An ever-present concern in IT is Cyber Security. The media carry lurid tales every day of how XYZ Corporation was hacked and customers' financial information or intellectual property was stolen. Often XYZ Corporation is a well-known household name.
Hacking and general misbehavior over the Internet are on the increase. Many CIOs will tell you that attacks are growing in both frequency and ferocity. Attackers are using new vectors and new techniques to hook unsuspecting users. DDoS attacks now use far greater bandwidth to knock websites offline. The FBI has stated that ransomware is the fastest-growing malware around, and is now a multi-billion dollar industry.
IT Departments have gone to great lengths and expense to secure, as best they can, corporate networks from external attack — home environments, less so.
However, the FBI has also stated that the most significant Cyber Security risk sits between the keyboard and the chairback. In short, the enemy is already inside the gates. This is because the most significant vector for distributing malware is phishing, and phishing only succeeds if a user falls for it.
Recognizing this, many organizations have made user education a substantial part of their Cyber Security arsenal. ISPs and commercial companies like finance houses regularly make security awareness part of their customer interactions.
However, familiarity breeds, if not contempt, complacency, and the typical program looks something like this:
A new recruit/user is assigned access codes to the corporate network and systems, their security level depending on their role.
HR takes them through the company's network policy, but because they are HR rather than IT, this often amounts to "Here's a copy. Read it." Private individuals are asked to accept Terms and Conditions they don't read, or are directed to a web page to read and then accept, again without reading.
If the new corporate user is a remote worker, they might not even get that, just an email with their access credentials and the policy as an attachment.
A regular email or a banner on the landing page reminding them of network security policy and urging them to be careful.
Sometime after they have left, IT is asked by HR to deactivate their account. Private individuals often retain the account and just stop using it.
A successful program requires persistence. HR tends to ignore existing users in a company, and the program falls away into background noise after a while. Reinforcement emails are ignored.
That is why many industry experts regard many Cyber Security awareness programs as lip service only, and caution that security awareness in general remains at a low level and is not sufficient.
Individuals can break security protocols with ease:
The most common way malware gets in is a user falling for a phishing email.
Users receive an email that appears to come from a friend, a colleague or a trusted institution such as their bank. It doesn't. The attacker hopes the recipient will click a malicious link that leads to a fake website, where their credentials are harvested or malware is downloaded.
As of 2020, an estimated 3 billion spoofed emails are sent every day.
Users need to look for discrepancies between who the email claims to be from and the actual sending address, between the visible link text and the address it really points to, for odd language and spelling, and for anything else that looks out of place.
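The checks in the previous paragraph can be automated, at least as a first pass. The following Python script is an added example and is not code from the original article: it parses a constructed sample phishing email (every address, hostname and URL in it is invented; the IP address is from a reserved documentation range) and reports the tells described above, namely a lookalike sender domain, link text that shows one address while the href goes to another, a raw IP address as the link target, and links that leave the sender's domain. It goes one step beyond the text by also flagging pressure language ("urgent", "within 24 hours"), a common phishing tell. The registrable_domain() helper is a deliberate simplification that takes the last two labels of a hostname; a production check would consult a public-suffix list.

```python
"""Spot common phishing tells in a raw email message.

Added example, not from the original article. All addresses, hosts and URLs
in the sample below are invented for illustration.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real phish). 203.0.113.7 is a reserved
# documentation address; the domains are made up.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examp1e-bank-support.com>
To: user@corp.example
Subject: Urgent: verify your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear customer, your account will be suspend. Please verify within 24 hours:</p>
<p><a href="http://203.0.113.7/login">https://www.example-bank.com/secure</a></p>
<p><a href="https://examp1e-bank-support.com/verify">Verify now</a></p>
</body></html>
"""

URGENCY_WORDS = ("urgent", "within 24 hours", "suspend", "verify")
# Digits commonly swapped for letters in lookalike domains (heuristic, not exhaustive).
CONFUSABLES = str.maketrans("103", "loe")


def registrable_domain(host):
    """Last two labels of a hostname; a crude stand-in for a public-suffix lookup."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw_message):
    """Return a list of human-readable findings; an empty list means no tell was spotted."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    _, sender = parseaddr(str(msg["From"]))
    sender_domain = registrable_domain(sender.rpartition("@")[2])

    # Tell 1: a lookalike domain where digits stand in for letters (examp1e -> example).
    normalized = sender_domain.translate(CONFUSABLES)
    if normalized != sender_domain:
        findings.append(f"sender domain {sender_domain} looks like {normalized}")

    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    collector = LinkCollector()
    collector.feed(body)

    for href, text in collector.links:
        target = urlparse(href).hostname or ""
        # Tell 2: the visible link text is itself a URL, but its host differs
        # from where the href really goes.
        shown = urlparse(text).hostname if "://" in text else None
        if shown and registrable_domain(shown) != registrable_domain(target):
            findings.append(f"link text shows {shown} but goes to {target}")
        # Tell 3: the link goes to a bare IP address instead of a named host.
        if target and target.replace(".", "").isdigit():
            findings.append(f"link points at a raw IP address: {target}")
        # Tell 4: the link leaves the sender's own domain.
        if target and registrable_domain(target) != sender_domain:
            findings.append(f"link host {target} is not under sender domain {sender_domain}")

    # Tell 5: pressure language in the subject or body (two or more hits).
    haystack = (str(msg["Subject"]) + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in haystack]
    if len(hits) >= 2:
        findings.append("urgency language: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print("-", finding)
```

Run it as a script to print the findings for the sample, or call analyze() on any raw message; a plain internal note with no links returns an empty list. None of these heuristics alone proves a message is malicious (a legitimate newsletter routinely links to tracking hosts outside the sender's domain), so treat the output as a prompt for the user to look closer, which is exactly the habit the text argues for.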
Most desktop computers accept removable media. Some still have DVD/CD drives, and nearly all have USB ports for flash drives. Both are serious security risks and should be disabled for ordinary corporate users (blocking removable storage at the operating-system or endpoint-management level, rather than physically disabling the port, keeps keyboards and mice working).
Users can use flash drives to transfer information between home and work. The home computer is less likely to have up-to-date and complete anti-malware protection, and it may be used by more than one person in the household.
Many households with more than one device have a home WiFi network. For example, some families use their home network and Internet connection to download and play networked games. Again, malware can easily be transferred from a gaming computer onto a flash drive that is then taken to work.
Far too often passwords are easy to guess, or they are written down: a Post-it on the monitor, a note on the back page of a diary, or even a slip under the mousepad is common.
Consumer Security awareness is not optional.