October is National Cyber Security Awareness Month, and it's all too easy to dwell on the hacks and attacks that make headlines every day. It sometimes seems as though every month recently has been Cyber Security Awareness Month. Data breaches and a distinct sense of "cyber insecurity" pervade the news and our digital lives. Victims of cyber attacks range from the largest corporations and government agencies right down to friends and family members whose personal data has been exposed.
Instead of focusing on victims and attacks, though, let’s kick off National Cyber Security Awareness Month by turning that on its head. How do we keep from being victims of the latest and greatest attack? How do we shift the conversation from one that is reactive (contact customers, provide credit monitoring, cancel our credit cards, etc.) to one that is focused on prevention and empowerment?
Obviously, as consumers we can’t protect ourselves from every threat faced by the organizations we entrust with our precious data. Neither can businesses universally and flawlessly protect themselves (or our data). In a world that feels increasingly insecure and in which our digital selves feel increasingly vulnerable, it isn’t easy to talk about empowerment.
Education, however, is the key to empowerment. For organizations, it’s the right combination of hardware, software, and, again, education. Earlier this week, I made the case that savvy, well-educated users are critical to security strategy for businesses of all sizes. And for consumers, stopping and thinking before we blithely click about the web can mean the difference between being a victim and being an empowered digital citizen.
Unfortunately, many people, no matter what their age or generation, simply aren’t aware of the sheer size of their digital footprints or how easy it is to expose data to the unsavory folks just waiting for the right opportunity to nab login credentials, identifying information, location information, and other digital breadcrumbs.
When we live in a world that is digital first, we tend to take for granted the ways in which we share and interact. But an open Facebook profile (or a family member inclined to overshare on Instagram) gives attackers an incredible amount of information to craft a legitimate-looking phishing email, for example. If an email looks authentic and reasonable, referencing information that you wouldn’t expect someone outside of your circles to know, why not click through and offer up whatever login information is requested?
Just this morning, I received a text message thanking me for my loyalty to my wireless provider and offering to upgrade my phone for free. I was immediately skeptical since I had just transferred my last available upgrade to one of my kids (because that’s the kind of dad I am). The link in the email led me to a reasonable facsimile of the login page for my wireless provider. How many people do you know who would have eagerly logged in, happy to snag a new iPhone, only to have their login credentials stolen by a malicious website? Probably quite a few.
Not becoming a victim doesn’t require suspicion and paranoia. It does require two things, though: skepticism and situational awareness.
The skepticism makes sense, although the more sophisticated attackers become, creating very well-crafted (albeit fake) websites and deeply personalized phishing emails, the easier it is for even savvy web surfers to set aside their skepticism.
Situational awareness is harder to cultivate, but it is what tells us to be skeptical when it’s warranted. Among security professionals, situational awareness refers to a broad understanding of the threats in the wild and how they can impact business systems. On a more personal level, it means knowing that you don’t really have any upgrades left and that your wireless provider really isn’t that nice. It’s about knowing what your banking portal really looks like and being aware of emails, texts, or IMs that seem out of character or just a little bit unexpected.
Spider-Man is always worth quoting here: “With great power comes great responsibility.” We have extraordinary amounts of power at our fingertips – knowledge, convenience, connections, communication, entertainment. Being a good digital citizen rather than an unwitting victim means taking responsibility and being aware of our digital environments.