Tips on cyber protection from your own employees, part 2

Only two weeks ago I wrote on cyber protection from human curiosity (or naïveté), see link. Since then we had a security breach at authorisation token vendor RSA and the breach at mass-mailer Epsilon. The first was not a “sophisticated” attack as was published, but an employee clicking on an Excel attachment in an e-mail sent to employees of RSA under a title like “reorganisation information”. One click was enough to download malicious code into the system of RSA and expose all security measures, to…? Yes, to whom? We do not know, nor what this person or persons will do with the acquired knowledge. The second apparently was a case of unsophisticated levels of security, despite warnings to such. Leaving millions of people’s email addresses, bank and other data in the open. The first phishing attack has been reported.

I dare to conclude here that now spam filters are becoming more sophisticated, criminals exploit the next available vulnerability.

Heightened awareness, more publicity
Fact is that of late security breaches have the interest of governments, with press not staying behind. Is this because governments are showing heightened activity such as national cyber securities? (Let’s leave the argument whether national and cyber security are two combinable concepts lie for now.) Or are more people simply becoming aware of the vulnerabilities that they are confronted with and start to report on them? That we started using an open, generative system that was not meant to bank on, run critical infrastructure on, do maintenance from home on, etc. and are finally owning up to the consequences of this choice?

But are we really? Where is the man in the street in this picture? Is he overly concerned what is happening on the Internet? It does not look like it. At least, e.g. I don’t see long cues at the last bank office in town with people demanding desks to reopen so they can get their money like we used to up till the late eighties. So how come trust in Internet should go down, but actually isn’t? Sorry, I’m not going to answer that, but apparently most people are or feel safe and not under threat.

The human factor
Still, no matter how much money governments, industry and end users pay for security, if security is possible on the Internet as it is, that is, it’s the human factor that really constitutes the greatest risk. Yesterday one of my girlfriend’s sons was watching a You Tube clip with a bunch of friends. Yes, it was extremely funny. “Don’t click here” a flashy button said in the top left corner the whole time the clip played. The first thing he said after the clip finished was: “I’m going to click here” and in the blink of an eye he was at a subscription site of something or other. Luckily he was wise enough not to proceed. The employee of RSA however was not. (S)he jeopardized the whole reputation of this firm with one mouse click. And if someone working there does not have the sense to check on what he or she is clinking on, how can my girlfriend’s son?

Imagining the un-understandable
Perhaps the biggest problem is, that people can not imagine that something which brings them pleasure, ease of use and leisure, is also the biggest threat to their on line and economic safety. That the Internet poses dangers that we can not see, can’t sense, feel, hear, but are very real nonetheless. Making people aware of this is one of the major challenges the world faces. The government campaigns do not seem to do the trick efficiently. People do not seem to overly care either. Is a feeling of an on line, Internet based, community responsibility possible? And where to start? It may be with a targeted training to people working in the most vulnerable places and trickle down from there. A choice must be faced to. Do you go for rules and regulation or do you want to educate people to a level of awareness that raises an on line self-regulatory constraint with them?

The start
How long do you want to wait with acting before you find out the hard way?

Here’s another link on the topic.

Wout de Natris, De Natris Consult

Haarlem, 10 April 2011


About Wout de Natris

As a consultant I specialise in establishing new and different relationships between industry, governments and law enforcement where internet safety and the fight against cyber crime are concerned. This makes me a bridge builder. Hence the blogs name. In this blog I intend to stress the need for interaction, cooperation and exchange of information in order to change the mentioned relationships. On offer: a comprehensive training on all non-technical aspects of spam enforcement and a cyber awareness presentation for companies and institutions
This entry was posted in Cyber crime, Cyber education, Cyber espionage, Cyber ethics, Cyber security, Self regulation, spam and tagged , , , , , , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s