Watch for bold keywords which make excellent talking points with technical advisers.
When I speak about using secure passwords, it’s often met with eye rolling, sighing, or recounting of frustrations with remembering passwords. I get it, but I can’t really change my message. It’s a core tenet of basic security practices. But people are dismissive of more than just long passwords; it’s security-related inconvenience in general — especially when related to computers and accounts.
I’d like to highlight the value of difficulty and hopefully alter your paradigm.
Let’s start with a story
It’s raining and you arrive home and have a double-armload of groceries to carry into the house. Approaching the door, you’ve forgotten to get your house key out, so you dig for it. Struggling and juggling, a glass jar and several other items crash to the ground. Soaked, you finally find the key. Once you get the door unlocked, you sop inside, frustrated with the whole process.
An alternate story
It’s raining and you arrive home with the same armload of groceries. Getting inside quickly is no sweat, since you left the front door wide open to make it easy to get in and out. You hurry inside, barely wet, and put away your groceries, patting yourself on the back for how convenient you’ve made your life.
I'm sure you see where I’m going. Essentially, it’s OK for some things to be hard. If you came home to see your front door open, what would you feel in the pit of your stomach? Would you call the police? We keep our homes and cars locked, even though it might cause us to be stuck in the rain or we might lose our keys and be locked out. We do this because it is an acceptable inconvenience. We see the value of locks, despite the extra effort required. Security is all about making something difficult for others to access. So if a slight inconvenience to you adds significant difficulty for an attacker, there's really no more evaluation needed.
Why don’t we feel the same about securing our computers as we do about securing our homes?
How sensitive or critical is the information accessible from your computer, your phone, and your online accounts? Isn’t that worth some effort protecting? If an attacker can get into your email, he can use it to reset all your online account passwords while you sleep. How much of your life could be controlled from just your email account?
Of course, there is deeper value for you and your business. Following security best practices may yield lower cyber insurance premiums and protect against actual and reputational damage or fines. Demonstrable competence in security can also boost member confidence (tip: avoid security theater, which leads to a false sense of security). The benefits of security are myriad, though they are often difficult to quantify, especially when the estimate comes from your IT guy; for an insightful read, look up “Security’s Value Proposition” from CSO Online.
So, what to do now? To begin with, if you can be considered important in any way, you should be using 2-factor authentication on every account you can. Do this today. As for your business, request a discussion with your IT department or service provider about the CIS Top 20 Controls, which list the most effective controls for reducing security risk. Agree on one at a time and pursue each as a little project. Quarter by quarter, this will drastically reduce your business’s risk.
A last thought: insurance is not a substitute for security. Insurance cannot bring back your data or reputation, so it’s important to protect and maintain it properly.
I’d like to give credit and thanks to SecKC, a monthly information security conference, for the inspiration for this piece. I’d also encourage boards to show interest in the continuing education of their IT department or service provider, with an emphasis on security.