You are what keeps me up at night

Published 3:00 am Friday, April 20, 2018

The regulatory landscape for information management and data privacy in the United States is vast and rocky. Each state now has its own version of data breach notification requirements, many states have enacted industry-specific regulations, and at the federal level there is a myriad of sector-based regulations and best practices. Many large organizations with diverse products and geographically dispersed customers face scores of information security requirements at once.

Yet, despite the unique characteristics of these many different approaches, one common denominator emerges. One single threat, or, more specifically, one attack vector is clear: the human. That’s right, you, me, us – we are the weak link in the chain.

As a cybersecurity practitioner, I hate answering an often-asked question, “What keeps me up at night?” When I respond, “you”, the reaction is, well, vigorous surprise.


Of course, I don’t mean “you” specifically, but rather end users in general, the audience for whom the technology is designed.

Exploiting the human during a cyberattack is common. In fact, statistically, over seventy percent of the reported attacks in 2017 occurred due to human error. Approximately half of those successful attacks exploited the day-to-day end user; the remainder were errors by IT employees.

Attacking the human is successful, in part, because of human nature. Targeting the good nature, curiosity and eagerness of a person is simple. We want to help, and we want to engage with technology.

Email, please come forward. Seemingly innocuous, benign, just the simple correspondence that we use every day. Enhance a message with a bit of urgency, say, an IRS plea, a request for emergency aid, or a prince of a faraway land who has some cash for you, and the human dynamic will present itself quickly.

The act of “phishing” is an easy activity. Exploit human nature via email, send thousands of messages to the masses, and wait. Responses will arrive: usernames, passwords, banking information. Yes! I want free money, here’s my banking information, I trust you, you internet stranger with good intentions.

In the first half of 2017, there was a nearly two hundred fifty percent increase in phishing email activity. Phishing continues to be the number one method for theft of credentials and distribution of malware. By mid-2017, nearly one hundred percent of all ransomware attacks occurred as the result of phishing email messages.

We humans continue to present both opportunity and risk to ourselves and our employers by opening phishing email messages and unsolicited attachments – it only takes one malicious engagement to take down an entire network or computing environment. The bad guys continue to use these common approaches for one simple reason: they work. We read email, and we are curious.

Unfortunately, no technological safeguard will protect us from ourselves. We must be aware and understand how to protect our computing environments. Some key methods for staying vigilant follow.

Be suspicious of unsolicited email messages or texts. Check the sender before opening attachments or clicking links. If the message is odd or unexpected, contact the sender through a channel you already trust and ask about the message. Watch for poor grammar and oddly designed imagery. Furthermore, avoid clicking on embedded links.

Avoid public Wi-Fi where possible. If you must use it, limit it to casual internet browsing and do not log in to secure services.

Use complex passwords. Do not create passwords that are easily guessed. If available, activate two-factor authentication, which requires two separate proofs of identity from the user before granting access.

Never send personal or confidential information via email or text; use secure communications for sensitive transactions.

Be suspicious of emergency email messages. Financial institutions rarely contact users via email for emergency notifications; government agencies do not solicit personal information via urgent email messages either.

Protect yourself and your environment through awareness. It’s better to be safe than sorry. Be cautious with everyday technologies and appreciate that bad actors will seek to take advantage of your human nature through our constantly connected communication tools.

Verify when in doubt. Practice safe computing hygiene and keep the would-be hacker away.