Cybersecurity leaders are tasked with protecting their organizations from external and, sometimes, internal threats. But if CISOs and other technology leaders are not adhering to the same standards that they extoll to fellow workers, then the cybersecurity message might fall on deaf ears.
For technology leaders, a “do as I say, not as I do” stance could lead to a security breach. These professionals are in a position to lead by example, sticking to cyber hygiene best practices in their day-to-day work.
“You think more like a cop in terms of how people are trying to get one over on me and what tools are they using to do that,” said Andrew Marshall, CIO of Campus Apartments. “It gives you a situational awareness that you probably wouldn’t have if you weren’t engaged in it on a daily or frequent basis.”
Here’s how technology professionals can infuse cybersecurity into their daily routines.
Practice password precaution
Not all cybersecurity leaders follow their own advice. A 2021 study from Constella Intelligence found that one in four IT security leaders reuse the same password for work and personal logins, and 39% hadn’t changed their work email passwords in the last 30 days.
Hopefully, security leaders have improved their security posture over the last four years, but basic cyber hygiene continues to be a problem in general. A recent CNET survey found that nearly half of U.S. adults have risky password habits, like reusing passwords or creating passwords with personal data. Almost one-quarter use a password that's shared with another account.
Jim Chilton, CTO at Cengage Group, uses password protectors and password navigators in both his professional and personal lives. He keeps separate password tools for each so that the two sets of passwords are not remotely similar. This is something he encourages fellow employees to do as well, instead of “taking a semi-complex password and adding an exclamation point or one to each one,” he said.
Marshall also uses multifactor authentication via dedicated apps instead of text messaging. While text messages are convenient, they are also unencrypted, and SMS is a prime vector for scams.
At Campus Apartments, not using SMS text messaging is company policy. The company wants employees to message each other via apps like Slack instead.
“We don’t allow the use of text SMS messaging because in a business context, it is very hard to track,” Marshall said.
Repel phishing — at work and at home
Educating employees about phishing is critical for any security-conscious company. Skepticism can be taught.
“An element of caution gets introduced into your personal life and family’s personal life because that’s the way you think all the time,” said Marshall.
A preventive mindset can make employees more skeptical. He said his wife recently received a notification about a class action lawsuit and immediately asked whether it was a scam. “It’s really beneficial to be deeply suspicious about everything.”
He is also careful about what information he puts on social media, so that it can’t be used as part of a social engineering or phishing attack.
Don’t mix personal and work devices
Doing personal tasks on a work device can open the door to cybercriminals.
Chilton keeps things separate. “My work world and my home world are very different things,” he said. He has devices for each, and keeps his home office on a separate network from the rest of his home. He also makes sure that any IoT-connected devices in his home, such as a Nest thermostat or Alexa devices, are kept up to date. He limits the number of apps on any of his devices, and won’t put personal apps on work devices, or vice versa.
Despite taking these preventive measures, which he would hope any employee would take, he doesn’t necessarily hold himself up as the example. Not everyone lives in the cybersecurity world every day, and employees shouldn’t be expected to have the same depth of security understanding that he has.
Instead, he uses real-life examples with employees about where they might make a mistake and how to prevent it. One impactful session focused on how an executive’s paycheck ended up in the wrong bank account, with the full cooperation of the executive. This is “showing the average person a much better example,” he said.