Good things for 24
Work we should focus on in 2024 (aka your phishing sims won’t save us)
Here is some of the good work, and some of the ideas, that I hope we will listen to more in the coming year:
Heidi Trost is a UX specialist who has excellent insight into how cybersecurity can improve for everyone who uses tech products. She hosts a great podcast, and this episode on building security into UX is one of my favourites. As ever, it is simple and practical advice from people with expertise and experience.
I believe that the future will hold more successful collaborations like the work between UX and Security that is described in the podcast. Our work has to meet people where they are. It also must acknowledge and collaborate with other teams, beyond just getting them to do an escape room or mandatory training. The work done at IBM is an example of really good cross-team iterative work that centres the people who will use a process and their needs.
I often sit with teams who have never used the product they sell, or never sat with people trying to work through a process. MFA is a great example of this. It is easy to say “just use MFA”, but if you sit and watch different demographics attempting the process, you realise the issues that they encounter.
I am also delighted to see this Edtech Secure By Design Pledge, in partnership with CISA. Edtech needs better standards and accountability, and this is a great initiative. I would like to see more schools helped with edtech choices. However, it would be even better if they were choosing from vendors that they knew adhered to standards.
Cybersecurity in educational settings is a nightmare situation, and I wish that were an exaggeration. Huge amounts of student data are shared without informed consent. Then we have the issue of IT systems that rarely have adequate security. The advice given, even by CISA or NCSC, assumes budget, time and even the desire to do things the right way. When I worked as a school DPO, I was told to F off by some staff most weeks, because privacy and security got in the way of their work. This is also a larger issue relating to schools being rewarded for tech “innovation”, but not for privacy or security. The AI and LLM gold rush is an exemplar of this issue. Schools are encouraged to show innovation, but we don’t hear much about the ethics or safeguards around it all.
Mis- and disinformation are huge issues in 2024. The risks to the many elections around the world loom large. We cannot pretend that it might not happen, as we have seen it play out before. As security professionals, I hope we can do more work on helping people to identify good sources of information. There are links on this Harvard page that you could use in any work that you do. I also made a quick start resource for the top four links that I use.
I think cybersecurity professionals should be examples of fact checking and reflection. That is sadly not the case most of the time. We do have to lead by example, and I see too many people sucked into reposting hate-farming content or spreading misinformation. It is better not to engage with hate, or with people looking for attention via awful social or media posts. If you must share something, it is always better to screenshot rather than quote post or share the original. This avoids giving them attention and/or financial support, as clicks and shares mean advertiser revenue.
Staff Socials
If your company uses staff in any way to promote itself, you should be offering them adequate training and protection. There is a growing trend for in-house “influencers”, and this can put the individuals at risk of abuse, or even of their voice and face being used for scams. Plan for this, and if you cannot balance the risk, maybe work on getting the company to reconsider doing it. The same applies to people who have to share company social posts or updates. Comms teams are trained in how to handle themselves online, but other staff will not know how. I’d add that careful attention should be paid to how customer service teams reply to cybersecurity questions. Check what your CX team handbooks say, and whether they need updating.
Podcasts
The Sunday Show discusses the garbage in, garbage out issue in LLMs. I wish we were more discerning in our discussions around AI; this show makes all the important points.
I love Tech Won’t Save Us; this episode is about how tech can make us more insecure.
On Attachment has a great episode about trust, risk and vulnerability, but in the human sense. Worth a listen.
Lastly, 404 media is well worth a subscription and their podcast is excellent.
Have a great start to 2024. It is an 8 year, so it should be a lucky year. I certainly hope so.
M