There are, of course, the usual provisos and warnings that still apply for 2021: watch what you click on, run only software you trust, keep it up to date, and don’t use work resources for personal activities. But 2020 saw the line between personal and professional lives blur under quarantine, and in the end, security is only useful if it accounts for how real people actually behave rather than for a mythical “ideal user.”
Tactically, the biggest immediate threat going into 2021 is ransomware, and companies must plan for being in the crosshairs even if they can’t imagine they would be targeted. Ransom demands are rising, and it is a booming criminal industry looking for victims. Invest in the best prevention you can, but also in resilience and anti-fragility: backups the attacker cannot reach or encrypt, a tested ability to recover files, and a way to regain control of your systems when attacked. Finally, have a detection strategy in place. Outsourcing is fine, but accountability and decision making can’t be abdicated; so pick your partners, do your planning, and practice with tabletop exercises and drills regularly.
The temptation is to simply add more awareness, education, and training, even though research shows that piling on more training yields diminishing returns, if any benefit at all. The answer is to build communities, avoid preaching and lecturing, and adapt to the real men and women on the front lines. This means activating the human layer in defense. The right behavior is reinforced by communities and group accountability, but most importantly it can be gamified and even made fun and rewarding.
Instead of threatening punishment for transgressions, you can highlight the “hero of the company” and single them out for reward when they stop a phishing attack. Going a step further, you can gamify identification: keep scoreboards and build learning around quizzes, reported phishing emails, completed training, and so on. The best programs get a human being to act differently the moment their intuition says something is off, rather than relying on fear and negative reinforcement after the obligatory annual hour of death-by-PowerPoint training.
There are three levels at which people should reflect on Safer Internet Day, because ultimately the bad guys will keep doing bad guy things. It is we, the citizens of the global Internet, who make it safer.
First, review your personal practices, your use of social media, and the services you rely on, and do something tangible to improve your security, such as adopting a password manager and turning on multi-factor authentication where it is offered. Second, take the time to think about how an attacker might take advantage of you in your work life, and make sure you are following your company’s policies. Be especially careful about which computers in your home are work machines as opposed to personal ones, and strive to keep the two separated. Finally, think about the broader community and realize that a Safer Internet isn’t just about less identity theft or fewer corporate breaches: it is also about ensuring the Internet is not abused for propaganda, for bullying, or for the dissemination of misinformation. We all have a responsibility to take part in debate, to apply critical thinking to our news sources, and to bring our minds, rather than just our emotions, to what we like or click on.