IT Security Advice and Why You Should Ignore (Most of) It

One of the most important jobs for IT is to protect the company from crime, loss of productivity, theft of data, privacy violations and other illegal, offensive or just plain annoying nonsense.

IT has to follow certain legal and regulatory guidelines, and quite often nags you to do the following. But should you?

1. Change your password regularly
2. When you see a certificate error on a website, don't use the site
3. Use complex passwords
4. Never use the same password for different things

Most people don't follow any of that advice, and the good news is that for most of it they are right not to bother.

These are mostly dogma. In most cases you can safely ignore the advice above. Why?

1. If a hacker gets your password, it is usually via malware or a phishing page that captures it, and it will be used to get into your account almost immediately, certainly within a couple of days. You can't change your password every two days, so changing it every month or two does nothing against that. Worse, forced rotation trains people into predictable sequences (Summer2014, Summer2015, ...), which is why current guidance (NIST SP 800-63B) says to change a password when you have reason to believe it has been compromised, not on a calendar. Changing your password often does not protect you against today's threats.

2. If you have used the internet for more than 24 hours, chances are you have seen this message:

(Internet Explorer certificate warning)

You (along with most other people) probably just click "Continue", "Proceed anyway" or "I understand the risks".

The trouble is that most people don't care about or understand the risks; they just want to do whatever they were trying to do, and a red warning isn't going to get in the way.

The good news is that you are usually safe anyway. Phishing pages linked from spam rarely sit behind a broken certificate: they use either plain http or a perfectly valid certificate, precisely because a red warning would scare their victims away. The warning itself is rarely the sign of a scam.

In most cases the warning is due to a forgetful website administrator who let the certificate expire (or set it up for the wrong hostname) and is trying to find their credit card while you are browsing!! The exception worth remembering: if a site you use every day without warnings suddenly shows one, especially on hotel or coffee-shop Wi-Fi, something between you and the site may be intercepting the connection, and that is exactly what the warning exists to catch. The message tells you which it is: "expired" is almost always the admin; "name mismatch" or "not trusted" on a site that normally works deserves a second look before you click through.
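To see which kind of error a site is actually producing, without relying on the browser's wording, here is a small Python checker added for this page; it is not part of the original post. It opens a TLS connection with Python's default strict verification and maps OpenSSL's verify result codes (which ssl.SSLCertVerificationError exposes as verify_code) to "missed renewal" versus "looks like interception". The sample error codes in the block are constructed, and the test hosts named in the comment (expired.badssl.com, wrong.host.badssl.com, self-signed.badssl.com) are public test sites not mentioned in the original post.

```python
import socket
import ssl
import sys

# OpenSSL X509 verification result codes, as surfaced by
# ssl.SSLCertVerificationError.verify_code (Python 3.7+).
NOT_YET_VALID = 9
EXPIRED = 10
SELF_SIGNED_LEAF = 18
SELF_SIGNED_IN_CHAIN = 19
UNKNOWN_ISSUER = 20
HOSTNAME_MISMATCH = 62


def classify(verify_code, verify_message=""):
    """Map a certificate verification failure to (verdict, explanation).

    "probably-admin": the cert is real but outside its validity period,
    the classic forgotten-renewal case from the post.
    "suspicious": the cert was issued for another name or by an issuer
    your machine does not trust, which is what a cloned site or a
    man-in-the-middle on public Wi-Fi looks like.
    """
    if verify_code in (EXPIRED, NOT_YET_VALID):
        return ("probably-admin",
                "certificate outside its validity period: usually a missed renewal")
    if verify_code == HOSTNAME_MISMATCH:
        return ("suspicious",
                "certificate issued for a different name: wrong vhost, or a clone/intercept")
    if verify_code in (SELF_SIGNED_LEAF, SELF_SIGNED_IN_CHAIN, UNKNOWN_ISSUER):
        return ("suspicious",
                "issuer not trusted: self-signed or unknown CA, typical of interception")
    return ("unknown", verify_message or "unrecognised verification error")


def check_host(host, port=443, timeout=5):
    """Open a real TLS connection with default (strict) verification and
    return ("ok", detail) or the classify() verdict for the failure."""
    ctx = ssl.create_default_context()   # verifies chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()  # only populated when verification passed
                return ("ok", "valid certificate, expires %s" % cert.get("notAfter"))
    except ssl.SSLCertVerificationError as e:
        return classify(e.verify_code, e.verify_message)


# Constructed sample errors (assumption: these are the codes a browser would
# see for the three common causes), so the script demonstrates itself offline.
SAMPLE_ERRORS = [
    ("forgotten renewal", EXPIRED),
    ("wrong vhost or cloned site", HOSTNAME_MISMATCH),
    ("corporate proxy or MITM", UNKNOWN_ISSUER),
]

if __name__ == "__main__":
    hosts = sys.argv[1:]
    if hosts:
        # e.g. python certcheck.py expired.badssl.com wrong.host.badssl.com self-signed.badssl.com
        for h in hosts:
            print(h, *check_host(h))
    else:
        for name, code in SAMPLE_ERRORS:
            print(name, "->", *classify(code))
```

Run it with no arguments to see the classification of the constructed samples, or pass hostnames to test real sites. Note that a corporate TLS-inspection proxy produces the "issuer not trusted" case on a machine that does not have the proxy's CA installed; that is interception, just an authorised kind.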

3. This one is a classic. If your passwords are too complex, then you will probably write them down and stick them on your monitor, which is not great. If you don't write them down, you probably use a system of children's names, pets and birthdays, perhaps mixed with a few numbers, which is also easy to guess.

Instead, just use a passphrase, like "I live in London!" or "My son's name is Chris" or "I hate passwords!" A passphrase is easier to remember and, because it is long, harder for a hacker to brute force; a few words beat any eight-character mix of symbols. The one caveat: don't pick a sentence that is true about you and visible on your Facebook page, and don't pick a famous quotation, because cracking dictionaries include both. The strength comes from length and from words nobody would guess, not from the punctuation.
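To put numbers on "longer beats more complex", here is a short Python estimate added for this page; it is not from the original post. It assumes an offline attacker who has stolen the password hashes and can try 10^10 guesses per second, and a Diceware-style list of 7776 words; both figures are assumptions chosen for illustration.

```python
import math

# Assumptions for this added example (not from the original post): a
# Diceware-style list of 7776 words, and an offline attacker who has stolen
# the password hashes and can test 10^10 guesses per second.
WORDLIST_SIZE = 7776
GUESSES_PER_SECOND = 1e10


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must assume, from the classes used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33          # printable ASCII punctuation
    return size


def bits_for_password(password: str) -> float:
    """Upper bound on strength if every character were chosen at random.
    Real human-chosen passwords ("P@ssw0rd1") are far weaker than this,
    because crackers try dictionary words with common substitutions first."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def bits_for_passphrase(n_words: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Strength of n words picked at random from a list the attacker knows.
    A sentence you made up ("My son's name is Chris") is NOT random: it is
    guessable from your social media and from phrase dictionaries."""
    return n_words * math.log2(wordlist_size)


def years_to_crack(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to hit the password (half the keyspace) at the given rate."""
    return (2 ** bits) / 2 / rate / (365 * 24 * 3600)


if __name__ == "__main__":
    candidates = [
        ("8 chars, all classes", bits_for_password("Tr0ub4d&")),
        ("11 chars, all classes", bits_for_password("Tr0ub4dor&3")),
        ("4 random words", bits_for_passphrase(4)),
        ("6 random words", bits_for_passphrase(6)),
    ]
    for label, bits in candidates:
        print(f"{label:22s} {bits:6.1f} bits  ~{years_to_crack(bits):.2e} years")
```

The character-class figure is an upper bound: it treats Tr0ub4dor&3 as eleven random characters, when a cracker tries "troubadour" with the usual substitutions long before it gets anywhere near 2^72 guesses. The passphrase figure is honest only if the words really were chosen at random, which is the caveat on the advice above.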

4. If you can remember 100 different passwords then you are a better person than me (you probably are anyway). The advice itself is right; it is the expectation that you memorise them that is wrong. Reuse is the one habit that really bites, because when one site is breached the attacker tries the same email and password on every other site within hours.
Instead of trying to remember 100 unique passwords, one per site, use a program to manage your passwords and have just one strong passphrase to get into that program.
Also, IT has a project to replace all passwords with a small USB key device that you will have to carry around with you; it will hold all your passwords, and you will only have to remember one passphrase.

So then, what should you do?

1. Never click on links in spam; if you do, you get what you deserve
2. Don't use Internet Explorer
3. Don't use Adobe products like Acrobat Reader (and keep whatever you use instead patched; document readers and browser plugins are the usual way in for drive-by infections)
4. Don't browse to dodgy sites on purpose
5. Use some form of free antivirus that also scans the websites you visit
6. Use a free firewall
7. Ask your IT people "what is the likelihood of that actually happening?" Don't just believe them.