You Are the Security Flaw

The least secure aspect of our modern world: people.

Joel Gallant
7 min read · Jun 2, 2020

Hacking is a complex term often subject to the largely inaccurate stereotypes portrayed in mass media. Its usage often leads people to visualize young men with poor hygiene in dark rooms furiously hammering alien commands into a terminal. Headlines like “Why The Largest Cyberattack In History Could Happen Within Six Months” elicit similar images and stoke fears. Spoiler: the author of that piece believes that the massive number of people suddenly working from home opens up huge vulnerabilities at countless companies and organizations around the world, and he makes a valid point.

Photo by Clint Patterson on Unsplash

Rather than worry about their devices getting hacked, regular people should be much more concerned about falling victim to social engineering schemes.

Most hacking involves both defacing or otherwise damaging computer and network systems as well as taking or demanding money. The physical world comparisons might include crimes like trespassing, vandalism, and theft.

Exceptional events have occurred in the history of compromising computer and network security. There have been highly skilled and coordinated efforts to break into electronic systems that have been professionally locked down. Similarly, there have been exceptional crimes in the history of trespassing, vandalism, and theft.

In both cases, the few notable events that get the most attention are not generally representative of the overall situation. The much more common events are smaller in nature, randomly target regular people, and are often crimes of opportunity: opening an unlocked door; accessing a network with a default password; grabbing a person’s wallet when they’re distracted; grabbing a person’s credit card details from the dark web. There is no complexity. It is simply a matter of trying these easy options enough times, and eventually they will pay off.

Photo by Chris Martin on Unsplash

There are certain obvious recommended practices that everybody should follow when driving their car: wear their seat belt, use headlights if it is dark or visibility is poor, be mindful of the speed limit, be mindful of road and vehicle conditions, etc. All of these apply to all drivers in all cars regardless of their driving skill, history, or destination.

Similarly, using the internet comes with (what are hopefully) obvious recommended practices everybody should follow: use randomized, unique passwords for each account, only connect to secure, encrypted networks that you are familiar with, only use secured HTTPS communication with a valid SSL/TLS configuration, be mindful of the latest trends in phishing scams, be wary of spam, etc. All of these apply to all users of the internet regardless of their background or their particular internet usage.

Millions of spam emails are sent every day, and while many are caught by automated spam-blocking tools, people still fall victim to related scams all the time. Just a few months ago, a staff member for one of the stars of the Shark Tank television show was scammed out of nearly $400,000 with a scheme that started with a bogus email. While the money was eventually recovered, this example goes to show that this activity is still going on and that it can still be successful even when victimizing powerful and savvy people.

Another example that many people do not consider is inadvertently allowing physical access to areas with computers on an otherwise secure network. If you’ve never tried this, you’d be amazed at what anybody can get away with as long as they appear to belong. There are endless options for disguises: jumpsuit with a water jug for delivery, nice shirt with a clipboard for a brief inspection, full suit and briefcase for an executive meeting, jeans and a hardhat for a quick facilities matter, etc. A skilled manipulator can usually buy themselves plenty of time to deposit a virtual payload (e.g. malware) in the target environment and vacate the premises long before anybody recognizes that there may have been an intruder and then responds in some way.

The United States Bullion Depository (Wikipedia)

If somebody tries to break into Fort Knox or any other notoriously secure facility, news media will certainly cover the incident, and later there may be a documentary or even a full-blown Hollywood flick. If somebody tries to break into your house, chances are that no media will be interested, and you may even struggle to get proper attention from your local police.

The wild stories of infamous criminal activity naturally grab our attention for several reasons. The daring and high-stakes risks taken by the criminals are exciting; we often try to imagine what we would do in a similar situation. Additionally, there is a social bonding of sorts that occurs when we, the general public, join each other in the audience of whatever event occurred. Many millions of people have heard about Fort Knox and are at least generally aware of it; relative to that, virtually nobody has heard about or is aware of your house.

These facts contribute to our lopsided focus on infamous crimes and our tendency to ignore or otherwise downplay other crimes, like thefts that involve unfamiliar people, places, and things. The same dynamic is playing out in the world of cybercrime. Everybody is talking about the massive attacks on major corporations or governments; most recently, there has been media coverage of coordinated hacking campaigns focused on medical research facilities, presumably in connection with COVID-19. Meanwhile, every day, thousands of people are falling victim to scams via email spam, social media messages, text messages, and phone calls.

Photo by Chris Liverani on Unsplash

It is impossible to gather comprehensive and accurate statistics to compare the relative prevalence and success of the more noteworthy cybercrime and the more common everyday cybercrime. Certainly the criminals don’t report their numbers, and any supposedly reported numbers from their side are highly questionable. On the other side of the interaction, the news media often report that a certain number of millions of dollars is lost each year to cybercrime. Those numbers are generally based on two things: corporations self-reporting and estimates about the general population. Corporations may self-report these instances for public relations or legal reasons; the average person often does not report their experience or, if they do, often doesn’t fully report all aspects of the crime due to embarrassment.

The statistics, the news media, and our own psychology all point us in the direction of focusing on the Fort Knoxes of the cyber world; all the while, millions of people are regularly targeted and victimized by small-scale cybercrime.

Photo by Oleg Magni on Unsplash

Except for people who actually work in the field of cyber security, it isn’t our job to try to secure networks and devices that belong to other people, whether it is Fort Knox or the neighbor’s house. It is our responsibility to keep our networks and devices secure and also use the internet safely. We can do that by staying up to date on the current trends and generally being wary of any possible scam or attempted cybercrime.

One easy way to start, if you haven’t done so already, is to use a password manager so that you can use complex and unique passwords for all of your accounts. A password is like a key to a lock, and reusing the same password is like using the same key for every lock. Additionally, since everything online leaves a trace, it’s like taking photos of your one key and leaving them everywhere you use it. A criminal just needs one of those photos, and then every lock you have is compromised. However, with complex and unique passwords for all of your accounts, a criminal who somehow obtains one of the passwords will only have access to that one account, drastically limiting how much harm they can inflict. The additional step of regularly changing your passwords provides further security.
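The “one key for every lock” point above can be made concrete with a small audit of a credential list. The following is an added example, not code from the article: it takes a constructed list of accounts and passwords (the names and passwords are made up for the demo, not real credentials), groups accounts by shared password, reports which accounts would be exposed if any one of them leaked, and gives a rough strength estimate so weak or reused entries stand out. The helper names (`reused_passwords`, `blast_radius`, `estimate_bits`) are this example’s own.

```python
"""Audit a credential list for password reuse and weak entries.

Added example (not from the article). The vault below is constructed for
the demo; nothing here is a real account or password.
"""
import math
import string
from collections import defaultdict

# Constructed sample vault: (account, password). Three accounts share one
# password, one uses a common weak password, one uses a long random one.
SAMPLE_VAULT = [
    ("email", "Summer2020!"),
    ("bank", "Summer2020!"),
    ("shopping", "Summer2020!"),
    ("forum", "qwerty123"),
    ("work-vpn", "x7#Qm2!pL9$vR4wZ"),
]


def group_by_password(vault):
    """Map each password to the list of accounts that use it."""
    groups = defaultdict(list)
    for account, password in vault:
        groups[password].append(account)
    return dict(groups)


def reused_passwords(vault):
    """Return {password: [accounts]} for passwords shared by 2+ accounts."""
    return {pw: accts for pw, accts in group_by_password(vault).items()
            if len(accts) > 1}


def blast_radius(vault, leaked_account):
    """Accounts compromised if the password of `leaked_account` is exposed.

    A leak at one site exposes every account that reuses the same password;
    with unique passwords the result is just the leaked account itself.
    """
    for accounts in group_by_password(vault).values():
        if leaked_account in accounts:
            return sorted(accounts)
    raise KeyError(f"unknown account: {leaked_account}")


def estimate_bits(password):
    """Rough upper-bound strength: length * log2(size of character classes used).

    This assumes a uniformly random choice over the classes present; a
    dictionary word like 'qwerty123' is far weaker than the number suggests,
    so treat the result as a ceiling, not a guarantee.
    """
    classes = (
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),
    )
    charset = sum(size for chars, size in classes
                  if any(c in chars for c in password))
    if charset == 0:
        return 0.0
    return len(password) * math.log2(charset)


def audit(vault, min_bits=60.0):
    """Produce human-readable findings for reused and weak passwords."""
    findings = []
    for pw, accts in reused_passwords(vault).items():
        findings.append(f"REUSED: one password shared by {', '.join(accts)}")
    for account, pw in vault:
        bits = estimate_bits(pw)
        if bits < min_bits:
            findings.append(f"WEAK: {account} (~{bits:.0f} bits, < {min_bits:.0f})")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_VAULT):
        print(line)
    print("If 'bank' leaks, also exposed:", blast_radius(SAMPLE_VAULT, "bank"))
```

Run it as a script to see the findings for the constructed vault; on a real export from a password manager, the `REUSED` lines are the accounts to fix first, since a single breach at any of them exposes all of the others.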

While it isn’t always easy, it is in your best interest to remain vigilant and on the lookout for cybercriminals who may be trying to target you. The point isn’t to be afraid of everything but rather just be careful with what is important to you. Like driving down the highway, using the internet is risky and bad things happen to people all the time. You can dramatically lower your chances of becoming a victim by following recommended procedures (like using a password manager) and being just a bit more careful than the average person.

Common criminals, cyber or otherwise, are looking for the easy score and will quickly pass you by if there are other potential targets that are more appealing. Like running from a vicious wild animal, you don’t need to be the toughest or hardest to catch; you just need to avoid being the weakest or easiest to catch.

Joel Gallant

Pondering the conceptual intersections of mental health, technology, and modern society. More at www.Phalerum.com