I recently heard composer Alan Williams state that we live in “operatic times” and the phrase struck a chord with me. The words have such resonance for the security industry and never more so than in this year of 2017. There have been so many, huge stories, breaches and dramas, with ever more theatrical and far-reaching events occurring on a daily basis.
From WannaCry to Bad Rabbit, from Uber to MPs and their passwords, from alleged state sponsored attacks and epic data breaches affecting tens of millions of people, never has there been a more challenging, and exciting time to be in the security industry.
Like a lot of people involved in security, 2017 has been the busiest year I have ever known, and yet when it came to writing this article it wasn’t these big stories that I found I wanted to write about. I wanted to reflect on the smaller things that I have noticed shifting this year. I do think things are slowly changing, at least from the human perspective, and it is whilst performing physical penetration tests, up close to the “people” that I have found this to be most evident.
More than ever before I have recently found that many clients have improved security systems, and more importantly behaviors. Undeniably a sign of the times, physical security systems, perimeters and detection are broadly getting better.
Never infallible, as ‘the humans’ are involved, but slowly and surely I am seeing more interference, more suspicion and overall more secure behavior amongst non-security staff when faced with social engineering attacks.
The receptionist trained to watch out for bogus visitors, the marketing guy who stopped and asked me what I was up to lurking next to the secure door. The post-it under the keyboard upon which was written “DO NOT WRITE YOUR PASSWORD DOWN!” Small things, but exponential, and occurring in organizations where security was previously lax or non-existent, and where security teams are not especially well respected or resourced.
The reality is that whilst it is necessary to discuss and address the huge challenges and global events that affect the industry, as security professionals we often fight smaller, daily battles too. The security industry is first and foremost in the business of protecting people, and that is often most effective at a local, personal level, helping them to understand how to protect themselves.
Small changes in behavior might seem insignificant when faced with the cataclysmic consequences of a massive ransom-ware attack, or a leak on the scale of the Equifax breach, but they really matter. They matter because they demonstrate that someone, somewhere got the message across. They matter because a small change can count within an organization. They matter because that receptionist, that marketing guy and that post-it note writer all “get it.” Not perfectly and not all the time, but a bit more than before, and that counts.
So for me 2017 was really about optimism. A nagging feeling that despite the continuous onslaught of evolving attacks, from the human side anyway, people are starting to take notice and wake up to the threats.
I go into 2018 really hoping that whilst the industry continues to be fueled by the drama, motivated by the challenges, it is the smaller human stories at the heart of it all, that will continue to inspire us to rise to the encroaching drama of Act II ahead. So whilst the heroes and villains of 2018 line up for their big scenes, let’s stay focused on the small stuff, because it does matter, and in a thousand little ways, it is working.