Even the grandmas on Facebook need to know and practice basic security hygiene, because what happens anywhere on the Internet can eventually affect us all.
I find myself thinking a lot lately about how much safer we would be online if everyone knew and followed at least a few security best-practices. For those of us in the business of information security, we tend to think mostly about protecting ourselves and our organizations. But the Internet is a shared ecosphere where the actions of some people can easily affect everyone else.
“How so?” you might ask.
Two things immediately come to mind. First, and most obvious, victims of malware become resources for further attacks. As a hypothetical example, there’s a random kindergarten teacher in Kansas whom you’ve never met and couldn’t identify in a lineup. Her computer has contracted a bot and is spamming the world (including your organization) with malicious emails. Her computer is also acting as a drive-by download site, infecting any new victims enticed by the emails.
Multiply this one teacher’s infected computer by the thousands or millions of other botnet victims, and you can see why the online actions of others affect us all. Even if you’re smart enough to ignore the phishing attacks, the attacker could still leverage the thousands of victim computers under his control to DDoS your network. All because a few uninformed folks made simple mistakes and got infected.
The second issue involves chain-of-trust. While you may have built strong defenses around your network, your organization likely has tens, hundreds, even thousands of external partners or contacts with whom you interact each day. Likely, you’ve extended your trust to these external associates, whether by giving them elevated access to your network or by just more readily interacting with their emails.
You see, our trust networks go further than you realize. It’s kind of like the old “Six Degrees of Kevin Bacon,” which posits there are six or fewer steps between Kevin Bacon and any other actor. If some minor work acquaintance introduces you to someone at a conference, and you accept a LinkedIn request from her, you’ve invited someone you don’t know closer into your trust circle. If that person’s security practices aren’t up to par, she may introduce a potential threat into your network. Target learned this lesson the hard way with one of its external partners.
My point is, other people’s security practices (or lack thereof) affect us all. We’re all connected via the shared network we call the Internet. It’s in our own best interests to make sure everyone — even the grandmas on Facebook — know and practice basic security habits. As security professionals, I believe we should share our tips with anyone we meet, whenever the opportunity arises. Chatting with an accountant on the bus who mentions the Cryptolocker infection on his wife’s computer? Why not share some tips you practice to avoid that sort of ransomware?
Here are the three tips I share with normal folks.
Tip 1: Patch regularly. Update your software as often as you can. Studies show you can prevent 79% of all attacks simply by patching. Most modern software, like Windows, OSX, Adobe products, Java, and more, has an automatic patching program. You should turn it on, and say “yes” whenever it asks to update.
Tip 2: Use antivirus and update it. I don’t care which one you choose or whether it’s a free or full version, but use AV software and let it update automatically. Yes, this includes Mac users. AV software is like the hand washing of the computer age; you need its basic sanitation to help prevent the spread of infection.
Tip 3: Think before you click. Use common sense before interacting with links or attachments. Does something sound too good to be true? Are you wondering why someone sent you a file? Does the link look weird when you hover over it? If you’re asking yourself these questions, you probably should avoid clicking.
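The “does the link look weird when you hover over it?” check from Tip 3, automated as an added example that is not part of the original post: it pulls every anchor out of an HTML message and flags those whose visible text looks like a web address but whose real destination is on a different domain. The sample message, the two-label domain heuristic, and the function names are assumptions for this illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_host(url):
    """Reduce a URL or bare domain to its last two labels (a simplification:
    public suffixes such as co.uk are not handled)."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def find_deceptive_links(html):
    """Return (href, text) pairs whose visible text reads like a web address
    but whose href points at a different domain, i.e. what a hover reveals."""
    parser = _LinkCollector()
    parser.feed(html)
    looks_like_url = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)
    return [
        (href, text)
        for href, text in parser.links
        if looks_like_url.fullmatch(text)
        and registrable_host(href) != registrable_host(text)
    ]


# Constructed sample of a phishing-style message (not a real email).
SAMPLE = """<p>Your account is locked. Visit
<a href="http://login.yourbank.com.evil-example.net/reset">www.yourbank.com</a>
or <a href="https://www.yourbank.com/help">our help page</a>.</p>"""

if __name__ == "__main__":
    for href, text in find_deceptive_links(SAMPLE):
        print(f"text {text!r} actually points at {href}")
```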
Sure, there are plenty of other important best-practices, and these tips aren’t sufficient to defend a full organization. However, if you have little time and an audience with little expertise, these tips are simple and practical enough that anyone can follow them. And imagine how much safer it would be online for all of us if everyone in the world patched quickly, used basic AV, and was more careful about what he or she clicked.
With all the people in the world, you may think educating the masses is a hopeless task. However, the six degrees of separation that makes the world a smaller place also makes good ideas spread faster. If we take a little time to educate our neighbors and friends, we can make the Internet a safer place.