Me, you, the people to our left and right.
Let’s accept that most (or all?!?) of the I.T. breaches you hear about are caused by us. We clicked the wrong thing in the wrong email and installed ransomware.
We wired money from our business checking account to a thief because our CFO told us to. Or so we thought! Turns out the CFO didn’t tell us to . . . a “bad guy” did.
We used a password of “Password1” and thought that no one would ever guess it. Heck, it uses letters, a numeral and a capital, right? Yup, someone guessed it (it sits near the top of every attacker’s list of passwords to try first) and logged into our email.
Hackers don’t need to hack computers anymore. They just need to hack people. Me and you.
Three points from Verizon’s 2017 Data Breach Investigations Report [1]:
- 81% of hacking-related breaches leveraged weak/stolen passwords.
- 66% of malware was installed via malicious email attachment.
- 95% of phishing attacks that led to a breach were followed by some sort of software installation.
So, weak passwords and software installed via people clicking malicious email attachments are responsible for a whole bunch of bad news.
Why is it so easy to deceive us?
Let’s start with the obvious: Hackers are clever.
When you get paid to deceive people, you get good at deceiving people! These crooks spend days, months and years fine-tuning their attempts to trick you. And they don’t need to trick everyone – just you. A single ransomware infection can bring in thousands of dollars.
A little less obvious: We’re all really busy.
If you’re reading this article in Business NH Magazine, you’re likely involved in business which probably means you’re really busy. We should probably petition Merriam-Webster to redefine “businessperson” as “really-busy-person”!
And because we’re really busy, we don’t always give everything our full attention. We can’t. There aren’t enough minutes in the hour. We multi-task. We rarely give our undivided attention to the information sitting right in front of us.
Like the 7 emails you got while reading this article. You’ll scan them, pull out what you deem important and disregard the rest. You have to!
As long as we’re giving our technology only a portion of our attention, the bad guys will always have an advantage that no amount of work by I.T. and security pros can fully make up for.
Hackers and other bad guys are counting on this!
They are counting on the fact that if they create an email that mimics the look and feel of your credit card company’s website, you’ll click on it and enter your password without thinking. And after you do so, they’ve recorded your password . . . the same one you probably use on 40 different websites.
They are counting on the fact that you receive daily shipments from FedEx and wouldn’t think twice about opening an attachment that purports to give you tracking information on that package you ordered. Of course, the attachment instead infects your computer, and every network share and server it can reach, with ransomware.
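As an added illustration (not the author’s material, and not a tool the article describes), here is a small Python check for the two lures just described: a link whose visible text names one site while its real address points at another, and a “tracking information” attachment that is actually a program. The email body, the .example domains and the attachment file names are constructed for this example; the domain reduction is a crude last-two-labels rule rather than a public-suffix lookup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for this example: a lookalike "credit card"
# sign-in link beside a legitimate package-tracking link, plus two attachments.
SAMPLE_HTML = """
<p>Your statement is ready. Sign in at
<a href="http://login.mycreditcard-secure.example/verify">https://www.mycreditcard.example</a>
to review it.</p>
<p>Your package update: <a href="https://www.shipper.example/track">https://www.shipper.example/track</a></p>
"""
SAMPLE_ATTACHMENTS = ["Tracking_Information.pdf.exe", "Invoice_2017.pdf"]

# File types that run code when double-clicked on a typical Windows desktop.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "js", "vbs", "bat", "cmd", "hta", "jar", "ps1", "lnk"}

# Something that looks like a domain name inside the visible link text.
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")


def registered_domain(host):
    """Crude 'last two labels' reduction: www.shipper.example -> shipper.example.
    Fine for the demo; a production check would consult the public suffix list."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_lookalike_links(html):
    """Return (shown_domain, real_domain) pairs where the link text names one
    site but the href actually sends the reader somewhere else."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        shown = DOMAIN_RE.search(text.lower())
        real_host = urlparse(href).hostname or ""
        if shown and real_host:
            shown_domain = registered_domain(shown.group(0))
            real_domain = registered_domain(real_host)
            if shown_domain != real_domain:
                findings.append((shown_domain, real_domain))
    return findings


def is_disguised_executable(filename):
    """True when the final extension runs code, e.g. 'Tracking_Info.pdf.exe':
    the .pdf in the middle is the disguise, and Windows hides the .exe by default."""
    name = filename.lower()
    if "." not in name:
        return False
    return name.rsplit(".", 1)[1] in EXECUTABLE_EXTENSIONS


if __name__ == "__main__":
    for shown, real in find_lookalike_links(SAMPLE_HTML):
        print(f"LOOKALIKE LINK: text says {shown}, but it goes to {real}")
    for name in SAMPLE_ATTACHMENTS:
        if is_disguised_executable(name):
            print(f"EXECUTABLE ATTACHMENT: {name}")
```

Run as-is it reports the credit-card link (text names mycreditcard.example, address goes to mycreditcard-secure.example) and the .pdf.exe attachment, and stays quiet about the genuine tracking link and the real PDF. The same two questions, “where does this link really go?” and “what is this file really?”, are the ones a busy reader can ask in a couple of seconds by hovering over a link and showing file extensions.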
To protect our networks from these attacks, we brag about firewalls, patches, antivirus, antimalware, monitoring, content filtering, group policy and a host of other security measures. All are necessary and serve a purpose, yet the problem remains that we’re still being hacked and stolen from regularly.
It’s time that we stop making it easy for the bad guys. Let’s not invite trouble! Do not welcome hackers into your corporate and personal life!
And let’s take some responsibility for training ourselves and understanding the technology that we take for granted.
If we, as a group of business-people, were better about assuming ALL attachments, links, emails, and software were malicious until proven otherwise, we’d be a lot more secure.
No one would wire money to a fraudulent bank account if they physically went to see, or called, the intended recipient to confirm that the request was valid and not fraudulent. Make that call to a phone number you already have on file, not to one printed in the suspicious email.
End-user training is essential.
I.T. professionals have some tools and strategies that help us better document and understand what types of fraudulent emails are deceiving your employees and who those employees are.
One of our favorite strategies involves identifying and correcting the “urge to click”. We use a product from KnowBe4 [2] (there are others, as well) that attempts to trick end-users into clicking “bad” things, using the same methods that the hackers use. However, the tools we use don’t have malicious outcomes. We attempt to deceive the end user and then notify them that the link that looked like a Facebook login was actually a rogue link that could have been used to install ransomware. The goal is to identify and train the most susceptible end-users to look at emails a little more cautiously and recognize what a threat might look like.
As I.T. / Security pros, it’s quite literally us vs. millions of potential hackers. It’s a fight we can’t possibly win without your help.
And let’s be clear: I’m not claiming that we can eradicate malware by reading our email more thoroughly. Nor am I expecting everyone to be a security expert. I AM claiming that by changing the way we react to and deal with email (and other technologies), we can turn the tables on the bad guys and take the advantage away from them.