fortunately, there are tools at our disposal to help us provide the protection our data requires. However, even the most effective automation relies on human behavior at some point and, sadly, we humans aren’t perfect. Researchers at Stanford University have stated that 88% of all data breaches result from human error.1 We represent the weakest link in the security chain and, while people as a whole seem to be getting better at avoiding the mistakes that put our personal information at risk, the bad guys are getting better too.2 So are their tools and their ability to discover flaws in our defenses. This makes it critically important for each of us to understand the current vulnerability landscape and be familiar with the behaviors necessary to guard our sensitive data. 

How do we do this?
  • Be aware of your situation. Understand the data you possess and how you are handling it. Use encryption for highly sensitive data, and minimize the number of places you store it in. Keep your encryption keys separate from the data and treat them like you treat that data.
  • Never trust an email or message of any sort by default. Always validate the sending source before engaging and, in particular, sharing any data. Unlike the famous Russian proverb, do not “trust, but verify.” Verify before you trust.
  • We all recognize the need for strong passwords, and it seems commonplace nowadays (at least in professional settings) to assume the team is all following that advice. But what makes a password strong? There are copious articles on the Internet that discuss this. It turns out that password length is more valuable than password complexity.3 Both together are better than either alone, but lean into longer passphrases always. We don’t have to rely on password strength alone, though. Multi-factor authentication (MFA) provides additional protections that are quite difficult to overcome. Enable MFA wherever you have sensitive data and are able to do so. 
  • Keep your system software current and patched for known vulnerabilities. This seems so obvious and simple, yet it is often overlooked. Per CISA:

    “In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems.”

    Automate that patching where you can. We are all under constant surveillance, and it only takes a minute for the hackers to find an opening.
  • As in “be aware of your situation” from above, be aware of what you share, and where you share it. When an institution requires sensitive data to be shared between individuals or groups, it’s vital to be clear on who has a “need to know” and how much information is actually revealed in the sharing. Even photographs sometimes show details that weren’t intended. Be thoughtful about who might see the information, and double-check that recipients list before you hit send.
  • Finally, consistently report suspicious activities or mistakes to the security team. The sooner the team knows of a threat or a potential data leak, the better any potential harm can be caught and stopped. The bad guys never stop trying to get our data and we all have moments of faltering vigilance. Own them, and beat the hackers at their game.
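As an added illustration of the point above that length matters more than complexity, here is a small Python example written for this page (it is not the author's or Unicon's code). It estimates the brute-force search space of a password and applies a NIST-style check of the kind footnote 3 summarizes: a length floor, a screen against a list of known common passwords, and no composition rules. The 15-character minimum and the denylist contents are assumptions chosen for the example.

```python
import math

# Assumed policy values for illustration only (not from the article):
MIN_LENGTH = 15  # assumed minimum length for a passphrase
COMMON_PASSWORDS = {  # constructed sample denylist of common passwords
    "password", "123456", "qwerty", "letmein", "welcome1", "p@ssw0rd!",
}


def charset_size(pw: str) -> int:
    """Estimate the alphabet an attacker must cover to exhaust this password."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33  # printable ASCII symbols, space included
    return size


def brute_force_bits(pw: str) -> float:
    """Upper bound on search space in bits: log2(charset ** length).

    Each extra character multiplies the search space by the charset size,
    which is why length outweighs adding a few symbol classes.
    """
    if not pw:
        return 0.0
    return len(pw) * math.log2(charset_size(pw))


def check_password(pw: str) -> list[str]:
    """Return policy problems in NIST SP 800-63B style; empty means acceptable.

    Note what is absent: no 'must contain an uppercase/digit/symbol' rule.
    """
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common/compromised password list")
    if len(set(pw)) <= 2:
        problems.append("too repetitive (e.g. 'aaaaaaaaaaaaaaaa')")
    return problems


def compare(short_complex: str, long_simple: str) -> dict:
    """Side-by-side view of a short complex password and a long passphrase."""
    return {
        pw: {"bits": round(brute_force_bits(pw), 1), "problems": check_password(pw)}
        for pw in (short_complex, long_simple)
    }


if __name__ == "__main__":
    # Constructed sample inputs: a classic "complex" password versus a
    # lowercase-only passphrase that is simply longer.
    for pw, result in compare("P@ssw0rd!", "correcthorsebatterystaple").items():
        print(f"{pw!r}: {result['bits']} bits, problems={result['problems']}")
```

The bit count is an upper bound: a passphrase built from dictionary words has far less real entropy than the character math suggests, which is why the denylist screen is part of the check and why the article's advice to enable MFA still applies even to a long passphrase.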

Information security is an ongoing task, and everyone has a role to play. Like any art, better tools can produce a better result. However, it’s all about how the artisan operates that tool, and even fantastic tools can produce rough results if not operated properly. In the end, the people involved in the process control the quality of the output. Be an information security artisan, and keep the data you own and process safe from prying eyes.

Footnotes:

1. Stanford Research: 88% Of Data Breaches Are Caused By Human Error. KnowBe4.
2. Hackers are getting smarter - and even going malware-free in some cases. TechRadar.
3. Summary of the NIST Password Recommendations.

Frank Mason

Information Security Officer
Frank Mason is the Information Security Officer at Unicon, Inc. Frank has over 25 years of experience in network and computer systems administration, application support, and cybersecurity. He focuses on systems architecture, application implementation, and cybersecurity best practices. In his time at Unicon, Frank assumes key roles in implementing projects involving learning management applications, data center migrations, cloud implementations, and more recently, cybersecurity policy and procedure related to Information Security Management Systems. He's had central roles in efforts to achieve ISO 27001 certification, Privacy Shield compliance, and conformance with the expanding security needs of Unicon's clients. Frank is a Certified Information Systems Security Professional (ISC2 CISSP), Certified Cloud Security Professional (ISC2 CCSP), and holds AWS Security Specialization certification.