Training programs and phishing “tests” are a regular part of the office landscape for employees today, and yet the human factor still remains the weakest link in cybersecurity for most organizations. Why is that and what can we – since all of us play a role – do?
Let’s tackle why humans are the weakest link first. Humans – at least the vast majority of them anyway – are trusting creatures of habit. We naturally tend to look for the best in others and believe what we read and hear. We also assume others won’t lie and cheat, and we find comfort in things that are familiar. Unless we are given a reason to distrust someone or something disrupts a routine, for the most part, we happily go about our business at work and home.
It’s easy to become complacent. We work hard and juggle our work with life’s other responsibilities, trying to have it all. Because of that, we’re tired. Some of us tend to get bored easily. The bottom line is that with all that we do, it’s quite easy to become distracted or to consider cybersecurity training and also breaking news on the latest breach just background noise. If we haven’t been a victim of identity theft or suffered the embarrassment of being the person who unleashed a virus on the company network, we think no news is good news. In the end, we drop our guard and resort to thinking and believing we’re safe.
What can we do? We can and should attend organization-sponsored and supported training programs, but we should also practice the following at work and at home:
- Slowing down – Taking the time to read through a message before reflexively clicking on an attachment can mean the difference between a productive afternoon and hours or days spent reloading a machine and restoring from backups. Nearly all of the ransomware infections I’ve encountered took place not because the end user didn’t know or at least suspect an attachment was infected, but because the user was in a hurry.
- Asking questions – If you think a message isn’t legitimate, ask a professional or, in the case of an email, the sender. If you take the approach, as I do, that there are no dumb questions, only unanswered ones, then asking someone whether you should open an email isn’t going to offend anyone or anything, except possibly your pride. Last week, I received an invoice attached to an email from a business associate. Everything looked legitimate, except I wasn’t expecting an invoice, and the invoice number in the name of the attachment did not match the invoice number referenced in the body of the email. A quick email confirmed my suspicion that the sender’s account had been compromised.
- Remembering that if something is too good to be true, it probably is – Yes, there are many things that ARE free and also good, like open source and community edition software. But the vast majority of “free” offers involve giving up something, like an email address and other contact information, or they are simply fraudulent. There’s a reason why free $100 gift cards and vacations, remote support because your PC is “infected”, and extra money because you are willing to accept a check and ship an item you have for sale on Craigslist are to be avoided. In these instances, too good to be true = next victim.