Posts

Showing posts from March, 2025

Soon to be "ex" X

We've all had the experience: a coffee shop staffed by frightened employees ducking in fear each time the manager barks the next round of orders. It's unpleasant for customers, and usually the fearful staff end up making a sub-par coffee, but we tolerate it in order to get our caffeine fix. What about that other coffee shop - the one with the friendly owner who welcomes everyone in and speaks kindly (but firmly, of course) to their team? The coffee always tastes good, doesn't it? And have you ever noticed after a few months or even years that the team hasn't changed much - it's mostly the same staff? Why? They feel secure in their workplace. They know they have a job to do and they do it efficiently, and usually they "go the extra mile" because they genuinely want to. They know the boss treats them kindly (but firmly - boundaries are important), so they WANT to perform better to please their boss. Sure, it doesn't always work, and occasionally a less-...

What did you just dump?

Imagine finishing a delicious cup of coffee and availing yourself of the facilities in your workplace, and on the door of said restroom you notice an educational message from your cyber security team: "what did you just dump?" For context, there is an accompanying photo of a waste paper basket showing discarded papers with credit card numbers, expiry dates and CVVs clearly visible. Simple message: think about what you throw in the trash and ensure you shred confidential and/or personally identifiable information. However, it's delivered in a way that you'll probably never forget! This didn't actually happen. My mentor suggested it but management shut it down, thinking that it would not resonate with the conservative nature of the organisation we worked for. However, I'm sure you get the point - and with a creative mind, you can come up with one or many ideas of your own to educate those in your workplace about cyber security risk management. Remember, you don...

"Another day, another breach"

"Another day, another breach." I grew tired of hearing that phrase around about 2019! Even back then I thought it's time everyone acknowledges that breaches are inevitable. Many of us already have, and that's why the cyber security industry has a fantastic set of standards such as NIST CSF to draw upon for incident response and preparedness. However, what I mean by "everyone" is just that - not just cyber sec pros. Business experts, CEOs, tradespeople, school teachers, the whole lot, all must acknowledge breaches are inevitable, and be prepared. I'm going to compare this to preparedness for other types of disaster, for the sake of the point I want to make. We accepted long ago that floods, fires and droughts were inevitable, so we have a strong culture of preparedness for these. I'm not going to delve into the truly devastating effects of natural disasters, other than to briefly point out that data breach incidents can result in similar...