Training – Trojan Horse. Sometimes bad guys get lucky

When clients move their systems, data and infrastructure to the HITRUST Certified MX2 Platform, they are getting something more than just managed IT in a highly secure, compliant, and monitored environment. They are getting our knowledge as well.

Human behavior hasn’t changed and good people still get duped


If we were to onboard your company, I’d want to read your IT policies, understand your internal controls in terms of who has access to what and when, and to understand your security training program. If you didn’t have any of them, we’d help you develop them. Of those three, the one I’d want to get after first is cybersecurity training. As I have written (and said) over and over—your own people are the biggest threat to the security of your systems.

It’s been more than 20 years since the ILOVEYOU virus came out. It was the first headline-making, worldwide malware attack that I can recall. If you are old enough, you probably remember that in less than 10 days, it went around the world, affecting 50 million computers and costing many billions of dollars. What you might not know is that the Philippine college student who developed it was the farthest thing from a criminal mastermind: He wrote the virus so he could get free internet access. This was long before he would have been able to jump on an unsecured wi-fi signal.

A lot has changed in 20 years—wi-fi being one of them of course. Then there is the degree to which businesses large and small rely on information networks, which would have been unimaginable in 1999. The same goes for the frequency and simplicity with which we make major financial transactions using just a telephone. The iPhone only came out in 2007. Today mobile computing has become so commonplace, we don’t even call them smartphones anymore.

Something else has changed too: the sophistication and motivation of hackers and cybercriminals. The cyber attacks we face now are more malicious, usually identity theft or ransomware, and both share the same motivation: making easy money for the bad guys.

What hasn’t changed, however, is human behavior. Something unexpected but welcome, or at least enticing, gets folks to put down their guard long enough to click on what looks like a legitimate link or file. Many times, the people who get duped thought they were doing something good.

And it happens all the time. For the most part, anyone in your office under 40 has grown up with the internet and email, but that doesn’t mean they are better at sniffing out phishing scams. The Identity Theft Resource Center recently released its 2021 annual report. It found that publicly reported data compromises went up 68 percent from 2020—and that’s just the publicly reported crimes. It’s impossible to say how many private businesses never report a breach. You can be sure the number is higher.

That’s why, in the first town hall we hold with your people, I will emphasize online situational awareness. It’s not much different from driving a car—you have to be aware of your surroundings all of the time to be safe. Even when you are on autopilot, when something doesn’t look right, you slow down or steer away from it reactively. Awareness needs to be the same online as it is on the freeway.

Even if an email comes from a legitimate address—from a person or a company you interact with regularly perhaps—it could be a cyber attack. If you notice any of these red flags—hit the brakes. Does the language sound off? If you know Divyash, for example, and he communicates with you a certain way, is his writing style suddenly different? Is he asking you to confirm your own information, things he should already know? Is he asking you to change a process or a protocol you have had in place, perhaps for a legitimate-sounding reason? All those things would make me slow down. A good rule of thumb is this: If anything seems off in an email, listen to your intuition first. All it takes is a phone call to confirm whether Divyash’s requests are on the level.

Of course, there is more to it than that, but you get the idea. Then each quarter, as the tactics and strategies of cybercriminals change and evolve, we’ll come back to give security updates.

To make sure our training sticks, we’ll enroll your people in MX2’s Scam of the Week. We’ll randomly select a certain number of accounts and send them a harmless phishing email that duplicates what the bad guys are doing. If your user opens it and starts filling out information, that user gets flagged. The same thing happens if they click on a link they shouldn’t—flagged. When a person gets flagged, they will be prompted to take a 30-minute refresher training on security. Will your people hate it? Certainly. Is it effective? You bet.

Back in the 1980s, the IRA tried to kill England’s Prime Minister in a hotel bombing. They failed to assassinate Margaret Thatcher, but they did kill and wound many others. The statement they released could have been written by any hacker: “Today we were unlucky, but remember we only have to be lucky once. You will have to be lucky always.”

Luck is not an adequate security strategy. If you are interested in continuing a conversation about how we work to keep you safe, please get in touch. Every situation is unique—so you’ll get our thoughts on your situation in a no-obligation call.
