Achieve Next-Level Security Awareness by Creating Secure Social Norms
If we commit to building secure habits at work and in our personal lives, and to helping others do the same, our personal information will be much better protected.
COMMENTARY
In the world of cybersecurity, we often hear the saying, “It’s not a matter of if, but when.” While this is said mostly in reference to security breaches, it can also remind us that secure social habits reduce the likelihood of those breaches happening in the first place.
Throughout my career in cybersecurity, I’ve observed a high level of security carelessness, even among security professionals. This is problematic because one individual’s insecure behavior can cause others to be less secure as well. Remember the human behavior studies that showed the tendency to litter is higher if a person sees litter all around them? It’s the same for cybersecurity. If we see insecure behaviors all around us, we are less motivated to improve security practices.
The good news is that change can truly happen, and it can start with one person: you.
What Are Secure Social Norms, and Why Create Them?
Social norms are typically informal, unwritten rules that guide acceptable behavior among members of a group or society. Secure social norms can be established at two levels: the general level, which covers what everyone needs to know about protecting information, and the role-based level, which pertains to groups of people performing specific tasks.
Consider the example of protecting personally identifiable information (PII). While organizations are bound to protect the personal information of their employees and customers, it is up to individuals to take action to secure their own data, and to help others learn how to do so as well. Failing to do this can lead to financial loss, identity theft, and much more.
Security professionals have a unique opportunity to transform security awareness concepts into social norms and actions. By doing so, we elevate the security culture all around us. Now is the time to step up and become the team member who practices secure behaviors and inspires others to do the same.
Steps for Establishing Secure Social Norms
Below are some practices security practitioners can adopt to establish secure social norms for ourselves and everyone around us.
1. Make data security relatable and actionable.
Launching a security awareness campaign that explains PII in tangible, everyday terms is a great way to teach people how to protect their personal data. Always use brief, clear language to explain security terms and topics. When sharing tips and best practices, provide examples. And be sure to spell out the specific actions people can take to be more secure, as well as the positive impact those actions have.
2. Educate people on what constitutes PII and how to protect it.
The more we use apps and websites, the more important it is to know how our personal information can be accessed, how it might be used, and when we should not share it. Below are some key examples to help develop a security mindset:
Safeguard the primary identifier. A Social Security number is the critical primary identifier of an individual within the United States. If you reside outside the US, find out what the primary identifier is for your country.
Protect your banking information. Your bank account number should be carefully protected. A stolen bank account number can be used to commit fraud on fintech platforms.
Know other elements that can be considered PII. Your IP address, school, and degree can all be PII. In isolation, each of these may not identify you. Collected and used together, however, they can pinpoint you.
Set up multifactor authentication. Enabling multifactor authentication wherever it is offered is an easy way to protect your accounts. However, numerous organizations still ask only for a username and password. That lack of focus on strong authentication is disappointing, because it is exactly what makes stolen PII so dangerous: it can be used to take over an individual’s identity in order to open bank accounts, apply for loans, and more.
Beware of social engineering scams. Phishing messages from senders who impersonate close friends and family are common ways fraudsters target individuals. Read the Federal Trade Commission’s guidance to learn how to protect yourself.
Build consistent and secure social norms at places you frequent. You might not think about protecting your data when going to the supermarket. However, be wary when the checkout clerk asks for your phone number or email address. Don’t be embarrassed to ask why they need this information. Develop a habit of being inquisitive about such requests.
Protect your data when seeking expert advice. If you are looking for professional support like tax or legal services, ask them how they protect your information. Some services may not have the bandwidth to focus on customer data security. Go with a reputable firm that has a lot at stake.
Safeguard protected health information (PHI). PHI is individually identifiable health information in a medical record or designated record set that was created, used, or disclosed in the course of providing a health care service and can be used to identify an individual.
Develop a habit of knowing the privacy policy of any website where you open an account. Many websites are required to ask how you want your data to be shared. Choose the option that protects you the most.
Obtain an identity protection service. It’s a no-brainer. It’s also advisable to freeze your credit at all three credit bureaus: Equifax, Experian, and TransUnion. A freeze is free of charge and prevents new credit accounts from being fraudulently opened in your name, since lenders cannot pull your report. Freezing your credit at just one of the bureaus isn’t sufficient; you need all three.
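The point above about PII elements that are harmless alone but identifying in combination is the idea behind k-anonymity: count how many people share each combination of quasi-identifiers, and anyone in a group of one is re-identifiable. The following is an added example, not code from the article or its author; the people table is constructed for illustration and every value in it is made up.

```python
from collections import Counter

# Constructed sample of a small "people" table (not real data). The
# ip_prefix, school, and degree columns are quasi-identifiers: each is
# shared by several people, but the combination is usually unique.
RECORDS = [
    {"name": "A. Ng",     "ip_prefix": "203.0.113",  "school": "State U",   "degree": "BS CS"},
    {"name": "B. Ortiz",  "ip_prefix": "203.0.113",  "school": "State U",   "degree": "MBA"},
    {"name": "C. Patel",  "ip_prefix": "203.0.113",  "school": "Tech Inst", "degree": "BS CS"},
    {"name": "D. Kim",    "ip_prefix": "198.51.100", "school": "State U",   "degree": "BS CS"},
    {"name": "E. Rossi",  "ip_prefix": "198.51.100", "school": "Tech Inst", "degree": "MBA"},
    {"name": "F. Okafor", "ip_prefix": "198.51.100", "school": "Tech Inst", "degree": "BS CS"},
    {"name": "G. Lund",   "ip_prefix": "203.0.113",  "school": "State U",   "degree": "BS CS"},
]


def group_sizes(records, keys):
    """Count how many records share each combination of the given columns."""
    return Counter(tuple(r[k] for k in keys) for r in records)


def k_anonymity(records, keys):
    """Smallest group size over the given columns.

    k == 1 means at least one person is uniquely described by those
    columns alone; a larger k means every combination hides in a crowd
    of at least k people.
    """
    return min(group_sizes(records, keys).values())


def re_identifiable(records, keys):
    """Names of people whose combination of the given columns is unique."""
    sizes = group_sizes(records, keys)
    return sorted(
        r["name"] for r in records
        if sizes[tuple(r[k] for k in keys)] == 1
    )


if __name__ == "__main__":
    # Each column on its own is shared by at least two people...
    for col in ("ip_prefix", "school", "degree"):
        print(f"{col:10s} k = {k_anonymity(RECORDS, [col])}")
    # ...but the combination singles out almost everyone.
    combo = ["ip_prefix", "school", "degree"]
    print("combined   k =", k_anonymity(RECORDS, combo))
    print("re-identifiable:", re_identifiable(RECORDS, combo))
```

Run on the constructed table, no single column identifies anyone (the smallest group is two people), but the three columns together leave only one pair sharing a combination; everyone else is uniquely described. That is the check to apply before sharing or publishing a "de-identified" data set: compute k over the columns an adversary could plausibly link, not over each column in isolation.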
You Can Make a Difference
We know much more about security today; the issue is that we don’t act on it. If we commit to building secure habits and help others do the same, we can be much better protected. If we don’t take action, the costs will be significant. Instead of simply hearing about someone else’s security breach, we will be the ones affected. Remember, it’s not a matter of if, but when.
This content is not intended to provide tax, legal, or financial advice. Please consult your adviser with any questions.
About the Author(s)
Director of Information Security, BILL
Sriram Dandapani is a seasoned cybersecurity leader with a strong engineering background and a passion for executing enterprise-wide initiatives critical to the infrastructure. Sriram also enjoys mentoring early-career security practitioners and dedicates his time to building security awareness within the engineering community. Before joining BILL, Sriram held leadership and senior technical positions at LifeLock, Nimble Storage, and BT Counterpane. Sriram has a master’s in computer science (data science) from the University of Illinois Urbana-Champaign and has obtained the Stanford LEAD professional certificate for driving innovation and change.