Defeating the False Sense of Cyber Safety

For multiple reasons, people generally don’t take cybersecurity anywhere near as seriously as physical safety

Self-preservation is a basic human instinct. We’re intrinsically and innately focused on avoiding physical harm, and that instinct is exercised and honed from an early age. It’s almost primal, passed down through the generations in some cases. Think about all the warnings you received as a child about not talking to strangers, touching hot stoves, and playing in the street. But in the modern era, it’s virtual safety that poses some of the biggest risks. Though this primarily impacts things like financial accounts, as we’ve seen in the case of recent attacks against hospitals and critical infrastructure, cybersecurity also can impact physical safety and security. 

As cybersecurity professionals, we have our work cut out for us. How do we change the paradigm and start transferring some of the same sensibilities we all have about physical safety over to cyber safety? It’s a huge challenge but one that must be addressed. Ransomware and cyber-attacks obviously aren’t going away; they’re just going to get worse. 

A false sense of (online) safety 

The discrepancy between real-life and online behaviors is often significant. How often do we see individuals do things like post a photo of their driver’s license on a social media site to celebrate learning to drive or share a photo announcing they are on vacation, with their home address geo-tagged? It’s so common that most people don’t even bat an eye.

Now, imagine someone standing up in a restaurant and showing everyone their license, or someone shouting their vacation plans and address to all their fellow customers in a grocery store. The scenario seems absurd. 

Yet, this is essentially what’s happening all the time online – people are putting out their private and personal information for the world to see without a second thought. And the bad actors out there have noticed. That driver’s license information contains details that can be used to steal the individual’s identity, hack into their bank account, or execute social engineering attacks.

Social engineering attacks are carried out via actions such as “phishing” (fishing for information) through emails and texts, where users are tricked into providing their credentials, clicking on malicious links or attachments, or going to malicious websites. 

Security and convenience: Not mutually exclusive

While those of us working in cybersecurity live and breathe it, we must remember that not everyone views it quite the same way as we do. To a certain extent, some aspects of cybersecurity are inarguably less convenient – at least, at face value. Multifactor authentication and having to remember multiple different passwords for different websites can be a bit of a nuisance at times, adding at least a few extra seconds every time you want to log in to any given app or website.

But in the long term, what might be perceived as a minor inconvenience in the moment can ultimately save someone from a whole lot of inconvenience in the future. It’s a lot easier to, for instance, use a password manager than it is to have to change all your account passwords, get a new bank card and credit card issued, and more in the event your information is compromised. 

About social media 

Social media use comes with an inherent amount of risk; there’s no sugarcoating that. While the safest thing to do would be to not use social media at all, that’s also not practical for a variety of reasons. People have come to enjoy the connection. Some use it for work, and for many people, especially teens and young adults, it’s an essential component of their social interaction and communication.

But there are ways to use it in a far safer manner. Those include making sure you’re using all the privacy protections and settings that each social media tool or platform offers and thinking carefully about what information you’re posting. Anything that includes personal details like home addresses, birthdays and financial information should be avoided – it’s little wonder we recently saw a rash of warnings telling people not to post their COVID-19 vaccination cards.

Changing the paradigm

Clearly, what’s needed is a mindset shift to make cybersecurity best practices into standard habits, in much the way things like looking both ways before you cross a street or locking your car doors are. And this is the million-dollar question: how do we actually do this? It’s certainly not going to change overnight, but that doesn’t mean it’s impossible.

The first step is education. Everyone should and can learn how to practice basic cyber hygiene. Good hygiene isn’t just the responsibility of your IT staff or for someone else to take care of. Steps to consider include: 

• Create stronger passwords – Don’t use any names, personal details – like your birthday – or company details to create passwords. Random combinations of uppercase and lowercase letters, numbers and symbols create the strongest passwords. Also, make them at least ten characters long.

• Take a basic class – There are plenty of organizations that provide free or low-cost cybersecurity training. Many employers provide this, as well, and the lessons you learn in these courses are equally applicable to your work life and your personal life. Cybersecurity hygiene can be taught from a young age. While elementary school students don’t need to worry about many of the intricacies, there are fundamentals that can be taught even to the youngest of students. Think of it as “cyber stranger danger.” There are resources available to provide age-appropriate cybersecurity guidance that can help set the foundation for years to come.  

• Know the risks – Understanding the implications and potential risks that can result from social media and online activity is key to helping understand why you need to take cyber safety seriously. Pay attention to warnings about the need for VPN and multifactor authentication for more secure access.

• Think about trust – In today’s online world, it should be about “zero trust.” That’s a technical term, yes, but it relates to how you approach the security of your data and the workplace. 

• Consider your use of cyberspace like you would think about traveling. For instance, when you visit somewhere new, you’re typically on higher alert than you would be at home, and more attuned to the potential dangers around you. A similar mentality needs to be exercised when virtually “leaving” home for the digital world.

Creating security natives

For multiple reasons, people generally don’t take cybersecurity anywhere near as seriously as physical safety. We’ve yet to evolve to a point where cybersecurity is part of our primal instincts. However, the reality is – especially as we see an increasing number of recent attacks against critical infrastructure – cybersecurity and physical security can be intrinsically linked. We hear the term “digital native” a lot; it’s time to create “security natives.” Old habits die hard, but they do die – and in this case, they must. That’s why it’s so important to create strong cyber safety habits and start the education process as young as possible.  

Derek Manky is Chief of Security Insights and Global Threat Alliances at Fortinet’s FortiGuard Labs. Derek formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal is to make a positive impact in the global war on cybercrime. Manky provides thought leadership to industry, and has presented research and strategy worldwide at premier security conferences. As a cybersecurity expert, his work includes meetings with leading political figures and key policy stakeholders, including law enforcement. He is actively involved with several global threat intelligence initiatives including NATO NICP, INTERPOL Expert Working Group, the Cyber Threat Alliance (CTA) working committee and FIRST – all in an effort to shape the future of actionable threat intelligence and proactive security strategy.