Habit Forming

How long will it take to get into a habit of using basic cyber hygiene techniques?

When you come out of a training course, be that one on cyber security from the NCSC or one that will assist with your continued professional development, you always make a little deal with yourself that without fail you will put into practice, starting the very next day, what you have learned. But in reality, how often does that happen?

If we are honest with one another, despite our initial enthusiasm, when returning to the normal workplace our new-found skills swiftly wane and are placed in a mental folder labelled ‘to do when I have a bit of free time’. Sound familiar? So how can this be resolved?

It all comes down to habit, those crazy little ceremonies that we mentally and physically play out as we go about our business. They seem to be hard-wired into us and almost impossible to change. We know we shouldn’t eat too many burgers, but people still do – it’s a habit. Now, if these habits are related to a technology issue, such as your passwords, and you are expected to replace that habit with something as potentially daunting as dual factor authentication, then it probably doubles in difficulty.

Back in the 1960s a pop psychology book titled ‘Psycho-Cybernetics’ concluded that it would take a minimum of 21 days for an old habit to be dissolved and a new one to be embedded. So that’s three weeks from walking out of the training room, assuming you put what you had learned into practice the very next day, to feeling that it is now habitual.

However, this has been contradicted by a study in The European Journal of Social Psychology, which reported that it took on average 66 days to form a habit. Hmm, that’s now about 9 weeks from walking out of the training room.

And just to stretch it out even further, basic training in the US Military is 90 days, as they have found that is the optimum length of time needed for recruits to go through all the stages of emotional upheaval as old habits are broken down and new ones formed.

From this, then, we can conclude that to form a new habit we are looking down the barrel of between three weeks and three months. Does that sound a long time to you? It’s not really. It’s from today until the end of September. Just imagine if you implemented some basic cyber hygiene today: you’d be not only protected but comfortable with the new processes and changes to your use of IT whilst there are still leaves on the trees.

Three areas to consider would be:

  • Dual Factor Authentication: with the prerequisite of changing all your existing passwords to ‘strong passwords’ as you go, and no longer using the same password for multiple devices, services or websites.
  • Implementing Anti-Virus / Anti-Malware and keeping it updated.
  • Patch Management: keeping all your software, both desktop and mobile, your applications and, if you have them, your servers, up to date with all the latest fixes and updates.

Although that’s certainly not a definitive list, it will certainly take those with little or no protection to a basic level, and the eagle-eyed amongst you may have noticed that the latter two can be automated. Both anti-virus / anti-malware solutions and software patches can be set to update automatically. The only habit needed here is giving your permission when they ask to install. Set that up and then (almost) forget about it.

The challenging one for most will be the dual factor authentication set up, but trust me when I say that it is relatively straightforward. All of the major software companies support it, and it may just require a bit of Googling or reading of help files on exactly how to do it. The ‘pain’ point will come each time you log in, when you have to find your phone, open up the Authenticator app, see the time-expiring code and type it in before it becomes obsolete.

You will curse it, you will dislike it, you will want to go back to how things used to be, but according to the handful of books and websites that I’ve scanned about killing off old habits and forming new ones, that’s exactly how you should feel. So, you can take some semblance of comfort in your discomfort as you become more secure.

And now for the good news, yes, there is good news. It’s widely believed that once you have successfully broken an old habit and implemented a new one, it’s unlikely that you will slip back. I can speak from experience on this matter: when I implemented dual factor authentication, even though I’m a technologist at heart and wish to be as secure as I can be, I would curse the codes, the time limits and what I saw as additional hoops to jump through just to get on to Amazon, Evernote or DropBox, but now, many months on, it’s just become normal.

In fact, when I see a friend or colleague log on without using it I’m somewhat taken aback, and the thought of going back to a more insecure world fills me with dread. I can safely conclude that I have successfully formed this new habit of basic cyber hygiene.

Now I don’t say this to appear holier than thou or anything, just to say that it can be done, but it’s going to take up to three months to become a new habit. All I wish is that I had been told that as I exited the training room when I first learned some basic lessons in cyber security.

