Stop me if you’ve heard this one. Just kidding. Although, because this is text and not audio, you could shut me up if you just quit reading. However, if you continue, then I’ll just keep babbling to the end of the page as usual.
The reason I bring up rehashing previous messages is that so many (including most column topics) have been stated before. Most don’t need to be mentioned again, but there are a few worthy ideas that haven’t been stated enough—at least, not enough to have a useful, significant or measurable impact. There’s nothing new under the sun, but some items deserve wider distribution than they’ve gotten so far.
One oft-repeated idea that could still use more understanding if not exposure is that “humans are the most important variable in successful and consistent cybersecurity.”
We’ve all heard this one before. I may be overreacting, but in the process control and automation realm, it seems like every cybersecurity-related product, switch, module, box, software, strategy, initiative, network, platform and architecture brings it up.
Now, I’m not saying that humans don’t have a critical impact on upholding or defeating cybersecurity solutions, but why does this concept keep boomeranging back? It’s almost like a product disclaimer. “The most secure password or firewall is no good if you don’t turn it on.”
So, why all the steady reminders? I think it’s because our collective missteps are the one monkey wrench that all the security experts and developers can’t change. Innovative and useful cybersecurity devices, software and modules aren’t easy to design and build, but they’re apparently much easier to develop than getting people to alter or improve their habits—or even be aware of them. Heck, just a couple of hours after my colleagues and I attended a recent user group session on basic cybersecurity, and got some stern advice on not posting bar-hopping photos on social media, what did we do? We posed for photos with drinks, and posted them on Facebook. The shots were tame and inoffensive, but the timing and irony were severe.
So, is there a way to address the human impact on cybersecurity? Well, what do we want? Some good cybersecurity practices include: turn on passwords; don’t plug in untested USB sticks; don’t open even slightly suspicious emails or PDF files; inventory all Ethernet/IP-enabled ports; segment your networks into functional zones with managed Ethernet switches acting as firewalls; develop and use software patching policies; and continuously monitor your network traffic for unusual activity.
Second, how can we and our fellow humans make these practices happen? No surprise. We need to do the dreaded talking with each other again—the activity that engineers, technicians and, I think, pretty much everyone else seems to avoid at all costs. I’m close to 9,000 or 10,000 interviews in my career, and I still get nervous.
Nevertheless, there has to be a way to make these discussions, meetings and training sessions easier, whether they’re about cybersecurity or some other topic that needs us to get on the same page. Now that it’s mostly summer, how about holding some talks and meetings outside? How about a lunch-and-learn picnic?
Maybe start a cross-departmental or intra-organizational cybersecurity club or practice group. Maybe have a cybersecurity potluck? Personally, I’m always willing to listen to and can’t be objective about anyone who feeds me.
I sure wish there was a cybersecurity skills board game or some kind of competition. Maybe there already is. The point is to get participants to practice good cybersecurity habits, so they become rituals like brushing our teeth. I’m well aware that some things just have to be drilled into my head, but that doesn’t mean I can’t make the best of it and perhaps enjoy the ride. Granted, we and our devices and networks can’t be 100% secure, but we can sure improve the odds with just a little more personal ownership and improved behavior.