The Weakest Link in the Security Chain? You, Humans.

Some of the scariest movie baddies are computers or robots. Well, they are pretty much the same, but robots can be even more terrifying because they can walk around and shoot guns while riding motorbikes.

In fact, computers are so often the enemy in horror and action films that we should probably make a new genre. We could call it ComHorror, or RobotCore. Something like that. The genre would include the Terminator films (killer robot Arnie and the killer robot T-1000), The Matrix (Agent Smith et al.), Westworld (almost every character), and the scariest of them all, 2001 (for HAL).


But why are all these characters so scary?

Well, let me suggest one reason. They have no empathy. They are faultlessly logical, and have no regard for such silly human inventions as love and friendship, and being kind to people.

Here, you can take Sherlock out of the equation. Though he is a human, he is also sort of not. His cleverness is his super-power, but it is based on a casual disregard for other people (perhaps caused by too much opium, but still). Just think of the last series, where he proposes to his girlfriend only to get into a locked room. Pretty callous, but useful nonetheless.

All these characters are scary because they lack some of the most basic features that we all share as humans (unless you're a bot, in which case ignore this part). Humans have basic needs that must be met: friendship, status, love, and so on. Most of us also like being helpful, and helping out when a neighbor has a problem.

These needs make us, well, human. But, seen from a particular perspective, they also make us weak. And – to be serious now – they also make us incompetent when it comes to IT security.

Human Vs. Machine

The serious point to be made here is this. Companies spend millions of dollars deploying state-of-the-art IT security systems, but these systems are often undermined by humans, who are either too nice or too sloppy.

You don't need to look far for evidence of this. Phishing scams are among the oldest cyber threats around, and they rely on a simple principle: people like to help each other out, particularly if there is a reward involved (or a penalty for not acting quickly).

Remember those 'Nigerian Prince' emails? The ones where a 'Nigerian Prince' needed your help to move thousands of dollars out of the country via your bank account? Thousands of people fell for that advance-fee fraud in the early days of the internet. Back then, we were all naive and thought the internet was a magical fairyland and that everyone online was nice.

Phishing scams like those are just the tip of the iceberg, unfortunately. At every level of the security chain, it seems that humans are the weakest link.

According to a report by Code42, for instance, 78% of security professionals think that the biggest threat to IT security is employee negligence when it comes to security practices. BakerHostetler's 2017 Data Security Incident Response Report, which incorporated data from the 450 incidents it handled in 2016, found that 32 percent of incidents were initiated by human error, 25 percent of attacks involved phishing, and 23 percent were initiated via ransomware. Another 18 percent of compromises occurred due to lost or stolen devices, and 3 percent were attributed to internal theft.

Here's the headline figure, though. IBM's Cyber Security Intelligence Index found that 95% of security incidents involve human error as a contributing factor. More than half of those incidents involved individuals who had privileged access to the organization's IT systems, but still. 95%!

I’ll let that sink in a moment.

95% of security incidents involve a human mistake somewhere along the way.

Maybe we should stop talking about ‘cybersecurity,’ and start referring to ‘human security.’

Social Engineering Attacks

How do these attacks work? In most cases, they rely on humans being willing to help out other humans. Though most people wouldn’t fall for an email that said ‘Hey, it’s your friend here, can you send me your passwords and social security number and bank details? I want to send you a present!’, this is – essentially – how most human-focused cyber attacks work.

Sometimes, attacks like this are given a fancy name, ‘Social Engineering Attacks,’ but in reality, they are based on confidence tricks that have been around for thousands of years.

That said, as IT security gradually improves at the technical level, attacks that target humans are increasing. More often than not, these attacks are specifically targeted. Research is performed on individuals before contacting them, usually through social media and company websites, to skim details that lend credibility to an email or even a phone call. This is called 'spear phishing,' and it can persuade people to install malware on their computer or give away personal information and passwords.

Around 60 percent of businesses fell victim to a social engineering attack like this in 2016, and Symantec's 2015

For Symantec, in fact, this kind of attack now represents such a threat that it has shifted the playing field in cybersecurity. “This is the next evolution of social engineering, where victims are researched in advance and specifically targeted,” they said in a recent Internet threat report, “the very nature of social networks makes users feel that they are amongst friends and perhaps not at risk. Unfortunately, it’s exactly the opposite and attackers are turning to these sites to target new victims.”

Sheer Naivety

That might make it sound like social engineering attacks are all high-tech, specifically-targeted, sci-fi projects. The reality, unfortunately, is that hackers can achieve a lot by exploiting the sheer niceness (let’s call it naivety) of employees.

I'll give you an example. A common type of attack involves an attacker blagging their way into a company's building. That can be achieved, in most cases, by simply hanging around outside and waiting for someone to open the door for you (the industry calls this 'tailgating'). 'I'm Tim from IT. I lost my card, thanks for letting me in!' Then they can leave a CD (remember those?) or a USB stick in a breakroom, labelled 'IMPORTANT SECURITY UPDATE: PLEASE INSTALL!' and full of malware. You'd be surprised how often that works.

If at this point you think that people must be stupid to fall for a trick like that, that’s exactly my point. People aren’t stupid, but they are nice, which when it comes to IT security is kind of the same thing. For proof of that, remember that the wife of the director of the FBI banned him from using online banking because she was worried about his lack of caution. I’d guess (and hope) that he’s not stupid.

Instead, what these examples show is the danger of two aspects of being human. One is that we like to help each other out. Sadly, we live in a world where this good nature is regularly exploited by attackers to gain access to your systems and data. The second is that humans love their routines, and attackers can exploit those regular habits too.

If I asked you how many traffic lights there are on your journey to work, you probably couldn't tell me. Likewise, when elements of our job become routine, we become less conscious of what we do and why. This can be incredibly dangerous to businesses, because that lack of mindfulness leads to mistakes.

Ditto with other aspects of our online lives. Loads of people use email, social media, and texting so often that they do so largely without thinking. When media usage becomes routine like this, people become less and less conscious of which emails they opened and which links or attachments they clicked on, until they are barely aware of any of it at all.

What to do about it

Um, well, think like a machine. The next time your friend asks you to pick up coffee on your way to work, compute a cost-benefit analysis. Will getting them the coffee bring an increase in friendship quotient that outweighs the calories you burn carrying it?

Seriously, though.

What you need to do is teach your employees (or yourself) what a cyber threat looks like, and what to do about it: a request for credentials, money, or access that arrives with urgency attached should be verified out of band, by calling the supposed sender on a number you already know. Spotting a phishing scam might sound pretty easy, but a lot of people still fall for them, so start there. You could even send some fake ones if you are feeling mischievous, and see if anyone falls for them. If you do, treat a click as a training moment and reward people who report the email, rather than punishing the ones who fell for it; a culture where people are afraid to report is worse than one where they occasionally click.
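To make 'what a phishing email looks like' concrete, here is an added example (not code from the original article or from PureVPN) that checks a raw email for the indicators the text describes: a display name that claims to be from your organisation while the address is external, a lookalike sender domain, a Reply-To pointing somewhere else, and the classic 'verify your password urgently' wording. The trusted domain `example.com`, the `CONFUSABLES` table and the two sample messages are all assumptions constructed for the demo; a real deployment would also check SPF/DKIM results and link targets.

```python
"""Flag common phishing indicators in a raw RFC 822 message.

Added example; assumes the organisation's own domain is example.com.
"""
import email
import re
from email.utils import parseaddr

TRUSTED_DOMAIN = "example.com"  # assumption for the demo

# Characters attackers swap in to build lookalike domains (assumed list).
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}

# Wording that pairs urgency with a request for credentials or payment.
URGENCY = re.compile(r"\b(urgent|immediately|within \d+ hours?|suspended|expires? today)\b", re.I)
CREDENTIALS = re.compile(r"\b(password|verify your account|login|bank details|wire transfer)\b", re.I)


def _domain_of(address):
    return address.rpartition("@")[2].lower()


def normalise_domain(domain):
    """Undo simple character substitutions so examp1e.com compares equal to example.com."""
    d = domain.lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def _plain_text(msg):
    """Concatenate the text/plain parts of a message (handles multipart and single-part)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def phishing_indicators(raw_message):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw_message)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain_of(from_addr)

    # 1. Display name name-drops our organisation but the address is external.
    if TRUSTED_DOMAIN in from_name.lower() and from_domain != TRUSTED_DOMAIN:
        findings.append(f"display name mentions {TRUSTED_DOMAIN} but sender is {from_addr}")

    # 2. Sender domain is a character-substitution lookalike of ours.
    if from_domain != TRUSTED_DOMAIN and normalise_domain(from_domain) == TRUSTED_DOMAIN:
        findings.append(f"lookalike sender domain {from_domain}")

    # 3. Replies are redirected to a different domain than the one the mail claims to come from.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and _domain_of(reply_to) != from_domain:
        findings.append(f"Reply-To {reply_to} does not match sender domain {from_domain}")

    # 4. Urgency plus a credential/payment request is the social-engineering pattern itself.
    text = (msg.get("Subject", "") or "") + "\n" + _plain_text(msg)
    if URGENCY.search(text) and CREDENTIALS.search(text):
        findings.append("urgent request involving credentials or payment")

    return findings


# Constructed sample messages (not real mail).
SAMPLE_PHISH = """\
From: "IT Helpdesk (example.com)" <helpdesk@examp1e.com>
Reply-To: support@mail-recovery.net
To: alice@example.com
Subject: URGENT: password expiry
Content-Type: text/plain; charset="utf-8"

Your password expires today. Please verify your password at the link below
within 2 hours or your account will be suspended.
"""

SAMPLE_LEGIT = """\
From: Bob <bob@example.com>
To: alice@example.com
Subject: lunch?
Content-Type: text/plain; charset="utf-8"

Want to grab lunch at 12?
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(sample) or "no indicators")
```

Run it and the constructed phishing sample trips all four checks while the lunch invitation trips none. None of these checks is conclusive on its own (a legitimate mail-merge tool may set Reply-To, for example), which is exactly why the training message to employees is 'pause and verify' rather than 'this rule says it is safe.'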

Other basic security measures include implementing multi-factor authentication; creating a forensics plan so that an investigation can start quickly; building business continuity into the incident response plan so that systems keep running; vetting the technical ability, reputation and financial solvency of your suppliers; deploying off-site or air-gapped backups in case of ransomware; and acquiring an appropriate cyber insurance policy.

Ultimately, what you are aiming for is to make your employees as aware of cybersecurity as they are of home security. In the same way that you would teach a child to look both ways before crossing the street, your employees need to understand how to assess the risk of ‘helping’ someone outside of your organization by giving them information or access that could effectively harm your business.

Oh, and as a VPN company, we’d also recommend you get a VPN, probably our VPN, and make your employees use it all the time 🙂
