Most security failures are organizational, not technical. The Equifax breach started with an unpatched server. The Target breach started with a stolen vendor credential.
Building a security-conscious culture
Security is everyone's job
Everyone is responsible for security, not just IT. How to shift the culture:
- Lead from the top: Executives must model secure behavior
- Make it easy: Security tools should be convenient, not obstacles
- No blame: Celebrate when someone reports a phishing attempt, even if they clicked
- Regular training: Short, engaging sessions beat annual compliance videos
Practical security habits
- Lock your screen: Every time you step away (Windows+L, Cmd+Control+Q)
- Use a password manager: Company-provided and required
- Enable 2FA (two-factor authentication) everywhere: Especially email and work accounts; prefer an authenticator app or hardware key over SMS codes, which can be intercepted by SIM swapping
- Verify unusual requests: "Can you buy gift cards?" Confirm through a second channel (a phone call to a number you already have, never a reply to the message that made the request)
- Report suspicious activity: Better a false alarm than a missed breach
Incident response: when things go wrong
Having a plan means the difference between controlled response and chaos.
The incident response lifecycle
Preparation: Document roles, establish communication channels, create contact lists (legal, PR, executives), and practice with tabletop exercises.
Detection: Monitoring systems alert on anomalies, someone reports suspicious activity, or a third party notifies you of exposed data.
Containment: Isolate affected systems, revoke compromised credentials, block malicious IPs, preserve evidence for forensics.
Eradication: Patch vulnerabilities, remove malware, reset passwords, close attack vectors.
Recovery: Restore from clean backups taken before the intrusion began, verify systems are secure before reconnecting them, monitor for reinfection.
Post-incident: Document what happened, analyze root cause, update security measures.
The golden hour
The first hour after discovering a breach is critical.
Do: Alert your incident response team, preserve evidence (don't delete logs), contain the damage, document everything.
Don't: Panic and shut down everything (powering off discards memory-resident evidence; isolate the machine from the network instead), try to fix it alone, communicate publicly without a plan, ignore breach notification laws.
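"Preserve evidence" is easy to say and easy to get wrong under pressure. The following is an added example, not code from the original page: it copies the logs an incident touched into a timestamped evidence directory, writes a SHA-256 manifest so the copies can later be shown to be unchanged, and makes the copies read-only. The two sample log lines are constructed, and the directory layout, manifest fields, and collector name are assumptions made for illustration.

```python
"""Evidence preservation during the golden hour.

Added example, not from the original page: copy the logs an incident touches
into a timestamped evidence directory, write a SHA-256 manifest so the copies
can later be shown to be unchanged, and make the copies read-only. The two
sample log files are constructed inline; the directory layout, manifest
fields and collector name are assumptions made for illustration.
"""
import hashlib
import json
import os
import shutil
import socket
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file so large logs do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def preserve_evidence(sources, evidence_root: Path, collector: str) -> Path:
    """Copy each source into a new evidence directory and write manifest.json.

    Raises if a copy does not hash-match its source, so a truncated or
    partially written copy is never silently accepted as evidence.
    """
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    dest = evidence_root / f"evidence-{stamp}"
    dest.mkdir(parents=True, exist_ok=False)
    entries = []
    for index, src in enumerate(map(Path, sources)):
        src_hash = sha256_of(src)
        # Index prefix avoids clobbering when two logs share a basename;
        # copy2 keeps the source mtime, which matters for timeline building.
        copy = dest / f"{index:02d}-{src.name}"
        shutil.copy2(src, copy)
        copy_hash = sha256_of(copy)
        if copy_hash != src_hash:
            raise RuntimeError(f"copy of {src} does not match its source")
        os.chmod(copy, 0o440)  # read-only so nobody edits evidence by accident
        entries.append({
            "original_path": str(src.resolve()),
            "copy": copy.name,
            "sha256": copy_hash,
            "size_bytes": copy.stat().st_size,
            "source_mtime_utc": datetime.fromtimestamp(
                src.stat().st_mtime, timezone.utc).isoformat(),
        })
    manifest = {
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "collected_by": collector,
        "host": socket.gethostname(),
        "files": entries,
    }
    manifest_path = dest / "manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=2))
    os.chmod(manifest_path, 0o440)
    return dest


def verify_evidence(evidence_dir: Path) -> list:
    """Re-hash every copy; return the names whose content no longer matches the manifest."""
    manifest = json.loads((evidence_dir / "manifest.json").read_text())
    return [entry["copy"] for entry in manifest["files"]
            if sha256_of(evidence_dir / entry["copy"]) != entry["sha256"]]


def demo() -> dict:
    """Constructed sample: preserve two fake logs, then show that tampering is detected."""
    work = Path(tempfile.mkdtemp())
    auth_log = work / "auth.log"
    auth_log.write_text("Mar  3 02:14:07 web01 sshd[812]: Accepted publickey for deploy from 203.0.113.7\n")
    access_log = work / "access.log"
    access_log.write_text('203.0.113.7 - - [03/Mar/2024:02:15:01 +0000] "GET /admin HTTP/1.1" 200 512\n')

    evidence = preserve_evidence([auth_log, access_log], work / "evidence", "oncall@example.com")
    clean = verify_evidence(evidence)          # expected: []

    # Simulate someone "cleaning up" a log copy after the fact.
    tampered = evidence / "01-access.log"
    os.chmod(tampered, 0o640)
    with tampered.open("a") as fh:
        fh.write('203.0.113.7 - - [03/Mar/2024:02:16:00 +0000] "GET /logout HTTP/1.1" 200 0\n')
    after_tamper = verify_evidence(evidence)   # expected: ['01-access.log']

    return {"file_count": len(list(evidence.glob("*.log"))), "clean": clean, "after_tamper": after_tamper}


if __name__ == "__main__":
    print(demo())
```

The manifest is what turns a pile of copied files into evidence: the hashes let anyone later prove the copies match what was collected, and the mismatch list from verify_evidence is the check to run before handing the directory to forensics or legal. In a real incident the manifest itself should be stored somewhere the attacker cannot reach, such as a separate write-once bucket.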
Compliance: GDPR, SOC 2, and what they mean
GDPR: privacy by design
GDPR applies if you process the personal data of people in the EU, wherever your company is based. Key requirements:
- Data minimization: Only collect what you need
- Right to access/erasure: Users can request their data or its deletion
- Breach notification: Notify the supervisory authority within 72 hours of becoming aware of a breach, and affected individuals without undue delay when the risk to them is high
- Privacy by design: Build privacy in from the start
Penalties: Up to 4% of global annual turnover or 20 million euros, whichever is higher.
SOC 2: trust for enterprise customers
SOC 2 isn't legally required, but enterprise customers often demand it.
| Principle | Focus | Example controls |
|---|---|---|
| Security | Protection against unauthorized access | Firewalls, access controls, encryption |
| Availability | System uptime and reliability | Monitoring, backups, disaster recovery |
| Processing integrity | Accurate, timely processing | Data validation, error handling |
| Confidentiality | Protection of confidential data | Encryption, access restrictions |
| Privacy | Proper handling of personal data | Consent mechanisms, data retention policies |
Other frameworks
- PCI DSS: Required by the card brands (contractually, not by law) if you store, process, or transmit cardholder data
- HIPAA: Required for protected health information (PHI) handled by covered entities and their business associates in the US
- ISO 27001: International standard for an information security management system (ISMS); certification is by external audit
Security vs usability
Strong security creates friction. The challenge is balance.
Example: Requiring 20-character passwords changed every 30 days leads to sticky notes on monitors. Better: Long passphrases, rotated only when compromise is suspected, plus 2FA.
Design principles:
- Progressive security: Require more verification for sensitive actions
- Smart defaults: Secure by default, adjustable by users
- Friction in the right places: Make risky actions harder, routine actions easy
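The three principles above can be expressed as one decision function. The following is an added example, not code from the original page: a step-up authentication policy that lets routine actions through, prompts for a second factor when the action is sensitive and the last factor is too old, and fails closed on anything it does not recognize. The action tiers, the freshness windows, and the session fields are assumptions chosen for illustration, not a standard or any product's policy.

```python
"""Progressive (step-up) authentication policy.

Added example, not from the original page: a small decision function that
asks for more verification only when the action warrants it. The action
tiers, the MFA-freshness windows and the session fields are assumptions
chosen for illustration, not a standard or any product's policy.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Routine actions stay frictionless; the risky ones carry the friction.
ACTION_TIER = {
    "view_dashboard": "low",
    "edit_profile": "low",
    "change_password": "high",
    "add_payee": "high",
    "export_all_data": "high",
    "disable_mfa": "critical",
    "wire_transfer": "critical",
}
# How recently the second factor must have been completed, per tier (assumed values).
MFA_MAX_AGE = {"high": timedelta(minutes=15), "critical": timedelta(minutes=2)}


@dataclass
class Session:
    user: str
    authenticated_at: datetime
    mfa_at: Optional[datetime]   # last successful second factor in this session, if any
    device_trusted: bool         # device was enrolled by this user earlier


def required_step(action: str, session: Session, now: datetime) -> str:
    """Return 'allow', 'mfa' (prompt for a second factor now) or 'deny'."""
    tier = ACTION_TIER.get(action)
    if tier is None:
        return "deny"  # unknown action: fail closed instead of guessing a tier
    mfa_age = None if session.mfa_at is None else now - session.mfa_at
    if tier == "low":
        # Smart default: no prompt for routine work, except one challenge per
        # session when the user shows up on a device they have never used.
        return "allow" if session.device_trusted or mfa_age is not None else "mfa"
    if tier == "critical" and not session.device_trusted:
        # Assumed policy choice: money movement and MFA changes need an
        # enrolled device, not merely a code typed on an unknown one.
        return "deny"
    if mfa_age is None or mfa_age > MFA_MAX_AGE[tier]:
        return "mfa"   # second factor missing or too old for this tier
    return "allow"


def demo() -> dict:
    """Constructed scenarios covering each branch of the policy."""
    now = datetime(2024, 3, 3, 10, 0, tzinfo=timezone.utc)
    trusted_fresh = Session("alice", now - timedelta(hours=1), now - timedelta(minutes=1), True)
    trusted_stale = Session("alice", now - timedelta(hours=1), now - timedelta(minutes=30), True)
    new_device = Session("alice", now - timedelta(minutes=5), None, False)
    return {
        "dashboard/trusted": required_step("view_dashboard", trusted_fresh, now),  # allow
        "dashboard/new_device": required_step("view_dashboard", new_device, now),  # mfa
        "add_payee/fresh_mfa": required_step("add_payee", trusted_fresh, now),     # allow
        "add_payee/stale_mfa": required_step("add_payee", trusted_stale, now),     # mfa
        "wire/fresh_mfa": required_step("wire_transfer", trusted_fresh, now),      # allow
        "wire/stale_mfa": required_step("wire_transfer", trusted_stale, now),      # mfa
        "wire/new_device": required_step("wire_transfer", new_device, now),        # deny
        "unknown_action": required_step("delete_everything", trusted_fresh, now),  # deny
    }


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{scenario:24} -> {decision}")
```

The point of the table-driven tiers is that product teams can move an action between tiers without touching the authentication code, and the fail-closed default means a newly added action gets friction until someone deliberately classifies it as routine.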
Remote work security
Remote work dissolved the traditional corporate network perimeter. Every home office is now an extension of your network.
For employees: Use a VPN for sensitive work, separate work and personal devices, secure your home WiFi (WPA3, or WPA2 with a strong passphrase, and change the router's default admin password), lock devices when stepping away.
For companies: Provide security tools (VPN, password manager, hardware 2FA keys), deploy endpoint detection and response (EDR), adopt zero-trust architecture (verify every request, trust nothing), enforce device management (MDM, remote wipe, automatic updates, full disk encryption).
Quick reference: security in practice
| Situation | Action |
|---|---|
| Suspected phishing | Don't click, report to IT |
| Lost work device | Report immediately for remote wipe |
| Using public WiFi | Use VPN, avoid sensitive work |
| Unusual access request | Verify through second channel |
| Potential breach | Alert incident response team, preserve evidence |
| Compliance audit | Document everything, be honest about gaps |