Horse Sense #138
Cyber Safety Rules
If you have not read them already, it would help to read these Horse Sense articles:
#137 - The Golden Rule of Cyber Safety - February 19, 2016
#135 - Dirty Secrets of Computer Security - November 20, 2015
If you have a short attention span, remember the Golden Rule!
1. The Golden Rule of Safety: *YOU* are responsible for your cyber safety and the safety of others.
1a. Cyber safety is all about people and what they do and know. There is an old computer saying, "To err is human. To really screw things up requires a computer." Computers are only tools. People need to know how to use them safely.
1b. Computing carries real physical risks as well! Educate people on the real risks involved with computing equipment (shock, fire, germ, chemical, stress, sonic, and other hazards). Avoid any use of electronics while driving. Though people think they can multitask, biology says otherwise. Even hands-free phone conversations can be distracting. Invest in ergonomics to avoid stress injuries. Encourage breaks. Counsel people on keeping sound volumes low.
1c. No amount of outsourcing will change this rule. You are still responsible for your own cyber safety. You can get others to help, but since you have the ultimate authority, you have the ultimate responsibility when it comes to your cyber safety.
1d. Every organization should have a cyber safety initiative. Start with the ideas and wording presented here or (better) develop messaging that is more specific to your organization. We can help!
2. Assume ignorance. You should never assume (it makes an ASS out of U and ME) anything. Common sense is *not* common. When you hear someone invoke it, though, it is always an insult: it means something that person knows, takes for granted, and does as a habit, and assumes the person they are talking to does as well, but the person they are talking about does not. If babies and foreigners do not share your "common sense," then do not assume anyone else will.
Tony's Greater Law of Incompetence (tm) rules: Assume everyone is ignorant and incompetent. They can and will make mistakes. They may not know what you think they know. People have an exaggerated view of their own competence. 95% of people consider themselves above average drivers. They also think they understand probability. Watch out for people who only think they know what they are doing and help them be safer.
Even people who should know better forget things. All safety plans should have periodic training and assessments and any time someone demonstrates they do not know how to behave safely, there should be immediate emphasis put on correcting that behavior.
3. People can and will make mistakes. It is way too easy to click on the next thing before your brain kicks in and you say to yourself, "What did that say?" Assuming people are paying attention all the time is ludicrous. Arranging things so they are better able to pay attention is possible.
Assume that you need to compute defensively. Your assumption that someone else will keep an e-mail conversation private may not be their assumption, for example. What you post on Facebook might get seen by your boss.
If programmers did not make mistakes, our code would be perfectly secure, our firewalls would be 100% effective, and spam would never get through. Relax and realize that mistakes have to happen. Then think about the steps you can take to keep data available to those who need it, secure from tampering or deletion, and unavailable to those who should not have it. You must have a business continuity plan for when an incident occurs. While prevention beats remediation every time, you will not be able to prevent everything. Failing to plan is planning to fail.
The most dangerous people are the smart, trusted ones. You are not likely to let a baby play with a hammer, but you may let an experienced network technician work on your network. However, he may forget to reset something after testing and leave you with a security hole. If you think something is not right, talk to someone about it. Yes... even I make mistakes. Heck, what husband does not? (grin)
4. Acting in a risky way is fun! Dumb, but fun. People get an almost irresistible urge to say something about a bomb when they read the sign saying not to do so in the airport. If the speed limit is 50, they get excited driving 55 or more. They may be even more apt to do something silly if nothing has happened to them before ("It will not happen to me.") or it just happened recently ("What are the chances it will happen to me again?"). Even though I tell people not to click on suspicious links, there is a good chance some will just to see what happens. You have to take risks every day. Assume everyone will make unsafe choices and you will be more ready for when the poked bear decides to eat you.
5. There is no perfect safety in life. Expect that something bad not only can happen, but will happen. Be ready for when it does. There is no magic cyber safety pill you can take and be safe, just as you cannot take one to cross the street safely. Unrealistic expectations are decidedly unsafe.
6. Protect against your most likely and dangerous threats first. People are very poor at judging real risk. Talk to experts. Sharks are scary, but falls are much more likely. A burglar stealing all your computers is scary, but losing your phone or dropping your laptop is a lot more likely. Someone asking for your social security and credit card numbers is one to watch more closely than one asking for your mailing address.
7. Seek out training on how to be cyber safe. Renew your knowledge continually as you will forget things and threats will evolve. Practice what you learn so that it becomes automatic. Review your tools and techniques on a continuing basis to see what you can improve.
8. See something? Ask! Cyber safety is something we all do together. If you do not know something, ask. If you think someone is doing something unsafe, point it out. Everyone should feel free to point out safety issues, including cyber safety ones, to each other and, if necessary, to those in higher positions. All technicians should be prepared to deal with cyber safety questions. Management needs to know of anyone doing something unsafe in the workplace, both online and offline.
9. The best cyber safety moves you can make are simple ones. The worst ones you can make are onerous ones that people feel they need to work around. A good example is turning off equipment you do not plan to use for a while. A bad example is making passwords so complicated that people feel they have to keep them on sticky notes on their monitors.
10. Get help! You are going to need software, hardware, training, technical support, and consultants/auditors to keep you safe. You do not need to do everything yourself, but you do need to understand and work with others to make your environment safer. Getting help does involve buying into cyber safety products, but there is no magic pill. If something goes wrong, you also need to know who to call on for help. [Try us!]
11. Less is always more when it comes to safety. The fewer programs (tools) you have to use, the less likely you are to have an issue, as you will likely know them all better. If you do not keep sensitive data like credit card numbers lying around, then they cannot be stolen. Data elimination is a good way to decrease costs, increase efficiency, and decrease the potential for a cyber safety incident. Simplify whenever you can. Well-understood systems and processes are safer.
12. Computing will follow people home and wherever they go. Your cyber safety program needs to encourage safe behavior *everywhere*.
13. KISS me! Cyber safety policies, procedures, and standards are necessary, but useless unless you have everyone buying in and long-term management support, training, and funding. This is why the KISS (Keep It Simple, Stupid) rule is so important. Make your cyber safety as simple and automatic as you can, so people can do it as a matter of course. If people have to think hard about what to do in a crisis, for example, then they probably will not do well. Drills and training will help, but statistically few will actually make such an effort. The best safety measures involve easy and automatic stuff you do routinely as part of your normal work.
14. "We have met the enemy and he is us." (Walt Kelly/Pogo) You can and will ignore or circumvent safe practices at times. It may even be necessary to do so. Be sure to have someone looking over your shoulder when you do and helping you return to a safe state later.
15. Safety is not a one-time task. Things break, grow old, and cease to work well. You may change the way you work. As you adapt to a new environment, keep safety in mind. Safety should be part of your everyday process and thinking. Do not make the assumption that you can "set and forget" something related to your safety. No "magic pill" will make you safe.
If you want concrete ideas tailored to your own particular situation to improve your safety, call Iron Horse!
©2016 Tony Stirk, Iron Horse firstname.lastname@example.org