2024-02-16

Pension

 


Despite the fact that, all being well and regulations unchanged, I should already have been enjoying my retirement for more than six months in ten years' time, I still feel so young that I unemotionally archive mail from the pension fund. There is a vague realization that I should be more interested in my financial future, but at the same time there's also resignation: on the one hand, based on the general feeling that everything has been well arranged for me, and on the other hand, because it is probably too late to take additional measures, should I want to do so.

A while ago I spoke with a colleague about the involvement of non-peers in the subject of information security. Or rather: about the lack of involvement. He made a striking comparison (thanks Hugo!): would you listen with interest to a pension advisor, or would you rather think: here's my money, do the right things with it?

Oh, there you caught me. I've never talked to a pension advisor before. From the age of 25, pension contributions are deducted from my salary and the pension fund regularly lets me know how I am doing. If I retire at the normal age, I will receive this amount of money every month, and if I die, my surviving relatives will also receive something; that kind of information. I take a quick glance at it and at most think: “Well well!” and proceed to the order of the day. So I'm quite literally saying: here's my money, do the right things with it.

Do pension advisors ever complain that people show far too little interest in their pensions? That it would be in their own interest to look into it and take the right measures? And that few people have the sense to worry about this at a young age? If I had to arrange a supplement to my pension now, it would probably be unaffordable. However, if you start in your early years, you can spread your investment over many years.

In any case, information security professionals regularly complain that people show too little interest in their security. They live in the vague hope that everything will be more or less well arranged. The internet connection at home costs money, so the provider must have supplied a secure modem, right? And that WiFi connection of your dishwasher, dryer and air conditioning from a renowned brand, isn’t that just fine? The apps on your phone and the websites you visit all have a privacy policy, so you don't have to worry about that, do you? These are all assumptions that appease our conscience, if we think of them at all.

Reality is more stubborn. A device is relatively safe if it has had the latest update in which the manufacturer has fixed the known errors. If you do not have that update, your device carries vulnerabilities that can be exploited by attackers. You can easily ensure that you always have the latest updates on your laptop and phone by having everything happen automatically. Of course, if a program or app asks you to do something to effect the update, you still have to actually do it.

There are also people at work who think that the people from the security team will take care of things. That is true to a certain extent: we write down what you should do and not do to keep things safe. We call that policies, standards, regulations – whatever the name. After that, however, it is up to those who are responsible for their part of the equation to also take responsibility for the information security aspect (and privacy, and continuity). And so they have to think at an early stage about what all these regulations mean for their field of work and actually do something with them.

I know, this is easier said than done. My devices at home also feel neglected. It is quite a job to do something about it, which makes it easy to hide behind the argument “not right now, it takes too much time”. But sometimes you just have to make that time. You know what? I have next week off, but we're not going away. I hereby promise our smart devices that I will check whether there is anything to update (which remains to be seen) and if so, that I will do so.

It would be so much easier if many more devices did an automatic update. Then you don't have to figure out where to get your updates from and how to install them. I think many non-ICT professionals shy away from the latter in particular. Hopefully manufacturers will do more to help us with this. And the European Cyber Resilience Act will force them into this. We want security by design: take all this into account from the start and pay attention to it throughout the entire lifespan of the product.

Still wanted: pension by design

There will be no fresh Security (b)log next week.

 

And in the big bad world...
