Posts

Soon to be "ex" X

We've all had the experience: a coffee shop staffed by frightened employees ducking in fear each time the manager barks the next round of orders. It's unpleasant for customers, and usually the fearful staff end up making a sub-par coffee, but we tolerate it in order to get our caffeine fix. What about that other coffee shop - the one with the friendly owner who welcomes everyone in and speaks kindly (but firmly, of course) to their team? The coffee always tastes good, doesn't it? And have you ever noticed after a few months or even years that the team hasn't changed much - it's mostly the same staff? Why? They feel secure in their workplace. They know they have a job to do and they do it efficiently, and usually they "go the extra mile" because they genuinely want to. They know the boss treats them kindly (but firmly - boundaries are important), so they WANT to perform better to please their boss. Sure, it doesn't always work, and occasionally a less-...

What did you just dump?

Imagine finishing a delicious cup of coffee and availing yourself of the facilities in your workplace, and on the door of said restroom you notice an educational message from your cyber security team: "What did you just dump?" For context, there is an accompanying photo of a waste paper basket showing discarded papers with credit card numbers, expiry dates and CVVs clearly visible. Simple message: think about what you throw in the trash and ensure you shred confidential and/or personally identifiable information. However, it's delivered in a way that you'll probably never forget! This didn't actually happen. My mentor suggested it, but management shut it down, thinking that it would not resonate with the conservative nature of the organisation we worked for. However, I'm sure you get the point - and with a creative mind, you can come up with one or many ideas of your own to educate those in your workplace about cyber security risk management. Remember, you don...

"Another day, another breach"

"Another day, another breach." I grew tired of hearing that phrase around about 2019! Even back then I thought it was time everyone acknowledged that breaches are inevitable. Many of us already have, and that's why the cyber security industry has a fantastic set of standards such as NIST CSF to draw upon for incident response and preparedness. However, what I mean by "everyone" is just that - not just cyber sec pros. Business experts, CEOs, tradespeople, school teachers, the whole lot, all must acknowledge breaches are inevitable, and be prepared. I'm going to compare this to preparedness for other types of disaster, for the sake of the point I want to make. We accepted long ago that floods, fires and droughts were inevitable, so we have a strong culture of preparedness for these. I'm not going to delve into the truly devastating effects of natural disasters, other than to briefly point out that data breach incidents can result in similar...

Nerding out over patterns in stolen PINs

Has anyone ever completely nerded out over numbers, patterns and maths? I saw this article on ABC News about commonly used PINs, and I clicked into it not expecting to be quite this interested. The authors have taken the four-digit PINs from Troy's Have I Been Pwned site (using the API) and split them into the first two digits and the last two, so that the data could be plotted on an X-Y graph. The result is a graph which shows visually the most common combinations of digits. It's a brilliant idea, because it makes the task of identifying patterns very simple, using visual means. Unsurprisingly, PINs like 0000, 1111, 1234, 1212 etc. are the most common. The repeated-digit combinations nicely show up as a straight diagonal line. There's also a strong representation for PINs beginning with 19 and 20, because these form the first two digits of the birth years of everyone alive today. The visual representation also shows some popular PINs that I didn't expect to be common, ...

I for one welcome our new AI overlords

Everyone is talking about AI. Everyone from politicians to the crowd at my coffee shop, and everyone has either a fear of it, or an enthusiastic story about how it's transformed their lives. A teacher writing up a behaviour incident report threw a bunch of bullet points containing the raw data at ChatGPT, and it responded with a business-like email, formatted and ready to send (after adding the sensitive info like names etc. manually). A small business owner chucked a few words at CoPilot and it formatted that into a well-written social media post, ready to go. The fears that people speak of are either job redundancy or "will humans never think for themselves again?" I see the emergence of these tools as just that: tools to get a job done. Just like the invention of "wireless" (radio comms), the telephone, the transistor, computers etc., a set of new pathways is created. What are we doing to facilitate the creation of those pathways? The teachers I know ha...

Kangaroo-related passwords

Everyone loves a good story. And every time a cyber security breach occurs, the pros spring into action, attempt to recover what was stolen, and deal with the aftermath. Perhaps one day I'll blog about a few of those incidents, because there are some fascinating stories to be told! For now, over this cup of coffee, a thought occurred to me: Troy Hunt's blog on info stealer malware logs is readable on multiple levels. I hadn't considered this earlier, but the information he often writes about can be used by individuals who are tech-curious, right through to professionals in cyber, IDAM, etc. For example, how many times have you explained the perils of malware on the interwebs to non-tech friends and family and wished for written resources and advice to point them at? Amanda-Jane Turner also has a fantastic set of resources for that. Troy's opening paragraph in that blog is ideal for this purpose. He states quite clearly a few simple actions which could lead to passwor...

A voice in my imagination

Small business cyber security risks, part 4: In the last few blogs we focused on advice for small businesses, although really this has been relevant for all of us, whether we're talking about personal, small or large business information security. Reaching for the ideal situation is certainly important and, in many cases, particularly for larger businesses, it's the law. However, last week in my imagination I heard the quiet voice of a small business owner saying, "But what if I'm struggling just to stay financially afloat and keep customers happy? I know cyber security is important, but I just don't have time unless someone tells me exactly what to do!" Perhaps that thought came to me because I was looking on with admiration at our local cafe, amazed at the hard-working team, always with smiles on their faces and a kind word for everyone. Whilst they're not struggling financially, I know how busy they always are, and I wondered how they manage information security risk. In a rare ...