Wednesday, June 30, 2021

Cybersecurity: Focus on the people, not the technology

Over the last few months, I’ve written a lot about cybersecurity, yet many of you may have noticed that I haven’t said much about technological defenses: software you can install on your devices to detect and block viruses and malware, or things like VPNs, which encrypt your traffic and hide your network address so that the coffee-shop Wi-Fi operator, your ISP, or a snooping attacker can’t see where you’re going (they do not, however, stop the companies you do business with from recognizing you once you log in to their sites).

Neither did I talk about the filtering rules you could set up to keep spam and fraudulent e-mails out of your inbox, or the browser add-ons you could install to block malicious websites that try to trick you into revealing personal information or downloading spyware.

It’s not that these things aren’t important, because they are, but I’ve noticed that when you start talking about stuff like that, a lot of people’s eyes glaze over. It all sounds very complicated, and many people don’t understand it or lack the confidence to set it up themselves.

Another reason I avoided talking about these things is that having all the best security technology in the world doesn’t guarantee you won’t become a victim of cybercrime.

Just ask the folks who run Colonial Pipeline and JBS Foods. Both of these big companies have a department full of IT people equipped with sophisticated security tools, yet both were hit with ransomware attacks in May, and both paid multi-million-dollar ransoms to get their systems back.

You see, technological defenses can only go so far in keeping you safe. As I talked about in my January post, the human factor tends to be the weakest link. More often than not, when a cyber attack succeeds it’s because some user, somewhere, clicked on something they shouldn’t have, or reused a password that had already leaked somewhere else.

Look, I’m not laying the blame solely on careless users. Most folks I know try to be careful, but they either don’t understand why they need to follow the guidelines their IT folks hand down, or they find all the procedures and checklists too complicated or hard to remember. And frankly, this is the fault of us IT folks for making things far more complicated than they need to be.

Instead of concentrating on the technical aspects of keeping people safe, we IT folks need to take a more people-centric approach to cybersecurity. We need to tie its concepts to the things people already do in the real world without really thinking about it.

For example, if you asked most folks whether they would leave the key to their house under the doormat, where every burglar in the world knows to look, whether they’d leave their wallet or purse unattended in a public place, or whether they’d hand a complete stranger their credit card, Social Security number, or bank account number, I’m sure virtually all of them would say no.

These are just common-sense safety habits we were all taught as kids and don’t think twice about. We do them automatically because they’re so ingrained in us.

And that should be the goal of every IT professional: get users to think about cybersecurity in the same way they think about their safety and security in the real world.

For example, no one would secure their valuables with a padlock that had only a one-digit combination. Anyone could open that lock in seconds by trying every number from 0 to 9 until they hit the right one; at most ten tries. And they certainly wouldn’t use that same one-digit combination on every lockbox they owned, so that guessing one opens them all. That would be crazy, right?

Yet in 2020, over 2 million people used “123456” as their password! That is the digital equivalent of the one-digit padlock: it is the first thing any attacker tries, and the guess takes no time at all.

“But having so many passwords is hard to remember,” they’ll say. To which I’d answer: so is remembering which key on your keyring opens what, but you don’t have a single key that opens your house, your car, your office, and your safe-deposit box, do you? It would be too dangerous if you lost it. And when the keyring gets heavy, a password manager is the digital version of a locked key cabinet: one strong master passphrase guards all the others, and every site still gets its own unique key.

The key (if you’ll excuse the analogy) is to get people to see that cybersecurity isn’t some nebulous new thing they need to master, but just an extension of the everyday, real-world safety habits they’ve been practicing all their lives. There’s no need to learn a whole new set of skills. They just need to apply the skills they already have to the virtual world as well as the physical one.

I really believe that this people-centric approach to online security does more good than any single technological solution we could come up with. If we can get people to view that fake e-mail from a bank with the same suspicion they’d give a stranger who knocked on their door claiming to be a representative from their bank, then most attacks would fail before any of that super-complicated technology ever had to step in.

I hope that this series has helped you to better understand this and see that keeping yourself safe out there in cyberspace isn’t as complicated as you might have thought.