Scurvy Awareness

A Return to Fundamentals in Information Security
“Scurvy Awareness” is a public service campaign from the Summercon Foundation, built on a simple observation: we have not forgotten how to secure systems--we have forgotten to do the basic things consistently.

For a long stretch of human history, sailors knew how to prevent scurvy. Citrus worked. Fresh food worked. The solution was simple, practical, and widely understood.

And then, somehow, we forgot.

By the time of the great polar expeditions, crews were once again suffering and dying from a disease that had already been solved generations earlier. The knowledge had not vanished, but it had become inconsistent, unevenly applied, and in some cases ignored in favor of newer ideas that felt more modern and more scientific.

For a deeper history, see Stephen R. Bown’s book Scurvy: How a Surgeon, a Mariner, and a Gentleman Solved the Greatest Medical Mystery of the Age of Sail or the Wikipedia article on scurvy.

Information security has a similar problem. The industry does not lack tools, frameworks, or innovation. What it often lacks is consistent execution of the basics.

Scurvy Awareness is a reminder that most failures are not caused by a lack of sophistication. They happen because the fundamentals are neglected.

Back to Basics

  1. Use strong, unique passwords everywhere. Password reuse remains one of the most common and preventable failure modes.
  2. Enable multi-factor authentication. MFA matters most for email, cloud platforms, remote access, financial systems, and administrative accounts.
  3. Maintain an accurate asset inventory. You cannot protect what you do not know exists.
  4. Keep systems up to date. Most large-scale compromises still rely on known vulnerabilities that organizations have not patched.
  5. Control administrative access. Limit privilege, separate administrative accounts from daily-use accounts, and review access regularly.
  6. Be deliberate with email and links. Phishing works because people are busy, distracted, and trained to move quickly.
  7. Back up critical data and test restores. A backup strategy is only real if you know the restore process works.
  8. Log and monitor key systems. Visibility is required for detection, investigation, and response.
  9. Understand your external exposure. Regularly review what is accessible from the internet, including forgotten services and old test systems.
  10. Practice incident response. Know who makes decisions, who communicates, and what has to happen first when something goes wrong.

You do not need to do everything at once, but you do need to do these things reliably.

Scurvy was not defeated by complexity, but by consistency.

Continue to Summercon now
Automatically continuing in 60 seconds.