
The Largest IT Security Risk: YOU

Published Tuesday Feb 13, 2018

Author: Kurt Simione

It’s our fault. Me, you, the people to our left and right. Let’s accept that most (or all) of the IT breaches are caused by us. We clicked the wrong thing in the wrong email and installed ransomware.

We wired money from our business checking account to a thief because our CFO told us to do so. Or so we thought. Turns out the CFO didn’t tell you to — a “bad guy” did.

We used a password of “Password1” and thought that no one would ever guess that. Heck, it uses text characters, a numeral and a capital, right? Yup, someone guessed it and logged into your email. Hackers don’t need to hack computers anymore. They just need to hack people. Me and you.

Need proof that we are the biggest threats to our own digital security? Consider these three points from Verizon’s 2017 Data Breach Investigation Report:

• 81 percent of hacking-related breaches leveraged weak/stolen passwords.
• 66 percent of malware was installed via malicious email attachment.
• 95 percent of phishing attacks that led to a breach involved software installation.

So, weak passwords and software installed via people clicking malicious email attachments are responsible for a whole bunch of bad news.

Why Is It So Easy to Deceive Us?
Let’s start with the obvious: Hackers are clever. When you get paid to deceive people, you get good at deceiving people. These crooks spend days, months and years fine-tuning their attempts to trick you. And they don’t need to trick everyone—just you. A single ransomware infection can bring in thousands of dollars.

A little less obvious: We’re all really busy. If you’re reading this article, you’re likely involved in business, which probably means you’re really busy. And because we’re really busy, we don’t always give everything our full attention. We can’t. There aren’t enough minutes in the hour. We multi-task. We rarely give our undivided attention to the information sitting right in front of us. Like the seven emails you got while reading this article.

You’ll scan them, pull out what you deem important and disregard the rest. You have to.

As long as we’re giving our technology only a portion of our attention, the bad guys will always have an advantage that IT and security pros can never compete with.

Hackers and other bad guys are counting on the fact that if they create an email that mimics the look and feel of your credit card company’s website, you’ll click on it and enter your password without thinking. And after you do so, they’ve recorded your password—the same one you probably use on 40 different websites.

They are counting on the fact that you receive daily shipments from FedEx and wouldn’t think twice about clicking on an attachment that purports to give you tracking information on that package you ordered. Of course, the attachment instead infects your server with ransomware.

Stopping the Bad Guys
To protect our networks from these attacks, we brag about firewalls, patches, anti-virus, anti-malware, monitoring, content filtering, group policy and a host of other security measures. All are necessary and serve a purpose, yet the problem remains that we’re still being hacked and stolen from regularly.

It’s time that we stop making it easy for the bad guys. Do not welcome hackers into your corporate and personal life. Take some responsibility for learning the technology that we take for granted. If business people were better about assuming all attachments, links, emails and software were malicious until proven otherwise, we’d be a lot more secure.

No one would wire money to a fraudulent bank account if they visited or called the intended recipient to confirm that the request was not fraudulent.

End-user training is essential. IT professionals have tools and strategies to help us better document and understand what types of fraudulent emails are deceiving our employees and who those employees are.

For starters, identify and correct the “urge to click.” This involves using a product from KnowBe4 (there are others, as well) that tests and trains workers on phishing and ransomware tactics without the malicious outcomes.

The security awareness programs are used to attempt to deceive the end user and then notify them that the link that looked like a Facebook login was actually a rogue link that could have been used to install ransomware. The goal is to identify and train the most susceptible end users to look at emails a little more cautiously and recognize what a threat might look like.
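The two things such a program has to report back are which lures work and which people keep falling for them. The script below is an added illustration, not code from the article or from KnowBe4: it scores a constructed set of simulated-phishing results (the user names, lure names and scoring weights are all assumptions) to rank lures by how often they succeeded and to list the users who most need training.

```python
# Added example (not from the article or any vendor product): score the results
# of a simulated-phishing campaign to find the effective lures and the most
# susceptible users. Event data and weights below are constructed for illustration.
from collections import defaultdict

# Constructed sample events: (user, lure_template, action)
# action is one of "ignored", "reported", "clicked", "submitted_credentials"
SAMPLE_EVENTS = [
    ("alice", "fedex_tracking", "clicked"),
    ("alice", "cfo_wire_request", "submitted_credentials"),
    ("alice", "facebook_login", "ignored"),
    ("bob", "fedex_tracking", "reported"),
    ("bob", "cfo_wire_request", "ignored"),
    ("bob", "facebook_login", "clicked"),
    ("carol", "fedex_tracking", "clicked"),
    ("carol", "cfo_wire_request", "reported"),
    ("carol", "facebook_login", "reported"),
    ("dave", "fedex_tracking", "submitted_credentials"),
    ("dave", "cfo_wire_request", "clicked"),
    ("dave", "facebook_login", "clicked"),
]

# Reporting the lure is the behaviour we want (negative weight); clicking is bad;
# typing a password into the fake login page is worse.
ACTION_WEIGHT = {"ignored": 0, "reported": -1, "clicked": 1, "submitted_credentials": 2}


def lure_success_rate(events):
    """Fraction of recipients of each lure who clicked or submitted credentials."""
    sent, fell = defaultdict(int), defaultdict(int)
    for _, lure, action in events:
        sent[lure] += 1
        if ACTION_WEIGHT[action] > 0:
            fell[lure] += 1
    return {lure: round(fell[lure] / sent[lure], 2) for lure in sent}


def user_susceptibility(events):
    """Net score per user across all lures; higher means more likely to fall for one."""
    score = defaultdict(int)
    for user, _, action in events:
        score[user] += ACTION_WEIGHT[action]
    return dict(score)


def training_candidates(events, threshold=2):
    """Users whose score meets the threshold, most susceptible first."""
    scores = user_susceptibility(events)
    flagged = [u for u, s in scores.items() if s >= threshold]
    return sorted(flagged, key=lambda u: (-scores[u], u))


if __name__ == "__main__":
    print(lure_success_rate(SAMPLE_EVENTS))
    print(training_candidates(SAMPLE_EVENTS))
```

Over the sample data the package-tracking lure succeeds most often, which matches the article's point that routine, expected email is the easiest to imitate.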

Let’s be clear, you can’t eradicate malware by reading email more thoroughly. And not everyone is expected to be a security expert.

However, by changing the way we react to and deal with email (and other technologies), we can turn the tables on the bad guys and take the advantage away from them.

Kurt Simione is owner of Technology Seed, an IT support firm in Salem. He can be reached at 603-458-7190, ksimione@tseed.com or TSeed.com.
