Cybercommunity - We are a problem
Another year, another load of articles saying that cyber threats are the worst they have ever been. Yet, still, consistently, the worst thing is the attitude of some cyber practitioners. Day after day, month after month, we see silly comments loaded with attitude from our professional community. This attitude plays a key part in why the cyber risk is getting worse.
"Look at company X, how dare they not do security, they are just crap" etc etc.
This attitude is toxic, for several reasons - but it is also incredibly stupid. Why? Well, so far, the most prevalent cybersecurity people on LinkedIn who go after companies publicly have a proven track record of their own ineptitude (along with anyone who goes along with it and spreads it without verifying), because 99% of cases are complete false positives. Additionally, so far, since I am that guy - most of the people stating these blindingly obvious vulnerabilities they have detected (their words, not mine) on these companies have serious critical issues of their own. Therefore they end up cementing the "do as I say, not as I do" approach to cybersecurity, which isn't my recommended security posture for any organisation.
However, let's say for argument's sake that they do find a vulnerability, and it is genuine. And you report it as a personal ego boost or an advert for your cyber company. Let's break that down.
If I found your wallet in the street, I would find you by using the name on your credit card on social media, and attempt to contact you. If I couldn’t find you, I would then hand the wallet to a local police station, and go about my day.
I would not take a picture of your credit card, front and back, and put it on a website tagging the person saying “this person is a complete moron. Left their wallet in the street. Exposed their own credit card!”
Catch my drift? If you do this, please do add the letters 'un' to your job title of Ethical Hacker.
However, my biggest gripe with this attitude is that if that is how you communicate externally about this, it affects how you communicate cybersecurity risks and issues internally, to your company and to your friends, and that creates a huge problem.
People make mistakes. People have lives. During a time of a crisis, an incident, or a security vulnerability, they need to know that there is a friendly neighbourhood cyberperson available who will help, guide, train, nurture, and assist in a way that betters cybersecurity as a whole.
What they don't need is someone going immediately to "Hands to Blaming Stations". If we had an accident on a ship, like I had when HMS Grimsby decided to become the little ship that could become a Tank in Norway, we dealt with the flood and the crisis first, rather than working out who was to blame. That focus, the 'After Action Report', if you will, is important, but it can happen at another time - and you focus on roles and positions, not names, to stop it from becoming the blame game.
All of this comes down to something we should understand about people: Labelling Theory. If you don't know it, and you are working in cyber, you should. There are more than enough resources to learn how your communications can be affected by it, but in a very simple sentence:
"If you treat victims of cybersecurity attacks as idiots, they will comply."
Victim blaming creates more cybersecurity incidents. Communication breakdowns create more cybersecurity incidents. People not approaching you while it is still a cybersecurity event, before it develops into an incident, creates more cybersecurity incidents.
On a serious note, we have to better educate ourselves about the fact that things change. I still see companies and organisations recommending that passwords be changed every three months, even though we know this reduces your security posture. I still see places using insane password complexity rules that make passwords impossible for a human to remember, but easy for a computer to crack.
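To make the point above concrete, here is an added example (not code from the original post) that contrasts a legacy password policy of composition rules plus calendar-driven rotation with a policy based on length, a breached-password denylist and evidence-driven rotation. The 15-character minimum, the 90-day rotation interval and the denylist contents are assumptions constructed for this example; a real deployment would check against a breached-password corpus rather than this toy set.

```python
"""Legacy vs modern password policy, side by side.

Legacy: 8+ chars, one of each character class, forced change every 90 days.
Modern: minimum length, no composition rules, reject known-breached values,
        rotate only when compromise is known or suspected.
"""
from dataclasses import dataclass
import re

# Constructed sample denylist for this example; a real system would use a
# breached-password corpus (e.g. a k-anonymity range lookup), not this list.
BREACHED_DENYLIST = {
    "password", "p@ssw0rd1!", "welcome1!", "summer2024!", "qwerty123!",
}

# Assumed thresholds for this example.
MODERN_MIN_LENGTH = 15
LEGACY_ROTATION_DAYS = 90


@dataclass
class Verdict:
    accepted: bool
    reasons: list


def legacy_policy(pw: str) -> Verdict:
    """Composition-rule policy. Note that it happily accepts a value that is
    in every cracking wordlist, because it only looks at character classes."""
    reasons = []
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    for label, pattern in (("uppercase", r"[A-Z]"), ("lowercase", r"[a-z]"),
                           ("digit", r"\d"), ("symbol", r"[^A-Za-z0-9]")):
        if not re.search(pattern, pw):
            reasons.append(f"missing {label}")
    return Verdict(not reasons, reasons)


def modern_policy(pw: str, denylist=BREACHED_DENYLIST) -> Verdict:
    """Length-and-denylist policy: long, memorable passphrases pass, and
    predictable substitutions that appear in breach data are rejected."""
    reasons = []
    if len(pw) < MODERN_MIN_LENGTH:
        reasons.append(f"shorter than {MODERN_MIN_LENGTH} characters")
    if pw.lower() in denylist:
        reasons.append("appears in breached-password denylist")
    return Verdict(not reasons, reasons)


def legacy_rotation_due(days_since_change: int, compromised: bool) -> bool:
    """Calendar-driven rotation: forced every 90 days regardless of evidence,
    which trains users to increment a suffix rather than pick a new secret."""
    return compromised or days_since_change >= LEGACY_ROTATION_DAYS


def modern_rotation_due(days_since_change: int, compromised: bool) -> bool:
    """Evidence-driven rotation: only when compromise is known or suspected."""
    return compromised


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1!", "correct horse battery staple"):
        print(f"{candidate!r}: legacy={legacy_policy(candidate)} "
              f"modern={modern_policy(candidate)}")
    print("rotation after 120 days, no compromise:",
          legacy_rotation_due(120, False), modern_rotation_due(120, False))
```

The two candidates are chosen to show the inversion: the substituted word passes the legacy rules and fails the modern ones, while the long passphrase fails the legacy rules (no uppercase, no digit) and passes the modern ones.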
In summary, if you think you are an Expert in everything, you are in the wrong field. Break down these barriers. Become the go-to person in your organisation. Publicly praise when things go well, quietly educate and lead when things go wrong.
Don’t be “that guy”.