The Problem with Cyberhygiene

Cyberhygiene Dangers

It is a quirk of human nature that we have a hard time contemplating abstract notions of danger, especially when it is introduced to us by others. In the simplest of examples, imagine a sign, placed next to a surface, that reads “Wet Paint.” Out of 100 people, how many do you think will touch the surface to see if it is indeed wet? The answer is always more than 50%.

This condition has a name, unsurprisingly called “Wet Paint Syndrome.” It springs from the idea that, when confronted with a situation demanding compliance, there will always be a proportion of a population that will reject the instruction, for one of a few reasons:

  • Belligerence – the refusal to be told what to do, resulting in a directly opposite reaction: You tell me not to touch the paint, so I will touch it.
  • Individual disbelief – the sign might be old, and the paint might already be dry, so I will check it myself.
  • Collective disbelief – I saw that person touch it, so I am going to touch it.
  • Cultural disbelief – the sign is fake news.
  • Ignorance – I read the sign, but the warning did not register with me as something I should pay attention to.
  • Reflex– I read the sign and, without thinking, touched the paint anyway.

Humans are guided in part by instinct and reflex. If we cannot perceive danger through our physical senses, then we cannot process it accurately. A poisonous snake, spoiled milk, the smell of smoke or the image of a pool of human blood – these are stimuli that make most people recoil. These forms of danger are accepted as real.

Cybersecurity: The Invisible Threat 

When it comes to cyberhygiene activities, the threat we seek to avert seems, to many end users, to be invisible or inconsequential. It won’t be until the actual moment when a computer screen freezes and reveals a ransomware notice that the dangers of lax security become real.

People are suffering from alert fatigue. People have grown tired of repeated requests to update their passwords and so they simply modify one digit, upgrading from “Mary123” to “Mary124”.

But here’s the kicker. When offered the opportunity to use a solution to these tedious chores, such as a password manager, people recoil even further. A password manager is an app that generates passwords out of random character strings such as 86vPH*r1en@2@4FH. These are extremely difficult and time-consuming for hackers to guess but are equally difficult for people to memorize. But when it is explained that they do not have to memorize them at all, and that the password manager simply fills them in when needed, people push back. The comfort they feel in being able to remember their passwords exceeds that of having infinitely more secure passwords they can’t memorize.

Any security specialist who has tried to explain password managers will have experienced this sort of pushback. They will likely have stopped short of trying to explain exactly how password managers encrypt passwords at a device level using a salted hashing technique where none of the components, including the master password, actually are stored by the password manager itself. This is a type of dark magic that makes most peoples’ eyes glaze over.

Password Iq Cloudtweaks

Cybersecurity Expertise Includes Some Psychology

The point is that people in general cannot sit comfortably with change because change means confronting the unknown. Cybersecurity specialists must realize just how fragile the human instinct is when they frame arguments around safety and security protocols. Sometimes it all comes down to change resistance when they hear comments like “how can I trust a password that I can’t memorize,” or “back in my day we never needed Two Factor Authentication, so I’m not using it now.

Just like a rapidly spreading virus, all it takes is one person to make that initial contact with an infected email link to penetrate the defenses of an organization and the organizations it is connected to.

A cybersecurity specialist’s portfolio of skills must include some psychology, which can be transformed into empathy, change management and communication skills. Although a central pillar of the job is to be proactive, success in the security field will not be complete until we recognize just how incompatible the concept of proactivity is with the day-to-day priorities of end users and frame our communication strategies around this.

For more information, read the Proactive Cybersecurity Beyond COVID-19 white paper.

By Steve Prentice

Lauren Brunson

The Growing Need to Consolidate Multi-Tenant Environments

Consolidate Multi-Tenant Environments Over the past four months, countless businesses and universities have scrambled to the cloud to enable their employees and students to work ...
Steve Prentice

Cloud-Based Financial Software Reinforces the 80/20 Rule of Business Management

Cloud-Based Financial Software Sponsored by Sage 50cloud Small businesses are known for being innovative and customer-focused in a way that their larger competitors cannot. This ...
Kip Compton

What’s Ahead for Cloud in 2019

The Cloud In 2019 2018 was an incredible time for cloud. Its impact on customer experiences, business processes and models, and workforce innovations was undeniable ...
Patrick Joggerst

Living on the Edge: The New Real-Time Communications Security Risks

Real-time communications Security Risks As more and more people have been forced to work remotely due to the global public health crisis, collaboration platforms have ...
Martin Mendelsohn

Who Should Protect Our Data?

Who Should Protect Our Data in The Cloud? You would think that cloud service providers are safe havens for your personal data – they all ...
Jen Klostermann

Enterprises Starting To Embrace Blockchain-as-a-Service (BaaS)

Blockchain as a Service (BaaS) Many global companies have already implemented Blockchain-as-a-Service (BaaS) into their cloud offerings. There isn't any question that offering BaaS can ...