Password: getting the basics right

During the last week I had the opportunity to present a number of cyber security sessions for staff ahead of the start of the new academic year. This is part of a programme of awareness development. This year I have made a change in presenting the sessions as something related to our online activities in general, such as in our private lives, as opposed to something focussed on school systems and data. I think this is an important change in that good cyber practices in staff and in students protect them in everyday interactions online, whether they relate to school accounts and data or not. One of the key discussion points in the session is that of passwords, which still remain the key method of confirming our identity when accessing online systems and data, whether these are the school MIS or personal email or social media accounts.

When we create our passwords for online services we are almost always presented with the need to include an uppercase character, a number and a special character. One of the things I ask in my cyber sessions is for attendees to think about a password they use and whether it includes an uppercase character; invariably, due to so-called “password strength” requirements, an uppercase character is included. I then, however, ask if this character happens to be the first character. Largely this is the case, and unsurprisingly so, given this is how we write, with capitals at the start of sentences. I then ask about numbers, and whether they have included a number in their password. Again, invariably this is the case due to password strength requirements; however, again I follow this up with a question as to whether this is the last character, and again this tends to be true. The point I am trying to prove in my session is that as human beings we have a tendency towards being predictable.

From a cyber crime point of view, the more predictable we are the easier we are to hack. If we use common passwords, if we use passwords linked to public information criminals can easily access, and even if we use common patterns such as having the capital letter at the start and the number at the end, all of this makes hacking all the easier. The more unpredictable or random our passwords are, the more secure we will be. This is why the NCSC's guidance on three random words works so well. It creates a password with randomness built in: the random part of three random words. Yet the resultant password is still easy for us to memorise, since we simply need to remember three words. The other key factor is that it generally produces a password longer than we would normally create, and a password's strength, from the point of view of cracking a password leaked as part of a data breach, is directly linked to its length. The longer a password is, assuming it is random and not predictable, the stronger it is. And this is one of the key points I make in my sessions: that the biggest indicator of password strength, again assuming the password isn't predictable, is its length.
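To put numbers on the two points above (the capital-first, digit-last habit and length as the main driver of strength), here is a small Python script. It is an added example written for this page, not code from the post or from the NCSC. It flags the two predictable habits, contrasts a naive "strength meter" estimate with one that only credits the capital and the trailing digits with the choices actually available in those positions, and shows how a random-word passphrase's strength grows with each word added. The 7776-word list size (the size of the EFF long Diceware list; the NCSC guidance fixes no list) and the sample passwords are assumptions, and both estimates are upper bounds: password-cracking tools work from dictionaries and rules, so a patterned password is weaker still than the pattern-aware figure.

```python
import math
import string

# Assumed word-list size for the "three random words" estimate. 7776 is the
# size of the EFF long Diceware list; the NCSC guidance fixes no list, so this
# is an assumption for illustration only.
ASSUMED_WORDLIST_SIZE = 7776

# Constructed sample passwords (not real credentials) showing the habits
# discussed above: capital first, digits last, and three random words.
SAMPLES = ["Summer2023", "Password1", "tractor-violin-cloud"]


def predictability_flags(pw: str) -> list:
    """Return the predictable habits that `pw` exhibits."""
    flags = []
    upper_positions = [i for i, c in enumerate(pw) if c.isupper()]
    if upper_positions == [0]:  # the only capital is the first character
        flags.append("uppercase_only_first")
    digit_positions = [i for i, c in enumerate(pw) if c.isdigit()]
    n = len(digit_positions)
    # digits form a trailing run and the password is not digits only
    if 0 < n < len(pw) and digit_positions == list(range(len(pw) - n, len(pw))):
        flags.append("digits_only_at_end")
    return flags


def charset_bits(pw: str) -> float:
    """Naive estimate: length * log2(size of every character class present).
    This is what a simple 'password strength' meter assumes."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)
    return len(pw) * math.log2(pool) if pool else 0.0


def pattern_aware_bits(pw: str) -> float:
    """Estimate that credits the leading capital with 26 choices and each
    trailing digit with 10, and scores only the middle by its own classes."""
    flags = predictability_flags(pw)
    bits = 0.0
    start, end = 0, len(pw)
    if "uppercase_only_first" in flags:
        bits += math.log2(26)
        start = 1
    if "digits_only_at_end" in flags:
        trailing = len(pw) - len(pw.rstrip(string.digits))
        bits += trailing * math.log2(10)
        end = len(pw) - trailing
    middle = pw[start:end]
    return bits + (charset_bits(middle) if middle else 0.0)


def passphrase_bits(n_words: int, wordlist_size: int = ASSUMED_WORDLIST_SIZE) -> float:
    """Strength of n words picked uniformly from a list, assuming the attacker
    knows the method: the only secret is which words were chosen."""
    return n_words * math.log2(wordlist_size)


def report(pw: str) -> dict:
    """Summary a user-awareness session could show for one password."""
    return {
        "password": pw,
        "length": len(pw),
        "flags": predictability_flags(pw),
        "naive_bits": round(charset_bits(pw), 1),
        "pattern_aware_bits": round(pattern_aware_bits(pw), 1),
    }


if __name__ == "__main__":
    for sample in SAMPLES:
        print(report(sample))
    for n in (3, 4, 5):
        print(f"{n} random words from {ASSUMED_WORDLIST_SIZE}: {passphrase_bits(n):.1f} bits")
```

Running it prints a report per sample: for Summer2023 the naive figure of about 60 bits drops to about 41 once the predictable layout is accounted for, while each additional random word adds a fixed 13 bits or so regardless of capitalisation or digit rules, which is the length argument in numbers.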

I also note the risks related to password re-use, using the story of a staff member I knew who fell for a phishing email, resulting in them disclosing their AppleID email and password. When they came to me, the first suggestion I made was to use the recovery functionality, which would result in an email to the email account linked to the AppleID. It was at this point that the staff member found they couldn't access the personal email account they had used either. The criminals, upon getting the AppleID credentials, had tried the password with the email account and found it worked. They promptly changed the passwords on the email account and AppleID, thereby locking the staff member out. This story perfectly illustrates why we shouldn't re-use passwords, or at least why we should avoid re-using passwords with services which are important to us or which hold high value or sensitive data. It is at this point that I mention Multi-Factor Authentication as a valuable tool for protecting accounts, plus the use of password managers to help manage the increasing number of passwords we all now have.

Passwords continue to be a key feature of our efforts to protect our online accounts, our data and our online digital footprint and profile. Appropriate care in relation to passwords is one of the key basics we all need to get right if we are to reduce the risk of a cyber incident and/or minimise the damage when an incident happens. It isn't a fun, sexy or particularly technical method of protecting ourselves online; however, it is something we all just need to consider and get right.

Building user awareness

When thinking about cyber security, the area I always put first is developing user awareness of the risks and of what they need to do should they make an error. Given that most data breaches tend to have user involvement at some point in the incident, often at the beginning, it seems logical to focus first on user awareness. But how do you build user awareness in a busy school?

The old inset model (Compliance)

This is the model by which the training is put on once per year, likely at the start of the year, with everyone in the school forced to attend. For me this approach is more about compliance than about improving awareness or understanding. It makes it easy to prove that all users have been “trained”, as you can point to an attendance sheet for example; however, in the busy world of schools it is likely a fair part of your audience will be focussing on other tasks rather than the content being presented. It doesn't necessarily result in users being more informed and aware of cyber risks than they were prior to the session. This approach also fails to take into account the constant evolution of cyber threats and the cyber threat landscape. As such, this model of the once-per-year training event is no longer sufficient on its own, although it still makes for a useful approach when combined with others.

Regular communications and updates

My favoured model of cyber awareness development can be summarised as “little and often”. I make use of the school's regular bulletin to share examples of phishing emails received in the school, plus tips on how to identify them. I am increasingly making use of video to share short presentations of 3 or 4 minutes outlining emerging risks or emerging trends. The key for me is to make cyber security awareness content something that all users consistently come into contact with on a weekly basis. Hopefully, by doing so, they will be more conscious of the risks. Basically, I am using the availability bias to hopefully develop user awareness.

One important thing to note here is the need to vary the content, as if the content is always the same it may eventually become ineffective. As such, I use a mix of my own video content, video content from the NCSC and other cyber organisations, written content with annotated screenshots and even the odd cyber security sea shanty (see here for the cyber sea shanty if you are interested).

Testing

One of the big things about awareness development is being able to test that it is working. If your training is about compliance, the only test you need is to check that your attendance list has everyone's name on it, but if you are truly after user awareness development you need to check that users' awareness has actually developed. An easy approach to this might be a simple short quiz included alongside new awareness content, with a focus on helping users identify what they don't know rather than centrally recording scores. A centralised focus on these scores is once again more about compliance than about the actual users and their development. An alternative approach might be regular phishing awareness tests to see whether users fall for a phishing email, or whether they report it. Falling numbers of users failing such tests, and rising numbers of users reporting emails to IT teams, both represent improvements in user cyber awareness.

Fear of reporting

Another big challenge is trying to ensure users understand the importance of their vigilance and care in relation to cyber security, and the size of the risk to them, to the wider staff and students and to the school/college as a whole. This, though, needs to be balanced against creating fear in users to the point that they are reluctant either to use technology or to report concerns or issues.

For me, encouraging people to report is critical, both in terms of quickly identifying any issues and, equally importantly, in terms of identifying misunderstandings or near misses. From this information we can refine training and awareness development approaches. We can basically seek to use the ongoing reports to continually learn and develop as an organisation in relation to cyber security.

Conclusion: Building a culture (The long road)

It still worries me that some organisations continue to treat cyber security, and also data protection, as a compliance issue. For me this is a shallow approach. The true challenge should be to develop user awareness to the point that we shouldn't need to be too concerned about compliance.

Awareness development, in my view, isn't a single training session, or even a number of training events, tests, etc. over the course of a term or academic year. It's a longer-term project. It's about building a cyber security culture, which isn't a matter of days or months but is best measured in years. As such, the sooner we all get started with this the better.