Cybersecurity is a problem impacting many aspects of our lives, including cyber-attacks within our home’s environment. Read more to know how to foster security at home.
Penetration testers will often say that users are the weakest link. The number of breaches that can be traced back to a single user falling victim to social engineering, a targeted spear phishing attack, a cast-netting attack that blanketed the organization, or some other user-focused vector supports this conjecture. And, while many organizations have a robust user training program in place, experience has shown that training alone is not enough.
Cybersecurity needs to be at a cultural level both at home, and at work, if users are to become part of the solution instead of part of the attack surface.
The usual, obvious, starting point for making users less of a target is user education. Educated users know they are a target and know the sorts of attacks likely to be used against them. And, as they say, knowing is half the battle. But user education doesn’t always have the desired effect in the way of improved security often due to a lack of retention. Many penetration testers have stories of catching users with cast-net or spear phishing attacks within a week of said users receiving their annual mandated information security training.
The challenge is that Social Engineers have been perfecting their craft for generations, leveraging arts that have been used in one form or another since the dawn of civilization. These attacks are all some form of con and, as we’ve seen, cons work. The modern world has made the Social Engineers life much easier. There is so much information available about us on the internet, both freely shared and acquired through less obvious means, that someone who wants to target us has all the information they need to build a convincing hook.
Our challenge is not taking the bait when it’s presented in an inviting and seemingly innocent form.
Another challenge is that the current state of the working world is largely remote. We work from home, which makes it harder to clearly separate our home lives from our working lives. For many people, that means we get calls, texts, and emails from both worlds simultaneously. With our kids remote schooling, we have to add another layer of communication into the mix. Our personal and business emails and contacts are in front of us all the time and for some people it can be hard to switch mental gears quickly and consistently.
Attackers know this and will try to leverage it to their advantage.
This is one of the places where conventional user education can be lacking. Many of the programs focus on the business aspects of communication without emphasizing the same level of care in dealing with our personal interactions. There is always the hope that skills learned at work will go home with the users, but we know from experience that the lessons don’t always take. Ultimately, the business culture can help drive the security lessons home in ways that go home.
It’s been said that “it’s not paranoia if they really are out to get you.” And the fact is that cybercriminals and even sometimes State level malicious actors are out to get the collective us. But we don’t want our users to be paranoid. We want them to be aware and be careful. We want that care to go home with our users, and for them to extend that care to the rest of their household.
Our corporate cultures need to support that Careful and Aware attitude. Leadership buy-in at the top supports that at work, which in turn helps our users set the tone for their own personal environments. It’s much easier to teach the kids at home to use care online when you are doing it yourself.
As with our work environments, our home environments need to be run securely as well. It’s true that few home users have the skill and resources to set up their own secure environments. However, there are a range of home-scale security tools and best practices that would work well at home. Firewalls, anti-virus, anti-malware, and spam filtering tools are available as part of nearly every operating system, email service, or home networking gear people commonly use.
Multi-factor authentication is an option for many popular social media and ecommerce websites and should be standard at work, and would making adopting it for home use simple. And while the basic “came with my computer” security options serve the basic needs, upgrading to commercial security applications is an inexpensive option. As are home-focused applications to secure email, DNS, and identity.
Where higher power commercial level security applications, such as security analytics or deception technologies, are beyond what most users would ever deploy at home, they don’t have to be. It is not unheard of for employers, and even ISP’s, to offer these features to their employees and customers. That could dramatically improve the security of home users who, now, are often business users at the same time.
Cybersecurity is a non-trivial problem, but it’s not an insurmountable challenge either. Going forward into a new normal of remote work, cybersecurity best practices can, and should, start at home.
