May 13, 2016
How to Cultivate an Info Sec Mindset
Do you have an information security mindset? Consider these scenarios:
Yesterday, I received a PDF form to fill out from a mortgage company that required me to provide my social security number and send the document as an email attachment.
The other day, I downloaded an ISO file over an HTTP connection and never bothered to validate the checksum.
A few weeks ago, I paid the tuition fee for a university course, providing my credit card number, expiration date and security PIN over the phone to a person I don't know and have never met.

These are just a few events I remember - in addition to the hundreds of times I swiped my credit card at grocery stores, coffee places and department stores and shared personally identifiable information without even thinking twice about:
- how the data is processed
- how the information will be used
- who, other than the entity I had the transaction with, will be able to get access to this whole plethora of information about me
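The second scenario above, an ISO pulled over plain HTTP and never checked against its checksum, has a routine remedy. The script below is an added example, not code from the original post: it verifies a downloaded file against a SHA-256 digest and against a vendor-style SHA256SUMS listing, using constructed sample files in place of a real ISO. The caveat the scenario turns on is where the expected digest comes from: it must be obtained from a source the download path cannot tamper with (the vendor's HTTPS page or a signed checksum file), otherwise a matching checksum only proves the file was not corrupted in transit, not that it is the file the vendor published.

```shell
#!/bin/sh
# Added example, not code from the original post. Verifies a downloaded
# file against a SHA-256 checksum before it is trusted. All file names and
# contents below are constructed for the demonstration.
#
# Caveat: the expected checksum must come from somewhere the download
# channel cannot influence (the vendor's HTTPS page or a signed SHA256SUMS
# file). A checksum fetched over the same plain-HTTP connection as the ISO
# only detects corruption, not substitution.

# sha256_of FILE -> prints the hex digest (falls back to shasum on systems
# without GNU coreutils, e.g. macOS); prints nothing if FILE is unreadable
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED_HEX -> 0 if the digest matches, 1 otherwise
# (case-insensitive on the expected value, since vendors publish both)
verify_sha256() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$1")
    if [ -n "$actual" ] && [ "$actual" = "$expected" ]; then
        echo "OK: $1 matches the published SHA-256"
        return 0
    fi
    echo "MISMATCH: $1" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   ${actual:-<unreadable>}" >&2
    return 1
}

# verify_from_sums FILE SUMS_FILE -> looks FILE up in a vendor-style
# SHA256SUMS listing ("<hex>  <name>" or "<hex> *<name>") and verifies it;
# 0 on match, 1 on mismatch or when the file is not listed at all
verify_from_sums() {
    name=$(basename "$1")
    expected=$(awk -v n="$name" '{ sub(/^\*/, "", $2) } $2 == n { print $1; exit }' "$2")
    if [ -z "$expected" ]; then
        echo "no entry for $name in $2" >&2
        return 1
    fi
    verify_sha256 "$1" "$expected"
}

# Demonstration with constructed files: a stand-in "ISO", the publisher's
# checksum list for it, and a copy with one extra byte appended.
demo_dir=$(mktemp -d)
printf 'constructed stand-in for an ISO image\n' > "$demo_dir/demo.iso"
printf '%s  %s\n' "$(sha256_of "$demo_dir/demo.iso")" demo.iso > "$demo_dir/SHA256SUMS"
cp "$demo_dir/demo.iso" "$demo_dir/tampered.iso"
printf 'one extra byte' >> "$demo_dir/tampered.iso"

verify_from_sums "$demo_dir/demo.iso" "$demo_dir/SHA256SUMS"                         # OK
verify_sha256 "$demo_dir/tampered.iso" "$(sha256_of "$demo_dir/demo.iso")" || true   # MISMATCH
rm -rf "$demo_dir"
```

In practice the SHA256SUMS file is the one the vendor publishes next to the image; the digest is compared in full rather than eyeballed, because a visual check of the first and last few hex characters is exactly the habit a substituted image is designed to survive.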
1 - Be careful sharing your social security number, driver's license number, credit card number, full name, address and phone number. Always ask why the information is required and whether there is an exception process. If you are still required to provide it, check that the medium is secure and insist on knowing what happens to the information once you have handed it over. How long will it be stored or retained? How will it be destroyed when it is no longer required?
Any time you're in a situation that requires you to share PII, ask yourself: why do I need to share this information? What will it be used for, and by whom? Am I willing to accept the risk of this information becoming public? Is any of it already public? Sometimes you'll realize the risk is really low and decide not to worry about it.
2 - Whether at home, in the car or at your desk, keep physical documents such as bills, credit card, bank, mortgage and insurance statements, and any other document carrying your personally identifiable information out of sight of prying eyes. Use password-protected zip files or encrypted storage drives when you store these documents online or send them as an email attachment. For example, you can use 7-Zip to store data in compressed, password-protected form. On Windows, use BitLocker to encrypt your storage drives, USB sticks included. Use a tool like VeraCrypt if you want encrypted volumes. There are many more tools to research and use as your needs dictate.
The questions to ask yourself: What can this information be used for? What are the potential consequences of this information falling into the wrong hands? Who stands to benefit from it? How can I keep my information secure?
3 - Do not wear your company ID in public. Remove or hide items such as a parking pass, or any other token used to get in and out of a building, when you don't need them.
The questions to ask are: What could someone do if they found my ID and used it to gain access to my company? Who would stand to gain from doing this, and what can I do to keep my workplace secure and reduce my liability?
4 - Beware of shoulder surfing in public places while reading emails or documents that display PII. When reading them in public, hold the phone or laptop close to your chest and shield the screen with your body as much as possible. You could also use a privacy screen filter that limits the viewing angle. Use VPN software to protect your traffic from eavesdropping when surfing over public WiFi; these days VPNs are cheap and easy to set up with an app.
The questions to ask are: Is this a safe place to read this document? What can this information be used for? Who stands to profit from it? How can I keep it secure?
5 - When in doubt, pay cash. Avoid using your credit card at shady-looking establishments, especially farmers' markets, small shops and merchants where you feel that the point-of-sale terminal or card processing tool is not secure. I know this is more of a perception than anything else, but believe me: the times you get a feeling something's wrong, you're right.
The questions to ask are: Is this place secure enough to use my credit card? Am I willing to take the risk? If my credit card is compromised, do I have the time and energy to deal with the consequences right now? Sometimes the answer is yes: I'm willing to take the risk, I don't have cash and this is urgent, and I'm ready to bear the consequences. So make your decision according to the situation.

We face these, and many more, decision points every day. That's why an information security mindset matters, and why it is a daily discipline: the more you practise it, the better you get. As mentioned above, don't get paranoid about information security, but keep asking questions and keep looking for the answers that help you reduce your risk and help others understand what a breach of their information would mean.