There have always been people in the anti-malware industry who don’t automatically put PR and commercial advantage ahead of public interest, and give credit where it’s due. Fortunately, quite a few of them work for ESET. :) We try to be scrupulous about correctly attributing research from other companies, share samples and security information with them, and sometimes collaborate on research, conference papers and presentations, and even share blogs from time to time, though that's fairly unusual. Here, for example, is a blog from 2010 co-authored by myself and Magnus Kalkuhl (at that time working at Kaspersky) clarifying our essential agreement on an issue raised by the media.
But not completely unknown. Recently, I was rather pleased to be invited to contribute to a blog article by Aurelian Neagu for Heimdal Security, who asked a number of security researchers to answer the question "Can you name 3 security tips any user needs to follow to stay safe online?"
It turns out that 19 people contributed more than 50 tips to the article 50+ Internet Security Tips & Tricks from Top Experts. Some of the contributions come from inside Heimdal and CSIS (the well-regarded security company that originally launched Heimdal), but many come from other security companies and some journalists specializing in security topics. Among those contributors were such luminaries as Microsoft’s Troy Hunt, F-Secure’s Mikko Hypponen, CSIS’s Peter Kruse, journalists Simon Edwards (Dennis Publishing and AMTSO), Neil Rubenking (PC Magazine) and Kelly Jackson Higgins (Dark Reading) and many more. And some bloke called Harley. :) I plan to revisit and expand upon the points I made at some point in the future, but I certainly wouldn't want to stop you taking advantage of the other tips included.
Inevitably, given that the starting point of the blog was that “…we don’t want to intervene or alter the answers received,” some points are made by more than one person, but there’s certainly a wide enough spread of specialty and expertise here to make it worth considering checking out the article, since two people may address the same core issue - passwords, for instance - but make quite different (yet complementary) points.
The article is even downloadable as an eBook. It doesn't constitute a 'how to' in the sense of an article on how to address a single security issue, but it certainly provides information on a number of ways in which you might make your online experience generally safer.
Here are some relevant points from a conference paper on user education that ESET's Sebastián Bortnik and I presented at AVAR in 2014:
It is not possible to teach the entire world about new threats and remedial practices on a day-to-day basis, and at the same fast rate at which new technologies are adopted. On the other hand, most of the people who have ever received awareness-raising advice are likely to change something in the short term, so it is probably a matter of how frequently they receive the message in order to reinforce the lesson and sustain change. (Bearing in mind that an overfamiliar message may actually dull the recipient’s receptivity.) Finally, holistic integration with other approaches to security awareness and enhancement is still needed: the information security community cannot do it by themselves, and improved cooperation and information exchange with other key actors should be encouraged.
We believe that these approaches (and some patience) will bring us to a not-so-distant future where information security is not only something that really matters to the community, but something that even home users can realistically achieve.
If I had to boil down my own contribution to a short summary, though, it would be something like this:
Organizations achieve reasonable security by wrapping layers of security around themselves rather than relying on a single magic-bullet solution. Reasonably well-protected individuals apply the same thinking (though normally at much less expense), but they remember that they are themselves an essential 'layer' of security.
As my old friend Ken Bechtel puts it: '...until we get people realizing they are PART of cyber defense in depth, we will always be responding to incidents.'