Editor's note: This article is part of Behind the Firewall, a recurring column for cybersecurity executives to digest, discuss and debate. Next up: How did you get started in security?
When 5 o'clock hits, many professionals log off to spend their evenings focused on anything but work. Personal and professional worlds are siloed from one another, with nary a care for the office until the next morning.
But working in cybersecurity, even after clocking out, it is difficult to shake the threats in cyberspace. For some cybersecurity leaders, the security itch follows them into their personal lives, informing which tech gadgets come into the home or what Wi-Fi networks are safe to join.
It makes sense — high-profile consumer data breaches and phishing attacks on personal email accounts happen regularly. Add in a year of remote work, school and socializing, and bringing cyber hygiene into personal lives has become more standard.
For a glimpse into how security professionals translate their expertise outside of work, Cybersecurity Dive asked security leaders which cybersecurity practices are prominent in their personal lives.
(The comments below have been lightly edited for length and clarity.)
George Gerchow, chief security officer at Sumo Logic
Education and training are two key elements of cybersecurity best practices that have been prominent in my personal life.
My beautiful 81-year-old mother is really savvy in tech and leverages multiple devices in her daily routine. However, she's unfortunately been known to fall for phishing attacks and social engineering tactics. About five years ago she got a fake email from Apple support letting her know that the devices she had been using had over 100 viruses and malware.
With her password and a nominal fee of $500.00, this "service" said they could clean it up and prevent it from happening again. Needless to say, that was a big lesson for all of us and it really opened my eyes to how little I shared about my job with my parents.
Given my close relationship with my mother, she and I chat every week and we discuss the following:
- Do not open any links from unknown sources.
- Do not engage in phone conversations with anyone trying to sell you anything.
- Passwords should be changed at least every 90 days and should never be shared with anyone. Most importantly, passwords should never be re-used.
- Lastly, try to stick with phrases that contain mixed characters and numbers and, if possible, use a password vault.
Another area of focus is two-factor authentication (2FA). I got this concept embedded into my kids' authentication processes years ago. My favorite time educating was with my son, who has an account on every gaming platform imaginable: Steam, Twitch, Xbox, the list goes on and on.
We have it all set up to where he gets challenged every 30 days to reauthenticate into those platforms and the 2FA push comes to my email. The same goes for any in-game purchases or upgrades. It gives him a layer of protection that we discuss all the time, which encourages him to call me so I can give him the code while giving me the visibility I need to ensure he is doing the right things.
Bruce Potter, CISO at Expel.io
I think I might be a little different when it comes to the security practices that are important in my personal life.
For starters, I do two-factor authentication on everything I touch and use, which I guess shouldn't be surprising.
I run my own mail server and recommend others do the same when possible.
A VLAN protects me from IoT devices that tend to be sketchy, particularly from a privacy perspective. Many consumer wireless products allow you to do this today via "guest networks" and similar configurations.
Never use voice-controlled devices! We have a very strict 'no-voice control' code in our house for any device that is powered by Alexa, Siri, Cortana or similar tech.
Never configure smart devices like TVs, refrigerators, etc. These embedded systems often lack the necessary security and privacy controls and rarely get updates over their lifetime.
Fleming Shi, CTO at Barracuda Networks
Like work-related online access, I've stopped relying on passwords for authentication. As a result, I've adopted multifactor authentication (MFA) for all of my personal accounts. In my personal life, I always make sure I'm practicing vigilance when using my own email accounts and never click on links until I am 100% confident they are safe.
To me, this includes researching site reputation and verifying site certificates. In addition, I'm always trying to make sure that I stay current with security patches for my operating systems and always back up important files.
Lastly, I also practice "social-distancing" between work and personal computing activities. More specifically, I try to establish a clear divide between work and home so one doesn't interfere with the other. We all know that we can make the most costly security errors when we're not paying attention so I always try to be mindful of that.
Brandon Hoffman, CISO at Intel 471
As a lifelong (adult life) security practitioner, it's hard to say how much security permeates my personal life versus work life. I think it is fair to say that the longer you spend in this industry, the more paranoid you become, yet we all become a bit jaded as well.
A favorite, and common, occurrence is directly related to credit card and identity fraud. As you become more exposed to the cybercriminal trade and what the prices are of goods and services on the dark marketplaces, it makes you realize two things.
The first is that it's only a matter of time before your credit cards and possibly your identity will be for sale. The second is that they will both be staggeringly cheaper than you thought (or, oddly, than you hope they would be). The result of this experience has two diametrically opposed outcomes. One is that you become super paranoid about all your data, or you become exceedingly complacent about it and rarely bother to even protect it anymore.
While many of us fall on the complacent/jaded spectrum, the security practitioner in us lives on in frequent scenarios. Anything, and I mean really anything, goes odd with my phone or laptop, and I immediately go into super paranoid responder mode. I start digging into logs, downloading utils and running security processes. This can consume anywhere from an hour or two, or possibly carry me on through dawn. There are just some habits that truly die hard.
The practitioner in me (and many of us) rears its head too during casual conversations with friends. Topics like investing in crypto and being subsequently horrified that anybody would consider using a hosted wallet on an exchange. Or better yet, discussions with other friends who work in non-security related technology that start to talk about security and the "dark web" and our continuous yet unsuccessful attempts to clarify the situation.
By and large, I think having security permeate my life has allowed me to understand effort vs. outcome in a very meaningful way. Certain parts of my life that touch security and that I can have a direct effect upon, I will put in effort. The areas where I know beyond a shadow of a doubt that really, I have little to no control, I have let go worrying about. If I can't change/fix it, why stress about it?
I don't think this parallels work life in a meaningful way. From a work perspective, there are more people to help and more resources to utilize. Ultimately, you know at work that the fight is never over and more effort can always produce a positive outcome.
J.C. Vega, CISO at Devo Technology
There are several practices that I bring home that my family tolerates:
- Zero trust — I do not allow visitors or friends of my children to log into my primary network and I do not connect to public Wi-Fi. I have no idea what someone is bringing into my home network, which in turn can be used to infect and pivot to my managed enterprise. The same goes with public Wi-Fi; I bring my own hotspot. I wish I could place an N95 equivalent mask on my Wi-Fi connections.
- The mind of a hacker — I'm always looking at my environment through the lens of an adversary to see how they can gain a competitive advantage from my situation. I turn off "extra" services and features. Not everything needs to be connected.
- Secure the ecosystem — I share best practices with my neighbors so the community can be safer. If I see a Wi-Fi signal that is configured with default settings, I show them how to update their system. This is especially true of less tech-savvy individuals and the digital natives as well, who understand technology but don't necessarily apply security.
Brian Johnson, chief security officer at Armorblox
It's not always good to bring work home, but being in the information security business has some positive impacts at home. I have been able to set up a safe home environment, guide my family on internet best practices and use security news to discuss the impact that my chosen field has on the world.
Phishing and email impersonation attacks are not just an enterprise business issue. We have all seen these attacks arrive in our personal inbox. My experiences in dealing with these threats have been a great teaching guide to share with my family.
URL blocking is a technology that has followed me home. URL blocking has a great impact on gatekeeping known malicious sites, adware and unwanted content. This was achieved with basic anti-virus, trusted DNS providers and network controls. I will admit that this is a little advanced for the basic home internet setup, but it was not very difficult and security vendors have made setting this up accessible for home environments as well.
Discussing Trust and Safety at home is a balance. As an information security professional, it's easy to see all that's wrong with the internet and miss the basic good. I have found discussing what's going on in the news — such as the Colonial Pipeline ransomware attack — a useful primer to discuss the impact of cybersecurity and why and how to be prepared. Events like these are tangible teaching aids to help families understand how the technical world impacts the lives of millions of people.
Lucia Milica, global resident CISO at Proofpoint
It may seem so simple, but the best cybersecurity practice I take home is fully protecting my login credentials with a password manager.
Passwords are critical barriers between a consumer and a threat actor. And it's vital to avoid using the same ID/email address and password login across multiple online services. But we all have so many accounts in so many places, it's nearly impossible to keep track of all the different passwords floating around in our heads.
That's where a password manager comes in. Using a password manager reduces the burden of trying to remember complicated login credentials across multiple websites. It's important to remember to change all passwords twice a year, and business passwords every three months. All the more reason for a helpful tool to stay on top of things.
But a password manager alone may not fully protect you. I also use multifactor authentication (MFA) for as many accounts as possible. This approach frustrates the automated systems threat actors use to guess passwords or when plugging in stolen passwords.
Tom Garrubba, VP and CISO at Shared Assessments
Using a VPN even while in your own home is a great way to ensure your connectivity is protected within your home network. As you have multiple people and devices connected to your home network, you reduce the threat of internal detection and hijacking by threat actors who breached your in-home network by using a VPN.
VPNs are just one important protection. Another is ensuring you offer visitors guest Wi-Fi privileges, not full privileges, to prevent corruption of your network and devices. You never know where a visitor may have browsed, or what problems their devices may have picked up along the way — either firsthand or from those who cohabit their home networks.
Stel Valavanis, founder and CEO at onShore Security
You can't really compare what anyone does at home for cybersecurity versus what a CEO does, let alone a cybersecurity CEO. For one, I'm a target. Everyone is targeted by bots, but I might be used to get to multiple client targets, so I have an additional burden.
All company assets are categorized by risk level and impact and so I have to follow policies for those even when at home. This means access is only allowed via VPN with multifactor authentication, password expiration, corporate password manager, workstation hygiene policies, awareness training and testing, etc.
I prefer to build my own firewall because the low-end home firewalls are feature-poor for things like firewall rules, VLANs, DNS-sinkholing and VPN access. Of course, the management interface is not exposed to the internet except via VPN. I do use a DNS service with family content filtering, but no personal VPN service. To me that's more of a privacy concern rather than security and not much at that.
My kids' devices are all on family accounts and I use a separate password manager with MFA for myself (and for them) from my corporate one. A separate guest Wi-Fi runs to its own VLAN with IoT devices on it so compromised devices can't snoop on my network.
I do run my own home automation server but some of the devices I use insist on phoning home anyway so they're exposed. I do aim to fix that with some replacement firmware. My home "land line" is a VoIP phone going to a server with geo-blocking so that can't be a point of attack easily either. I keep separate admin accounts on the kids' computers so they can't do too much damage.