When it comes to cybersecurity, it is easy to descend into a climate of personal paranoia, cognizant of any potential privacy violations or breaches. In the modern landscape of technology, physical and digital threats are merging and people are increasingly more aware of the tenuous security bubble they live in.
For experts, practicing cybersecurity is part of their routine, whether it’s employing VPNs to use unsecured WiFi networks or using a password manager to ensure that no two sites have the same login credentials. Some experts even use burner devices when traveling, particularly to events like Black Hat or Defcon, where showoffs are looking to make examples of those lacking security.
At RSA 2017 in San Francisco, CIO Dive asked seven security experts about their personal cybersecurity habits.
Shawn Henry, president of CrowdStrike Services and CSO at CrowdStrike
“Turn off Bluetooth. Turn off WiFi … I am very aware also of the physical security side of it. So, people picking up your bag, people identifying the hotel room that you’re in and trying to get inside it. Think of the physical security side.
The merging of the physical and the digital world. It’s not just these remote access technology enabled attacks, there’s actually old world physical attacks that occur as well.”
Justin Fier, director of intelligence and analysis at Darktrace
“I learned in my days working as an intelligence contractor, you have to draw a fine line between being too paranoid and being able to function in day-to-day life. Just practicing good password hygiene is probably the number one thing I would recommend doing. And then just being on top of updating your software and hardware. That’s the least amount anybody could do.”
Terence Spies, CTO for Hewlett Packard Enterprise Security – Data Security
“I actually tend to do something that a lot of security people told people to not do for a long time, which is writing down passwords. For the longest time, the advice was, don’t write down passwords, memorize them. But for me and my family it’s just, you have a choice between either coming up with one default-ish kind of password that you end up spreading over the whole internet, or you come up with sort of reasonable passwords and mnemonic way of remembering them. The human brain is not built to remember random information.
I think that’s one big mistake, with respect to personal cybersecurity. ‘Don’t write down password.’ It’s like, why not? You write down passwords and you’re changing that attack, you’re enabling people to come up with much more variant, stronger passwords and they’re changing the attack from, ‘I can go grab that out of a database,’ to ‘I need to steal your wallet or break into your house.'”
Edna Conway, chief security officer, global value chain at Cisco
“I am a data driven, risk-based decision maker in all aspects of my life … but, for me I step back and think about what is the productivity gain that I’m going to get out of doing this vs. the risks that I’m accepting and I make a decision every day.
I’ll give you a glaring practical example. I will never have a refrigerator that pings my iPhone in the supermarket to let me know that I need eggs. Because I probably can live without the eggs for an extra 24 hours compared to the risk of having the refrigerator that might actually interject a known vulnerability into the home network, which it probably wouldn’t because of the way it’s protected and segregated, but nonetheless, it’s a risk-based approach to life.”
Justin Somaini, Chief security officer at SAP
“I travel a lot so I have a tendency to shut off all the devices when I leave. I have remote capabilities to shut it down remotely and monitor from my webcam to my network traffic. [For] email, maybe it’s not a security issue, maybe it’s just laziness, but I have a tendency to quickly skim and not load up all the images or click on links because there’s just a lot of spam, a lot of crud that we get so I kind of flush it out.
But I’m a minimalist to a fair extent. I love trying and playing with new things, but I’m very quick to jettison and shove it off, so I don’t have like I (once had) tons of computers at home and huge networks.”
Tom Corn, SVP of security products at VMware
“The single best thing you can do is actually balance your checkbook. It’s not about finding the way that you’re going to prevent a sophisticated attacker from compromising your system or breaking into your bank account. It’s your ability to spot it quickly.
This whole debate about prevention vs. detection and response. There’s lots of people that say, ‘well why would you ever spend time on detection and response? Why wouldn’t you just prevent?’ We would if we could.
In a world where everything is so electronic, I think people have stopped monitoring and understand what they’re trying to protect. If you did, you’d be able to spot it quickly and you wouldn’t be liable.”
Rishi Bhargava, co-founder and VP of marketing for Demisto
“For security, there’s a lot of other things I do. Strong passwords. I have no two websites — no two websites literally, even it is a random website — with the same password.
So I literally probably have 500 website accounts because I am also a person who tries everything. New service comes up, I have to try it. But that password? I don’t know it.
I cannot tell you what’s the password for my email to the password of my bank, I just don’t know the password. It’s in the password [manager].”