Is it time to hold OURSELVES responsible for malware, viruses, ransomware and hacks?
If I was “duped” into wiring $10,000 out of my company’s bank account to a malicious recipient, am I at fault?
Tough questions, but perhaps those are the questions we should be asking.
Your company takes precautions to combat malware. Those measures cost time and money. It’s a game of cat and mouse and the “bad guys” are always one step ahead.
But why is that? Why can’t we stay ahead of them?
HERE’S WHY: Because the bad guys count on you and me to be careless and curious.
In almost every case, malware is “allowed” onto our devices by us. We clicked something. We opened something. We allowed something to run. WE gave the bad guys permission to hurt us. Malware rarely “appears” on our devices without our permission.
The bad guys know that business people multi-task and rarely give their full attention to the information sitting in front of them. They know that when we read an email, we’re reading mere snippets of it, perhaps while we’re also on the phone, perhaps while we’re watching a presentation, or even watching TV.
We’re giving half of our attention to the email in front of us, and the other half to what’s going on around us.
You’re probably skimming this article. Am I right? : )
And that’s why it’s difficult to detect the difference between an email from JOHN@YOURCOMPANY.COM and JOHN@Y0URCOMPANY.COM. Those two email addresses are NOT the same.
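A mail filter can catch that swap even when a distracted reader cannot. The Python sketch below is an added example, not part of the original article; the `TRUSTED_DOMAINS` set, the substitution table and the function names are assumptions, and it goes slightly beyond the zero-for-O case by also flagging domains that are one typo away from a trusted one.

```python
from email.utils import parseaddr

TRUSTED_DOMAINS = {"yourcompany.com"}  # assumption: the domains you really own

# Characters often swapped in for look-alike letters (constructed, not exhaustive).
SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def skeleton(domain):
    """Collapse common look-alike substitutions into one canonical form."""
    return domain.lower().translate(SWAPS).replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance, computed with a single rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[len(b)]


def classify_sender(from_header):
    """Return 'trusted', 'lookalike' or 'external' for a From: header value."""
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        # Same skeleton, or a single typo away from it: built to be misread.
        if edit_distance(skeleton(domain), skeleton(trusted)) <= 1:
            return "lookalike"
    return "external"


if __name__ == "__main__":
    # Constructed sample headers; the first two are the addresses from the text.
    for header in ("JOHN@YOURCOMPANY.COM",
                   "JOHN@Y0URCOMPANY.COM",
                   "John <john@yourcornpany.com>",
                   "alice@example.org"):
        print(f"{classify_sender(header):<10} {header}")
```

A "lookalike" verdict is a reason to quarantine or banner the message, not proof of fraud; a legitimate domain that happens to sit one character from yours would be flagged too.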
Carelessness and curiosity are also why people are so quick to open an attachment that contains a virus. When there’s an email attachment, the default reaction is to open it. But WHY? We have no idea what that attachment is. We know from experience that it COULD be malicious, yet we open it anyway.
Working in I.T., we apply thick layers of security on our computers, our phones, the corporate network, and even the entire internet. We can layer it on until our computers, tablets and phones become cumbersome to use.
But as long as we’re giving our technology only a portion of our attention, the bad guys will always have an advantage that the I.T. and security pros can never compete with.
Who’s to Blame?
So back to the original question: If I was “duped” into wiring $10,000 out of my company’s bank account to a malicious recipient, am I at fault?
Do we, as end-users, have a responsibility to know better? This isn’t theft at gunpoint. This is someone who sent an email that “looks” like it came from the CFO of our company and asked us to wire money. And we did it. And many others have done it, too.
Do we bear any responsibility for that? If someone called on the phone and asked us to wire $10,000, would we do it without significant verification?
Or perhaps we opened an attachment that encrypted (and held for ransom) hundreds of thousands of files on our computer and our company’s servers. Why did we open the attachment? Were we expecting that exact attachment from that exact sender? Or did we open it because, well, it was there?
This isn’t a blame game – the bad guys are 100% in the wrong and we’re the victims.
Business should do what it can to protect itself and its employees. Protection can take the form of policy, preventative measures, effective security equipment and end-user training.
It’s time, however, that we stop making it easy on the bad guys. Let’s not invite trouble! Do not welcome the bad guys into your corporate and personal life! And let’s take some responsibility for training ourselves and understanding the technology that we take for granted.
The Overly-Simplified Solution:
Help your company – and yourself – stay ahead of the bad guys by exercising caution. Raise an eyebrow to that email attachment! Don’t click that link from your bank just because you can! And certainly never transfer money anywhere until you are 100% convinced that it’s the right thing to do.
As I.T. / Security pros, it’s quite literally us vs. millions of hackers. It’s a fight we can’t possibly win without your help.
I’m not claiming that we can eradicate malware by reading our email more thoroughly. Nor am I expecting everyone to be a security expert. I AM claiming that by changing the way we react to and deal with email (and other technologies), we can turn the tables on the bad guys and take the advantage away from them.