I always disliked the phrase “cyber hygiene” it makes me revert to the mandatory and awkward health ed classes in junior high. It also reminds me of one of my favorite quotes “Passwords are like underwear: make them personal, make them exotic, and change them on a regular basis.”  Unlike “cyber hygiene” this quote is amusing, slightly edgy, yet simple and disarming. The quote addresses personal choice and responsibility, and yet quickly assumes that this responsibility is as natural to one individual as it is to the next. As we have seen in previous weeks the assumption that someone else has taken on the responsibility of cybersecurity is a common barrier to creating a cyber-culture.

How do we get to a cultural norm with cybersecurity with so many complex technical issues expanding the threat landscape in cybersecurity?

Billions. That is how we quantify the number of IoT devices in the world. Even non-technical people must have respect for the sheer volume as a factor in its impact on the cybersecurity threats. The first step is to shift our focus from the device to the connections. IoT is a system of systems. As consumers, we focus on the device and the dashboard or display of results that we glean from the device. As a cybersecure culture, we need to become educated on the entire ecosystem of IoT that exists between the device and the final display.

This does not require extensive education on details of the sources that power our devices, the telecommunications which transmit the data, the edge computing that filters out initial layers of data, the cloud computing which does the heavy lifting or all the individual systems supporting each of these stacks. What we do need is awareness of these intricacies. Consumers need to be aware that the data that is collected from the safety device we purchase or that a hospital uses, has the capacity to be breached. Procurement team members need to understand why facilities is spending more to purchase a device coming from California where devices require embedded security versus a less costly version from elsewhere. Awareness won’t secure the entirety of IoT, but it can lead to better decisions on how we secure each of the systems form consumers to industry.

Machine learning. The data collected from the billions of devices exceeds the capacity of humans to extract all the benefits from it. Humans do have the capacity to build and train models so that machines can process the exponential amounts of data to learn faster and more precisely. However, we need to educate individuals on the responsibilities and best practices when leveraging the results of machine learning and AI practices so that positive intentions do not have a negative impact. Understanding the basic concepts of AI and ML can drive human decision making on how and when to use it as a tool responsibly and how to validate the skills of the individuals initiating and ultimately maintaining these models.

Unlike clean underwear, we are not yet in a culture where we have grandmothers who have raised us to have good cyber habits.  “Put on clean cybersecurity practices, you never know when you are going to encounter a breach!” Perhaps the cyber practices we teach the toddlers of today will integrate cybersecurity as a cultural norm in 20-30 years. Until then we need to be the stewards of good cybersecurity habits. Good habits start with education. Courses such as CertNexus’ CyberSAFE, IoTBIZ, and AIBIZ, break down the complexities of technology that begins this process.

CyberSec First Responder Readiness Assessment