The reason I bring up rehashing previous messages is because so many (including most column topics) have been stated before. Most don't need to be mentioned again, but there are a few worthy ideas that haven't been stated enough - at least, not enough to have a useful, significant or measurable impact. There's nothing new under the sun, but some items deserve wider distribution than they've gotten so far.
One oft-repeated idea that could still use more understanding if not exposure is that "humans are the most important variable in successful and consistent cybersecurity."
We've all heard this one before. I may be overreacting, but in the process control and automation realm, it seems like every cybersecurity-related product, switch, module, box, software, strategy, initiative, network, platform and architecture brings it up.
Now, I'm not saying that humans don't have a critical impact on upholding or defeating cybersecurity solutions, but why does this concept keep boomeranging back? It's almost like a product disclaimer. "The most secure password or firewall is no good if you don't turn it on."
So, why all the steady reminders? I think it's because our collective missteps are the one monkey wrench that all the security experts and developers can't change. Innovative and useful cybersecurity devices and software and modules aren't easy to design and build, but they're apparently much easier to develop than getting people to alter or improve their habits - or even be aware of them. Heck, just a couple of hours after I and my colleagues attended a recent user group session on basic cybersecurity, and got some stern advice on not posting bar-hopping photos on social media, what did we do? We posed for photos with drinks, and posted them on Facebook. The shots were tame and inoffensive, but the timing and irony were severe.
So, is there a way to address the human impact on cybersecurity? Well, what do we want? Some good cybersecurity practices include: turn on passwords; don't plug in untested USB sticks; don't open even slightly suspicious emails or PDF files; inventory all Ethernet/IP-enabled ports; segment your networks into functional zones with managed Ethernet switches acting as firewalls; develop and use software patching policies; and continuously monitor your network traffic for unusual activity.
Second, how can we and our fellow humans make these practices happen? No surprise. We need to do the dreaded talking with each other again - the activity that engineers, technicians and, I think, pretty much everyone else seems to avoid at all costs. I'm close to 9,000 or 10,000 interviews in my career, and I still get nervous.
Nevertheless, there has to be a way to make these discussions, meetings and training sessions easier, whether they're about cybersecurity or some other topic that needs us to get on the same page. Now that it's mostly summer, how about holding some talks and meetings outside? How about a lunch-and-learn picnic?
Maybe start a cross-departmental or intra-organizational cybersecurity club or practice group. Maybe have a cybersecurity potluck? Personally, I'm always willing to listen to and can't be objective about anyone who feeds me.
I sure wish there was a cybersecurity skills board game or some kind of competition. Maybe there already is. The point is to get participants to practice good cybersecurity habits, so they become rituals like brushing our teeth. I'm well aware that some things just have to be drilled into my head, but that doesn't mean I can't make the best of it and perhaps enjoy the ride. Granted, we and our devices and networks can't be 100% secure, but we can sure improve the odds with just a little more personal ownership and improved behavior.