Lora O'Haver
Senior Solutions Marketing Manager

Cyber security is just like recycling

October 16, 2018 by Lora O'Haver

Cyber security is everyone's responsibility

Cybercrime is widespread and affects organizations and individuals in every industry and geography. Earlier this year, CNBC reported the total cost of cybercrime in 2017 was estimated at $600 billion, or 0.8% of global GDP [1]. Nothing less than an all-hands-on-deck approach is needed to make a dent in this pandemic. Many of the important defenses are technology based and implemented by professionals, but there is also plenty we can do as individuals.

The problem we face reminds me of the global effort to reduce waste and promote recycling. According to Time’s History of Recycling in America, “What happened in the 1960s and 1970s wasn’t that recycling was invented, but that the reasons for it changed. …Americans began to recycle in order to deal with the massive amounts of waste produced [2]." A concerted effort was made to educate the population about the consequences of their individual actions. Technology changes were simultaneous and fundamental to success (after all, what good is separating your trash if there is no way to process it), but a big emphasis was placed on making better decisions to reduce what goes into our landfills.

Get educated

Following the recycling example, the first step to improving cyber hygiene is to overcome the tendency to think individual actions are immaterial to the bigger problem. In cybersecurity, one person’s lack of action, thoughtless click, or inattention to detail can cause a cascading impact on an organization. Many companies run continuous simulations to “catch” employees making bad decisions and educate them about the potential consequences.

Today, great educational material on cyber hygiene is available from industry trade organizations like NCSA, NIST and the American Bar Association; educational institutions like Carnegie Mellon and Stanford; technology trade journals; and many security vendors. The U.S. Congress has even entertained a bill in both chambers to ask the National Institute of Standards and Technology (NIST) to develop concise guidelines for basic security measures [3].

Practice good hygiene

The next step in a successful awareness campaign is to point out specific areas for change in behavior. A comprehensive list of cyber hygiene practices is beyond the scope of a single blog, but to get you started, here are five basics every employee should keep in mind:

  1. Be very aware of phishing. According to the 2018 Trustwave Global Security Report, phishing and social engineering were the leading cause of cyberattacks (55 percent) in corporate networks [4]. The most common phishing attacks arrive in very authentic-looking emails from entities you do business with (Amazon, Apple, your bank, the I.R.S.) and ask you to verify your login or personal information. A recent trend is to imitate high-level executives asking a lower-level person to make a special effort on their behalf, often involving the transfer of money. Who doesn’t want to help the boss in a pinch? The ‘VP of HR’ in my company recently asked me to print out a map of my floor marked with fire exits and post it in my cubicle for safety purposes. Yikes, I nearly fell for that one.
  2. Be suspicious of unexpected PDF and Word docs. PDFs are frequently used to trick a victim into clicking an embedded URL. Instead of accessing supposedly ‘secure content,’ the victim ends up at an attack site. Most of us can’t stop using Adobe or Word, but we can make it a rule to never open a PDF attached to a spam email and to verify documents we were not expecting to receive with the sender before opening them. It is also a good practice to disable JavaScript from executing automatically upon opening a PDF.
  3. Take password security seriously. It is annoying to keep passwords updated, but attackers are benefitting handsomely from our laziness. Protect your accounts with strong, unique passwords and change your passwords whenever you are prompted. Avoid using the same password for all your important accounts. If it’s too overwhelming, use a password management service to help.
  4. Keep devices updated and secure. The proliferation of connected devices has given attackers many new entry points to a network. No matter how careful equipment manufacturers are, gaps and vulnerabilities in the physical devices and software are inevitable. It is very important to follow your employer’s policy regarding the use of secure devices and keep those devices updated as directed.
  5. Be careful with public networks. Accessing personal information on an unprotected public Wi-Fi network is like broadcasting your entire screen to the world. Just because the network owner requires you to log in does not make the network secure, and you should have no expectation that your interactions are private. Using your company’s VPN offers some protection, but check with your company before assuming that is enough.
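Item 2 above asks you to be wary of PDFs that act on their own. As an added example (not from the original post), the Python script below does a quick static triage of a PDF's raw bytes for the name objects that make a document run JavaScript, launch a program or carry a clickable link as soon as it is opened; both PDF samples are constructed inline for the demonstration and are not real documents.

```python
import re

# Constructed sample: declares an OpenAction that runs JavaScript and a
# link annotation pointing at a 'secure content' URL (example.invalid).
SUSPICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
3 0 obj << /S /JavaScript /JS (app.launchURL("http://example.invalid/login", true);) >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example.invalid/secure-content) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed benign sample: one page of text and no actions at all.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj
4 0 obj << /Length 37 >> stream
BT /F1 12 Tf (Quarterly report) Tj ET
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# PDF name objects that make a document act by itself or on a click,
# with the reason each one deserves a second look before opening.
TRIGGERS = {
    b"/OpenAction": "runs an action as soon as the file is opened",
    b"/AA": "additional actions fired by page or form events",
    b"/JavaScript": "contains JavaScript",
    b"/JS": "contains inline JavaScript code",
    b"/Launch": "can launch an external program",
    b"/URI": "contains a clickable link to an external URL",
}

def triage_pdf(data: bytes) -> dict:
    """Report which triggers appear, any URLs found, and whether the
    file executes something automatically. Names are matched on a word
    boundary so /JS does not also fire on longer names such as /JavaScript."""
    found = {name.decode(): why for name, why in TRIGGERS.items()
             if re.search(re.escape(name) + rb"(?![A-Za-z])", data)}
    urls = [u.decode(errors="replace")
            for u in re.findall(rb"https?://[^\s)>\"',]+", data)]
    return {"triggers": found, "urls": urls,
            "auto_executes": "/OpenAction" in found or "/AA" in found}

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_PDF), ("benign", BENIGN_PDF)):
        print(label, triage_pdf(blob))
```

The check is deliberately string-based, so it also works on compressed or malformed files where a full parser would give up; a hit means "verify with the sender before opening", not proof of malice.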

Behavior change matters

Beyond these five practices, commit to finding out more about cyber hygiene and following your employer’s directions to keep resources secure. Like recycling, we can make cyber hygiene a success and reduce cyberattacks by being aware of the consequences of our actions, educating ourselves, and making the extra effort to be part of the solution instead of part of the problem.

[1] Lynette Lau: Cybercrime ‘pandemic’ may have cost the world $600 billion last year, CNBC.com, Feb. 22, 2018.

[2] Olivia B. Waxman: The History of Recycling in America is More Complicated Than You Think, Time.com, Nov. 15, 2016.

[3] Shaun Waterman: Bipartisan bill tells NIST to develop ‘cyber-hygiene’ guide for public, Cyberscoop.com, June 30, 2017.

[4] Trustwave: 2018 Global Security Report, April 5, 2018, accessed online.