This article is about #Cybersecurity’s weakest link, the human interface. I am working with a co-founder of cyberconIQ. Interested? Contact John at firstname.lastname@example.org and learn how your company can improve the human interface to prevent hacking!
Vulnerability in Networks.
What is going to be the most important vulnerability going forward? The human element.
I hear about the security flaws of wireless and specifically 5G. I wonder how many people can actually hack into a 4G and 5G network? The thing is, I don’t hear about those networks getting hacked too often.
I assume it’s because there is nothing valuable there. You could hack into a mobile network and what would you gain? Nothing that would help you make any money. Seriously, the only groups that want to know what’s going on over a wireless network are governments. Not just the US apparently, but anyone who thinks they could hear something valuable.
Here is an update, a hacker doesn’t have time to listen to hours of conversations. What good is that to hackers? You can’t spend it and even if you got lucky and heard something, then you have to blackmail or sell it to a specific party. Too much work!
Wouldn’t it be easier to get a lot of financial information at one time? Social security numbers and credit card numbers are very easy to sell anywhere on the web.
You see, hackers aren’t lazy, they are focused and smart. They are not like government hackers that have analysts that sit around to listen to hours of conversations trying to anticipate the next terrorist attack.
Update: Hackers don’t care!
They are interested in making money! Just ask any company that was hacked, what did they steal? Social security and credit card numbers. Maybe bank account numbers.
Numbers and passwords are valuable! They can be sold or used in hacking future networks.
The new hacker uses the human to gain access to the network. They use tactics other than breaking into routers and servers all the time. They look for weaknesses in the human interfaces. I mean it’s so easy when someone in Pakistan and India can set up a call center to call people endlessly.
When did hacking become a business?
Remember the IRS scandal? When did people try to pay taxes with Apple Pay cards? It was so profitable that call centers were set up in India and Pakistan. Those governments not only allow it but like to add jobs. Don’t think that’s what’s going on?
Here is proof from David Hooper’s RED podcast: He scammed them first, then he actually spoke to some of the people who worked there. There are teams of people trying to convince you to make bad choices!
Oh, by the way, do you know what the US government did about this? Nothing as far as anyone can tell.
Don’t you think that the biggest part of #cybersecurity is a bad choice? Not on the hacker’s part, but on your part.
You know that it is!
What cybersecurity threats are out there?
There are many threats out there. Starting in your email, a simple email could lead to a major security hack on your company or on you personally.
Look at what hackers have come up with to get into companies:
- Spear and General Phishing
- Targeted Social Engineering
- Deep fakes
- Affiliation manipulation
- Spoofing and hijacking
- Malware attacks
- Bait & Click
- SQL Injections
- Embedded trojans and worms
Then you have the real psychological threats that could hit even more people in even worse ways. These attacks are generally personal and targeted.
- IP Theft
- Corruption and fraud
What do they really want?
Now, if you hack into someone’s mobile device, maybe you would get their financial information but again, that is one person and has little value to most people.
That is why stores and credit card databases get hacked. They are the big payoffs for hacking larger databases. So many users are all stored in one place and so easy to access.
The thing is, when they get the information, they understand that it’s not valuable right away. The thinking is that they will hold onto it for about a year and then see who didn’t make any password or username changes.
Hackers are really smart. They also have a lot of time to do any of this. Put that together and then you realize they can be dangerous.
Here’s the thing, while we see it as a risk to do this, they do not. They have ways of masking what they do and becoming invisible in less time than it takes to click your keys.
I was listening to a cybersecurity conference call, and the one thing that someone said is, “Risk is not an emotion”. This probably doesn’t mean much, but risk is a key element to the decisions we make.
The emotions involved are fear, insecurity, and anger.
Have you ever heard someone say they are “risk-averse” or they “avoid risk”? What does that even mean? Do they cross any streets or drive in cars? Everything can be a risk.
Here is what I am learning, the biggest risks are not on the network from hackers endlessly hacking into a router or server. They do that, but technology helps them overcome the risks.
The real risk is people. Not the hackers, but the people that work at the business, government, or could be on any computer.
Did it ever happen to you?
- Should I click that link or not? It all starts here! Then they added language to this simple action.
- Should I see that the creditor is complaining about it? It looked so real!
- Should I update my credit card account? You’ve seen these from what looked like a real company.
- Was my Facebook or LinkedIn account hacked? For real?
- Do I want to see (Female star’s name here) naked? We’ve seen all the names, mostly Brad Pitt’s ex-wives like Jennifer Aniston and Angelina Jolie. I mean honestly, if you didn’t know better, of course, you would click.
- Should I click on this DocuSign document to get into my company’s SharePoint to sign this document? It’s so convincing and I work with that person, how can it not be true? Yet, another scam!
At the time, it seemed harmless, but then reality sets in and you realize how much you are exposing yourself, your money, your career, and your company.
Yes, bad choices can break us in life and in cybersecurity. The thing is, in today’s world, IT gurus are always updating hardware and virus protection.
The thing they can’t do effectively is update humans. They can try to train them, but each human has a somewhat unique operating system. Some may understand the training while others don’t. Some care and others don’t. Some will take it and others won’t.
Sure, we train humans to do better, especially when we’re alert. Then, after working super long hours, or coming in early because the company wanted us to, we have a moment of weakness! Then, at that moment we make bad choices or we’re careless. Haven’t we all made bad choices? I know that I have.
Don’t deny it, you made them too! It’s not just when we’re out drinking in a bar or trying to pass by the bakery without buying something that smells so good. We may have a moment of weakness, poor judgment, or justify that this choice is OK right now.
I made way too many to count.
What if the biggest part of cybersecurity could be thwarted with a simple app that points out people who make bad choices?
What if an app could tell us how to gear our training for each specific group of people to help them make better choices?
That would be worth a lot, wouldn’t it?
Email email@example.com to learn how you can get this amazing app to stop hackers before they get past the weakest link!
It’s happened to all of us, right?
You know what I am talking about. You got the emails. Phishing, Smishing, or any information you may get could be a potential hacker asking you for information.
While you may think you will never get sucked in, you should know better.
Let me tell you what happened to me. I was working with a team, believe it or not, it was an IT group working for a large financial firm. We were working through documentation when suddenly, I got an email asking me to sign in and get a document on the Microsoft SharePoint website, which they had.
Guess what, it was a hacker and it was because someone had dropped some type of phishing bomb on his laptop and it just so happened to come out when I was looking for documents from him.
Suddenly, I have to change my login and password for all of his stuff. It’s true. Sometimes hackers get lucky and it happens at the time you’re in a project.
Bastards! They got me and I had to change all my passwords that day.
It’s such an inconvenience, but luckily I found out right away. If I had assumed the link was broken, then what? I would have waited an hour or so to try again.
It was an honest mistake, but it could have been a disaster! What would I have done if they started hacking into everything within minutes?
The thing is, most of us rely on Microsoft, which can be frustrating most of the time. So we wait to try things again, but that time waiting could be enough time for someone to hack you. Luckily, most hackers are pretty patient and have better things to do than try to hack into my network in real-time.
My point is that the human is the weakest link in the chain. Most of us don’t do it on purpose. Some of us are more gullible than others but sometimes hackers get lucky. They find a way to get in and they try to match up where you work with the tools you have and make it become an easy mistake.
Cyber awareness is a thing that can help us identify potential problems before they arise. Companies are trying to find out how vulnerable they are by sending out phishing emails generated by a contractor. It’s interesting that they would send it out to identify potential risks. However, what good does it do? It educates people.
However, as I said, hackers are smart. They work hard to overcome the obvious when hacking a professional company. It’s not like some guy in some country you never heard of is asking you for help.
When you get those emails, most of us know it’s a scam. They prey on the ones who don’t. That’s why the spelling errors are intentional. They know that if you understand it then you know it’s a scam.
One of the best outlines of this scam was done by James Veitch, who brilliantly put together a complete conversation with those scammers and turned the tables. Take a look at his TED Talk on YouTube, found at https://youtu.be/_QdPW8JrYzQ. It’s a great portrayal of how he could waste their time instead.
Back on track, cybersecurity’s primary weakness is you and me. It’s all about us being human and our weaknesses. We don’t do stupid things intentionally; sometimes we don’t know better, or we’re in a hurry, or we just get confused. It happens.
Hacking today requires more than technology. Today, psychology is a huge factor. We all learn, like filtering out spam emails or spotting an email from Winnie Mandela asking you to transfer $45 million and offering to give you 10%. I think we all know that’s a scam.
However, when we get an email that matches everything we are currently doing and asks us to log into a SharePoint site using our company log on information, then we have an issue.
- They have our email address, how did they get that?
- They asked us to go into a familiar site we may use often at work. How do they know that?
- They send us to a dummy site where we enter our username and password because we think it’s a site inside of our company. Now they logged all your keystrokes.
- What’s next? Even if you change your password right away, what if they have access to your email? They could change it again in the future.
- What do you do? Change all your passwords: network, website, email, any way you can.
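The scenario above hinges on a link that looks like a familiar company site but leads somewhere else. Here is an added example, not part of the original post, of a check a mail filter or a curious reader could run on a message body; the trusted host list, brand words, and sample message are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: hosts your organisation really uses for sign-in (constructed values).
TRUSTED_HOSTS = {"contoso.sharepoint.com", "login.microsoftonline.com"}
BRAND_WORDS = ("sharepoint", "docusign", "microsoft")

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_trusted(host, trusted=TRUSTED_HOSTS):
    # Exact match or a true subdomain; "sharepoint.com.evil.example" does not pass.
    return any(host == t or host.endswith("." + t) for t in trusted)

def flag_suspicious_links(html_body, trusted=TRUSTED_HOSTS):
    """Return (host, reason) for links that borrow a familiar brand but go elsewhere."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = (urlsplit(href).hostname or "").lower()
        if not host or is_trusted(host, trusted):
            continue
        branded = [w for w in BRAND_WORDS if w in host or w in text.lower()]
        if branded:
            findings.append((host, "uses '%s' but host is not trusted" % branded[0]))
    return findings

# Constructed sample message body, not a real phishing email.
SAMPLE = ('<p>Please sign: <a href="https://contoso-sharepoint.login.example/doc">'
          'Open in SharePoint</a> or visit '
          '<a href="https://contoso.sharepoint.com/sites/docs">the team site</a>.</p>')
print(flag_suspicious_links(SAMPLE))
```

A check like this only catches links that reuse a brand name on an untrusted host; it does not replace reading the address bar before typing a password.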
It is tough to stay on top of what these yahoos are doing. They are really smart, determined, and found a way to automate all of this crap.
While you and I struggle to remember our passwords and usernames, they automate it much like Google does for you in your Chrome browser.
The real threat today is you!
Let’s face it, technology is making security better every day. There are still ways for hackers to get in and find new access, but the weakest link is you! That’s right, silly humans. The human factor is one of the biggest vulnerabilities in any network.
You will hear people say that they take no chances or avoid all risks. How much of that can be said for every employee in the company?
Do you know if all your people paid attention to the training? Did they really understand it? Do they honestly think that they are the risk?
Sometimes companies pay people to send internal phishing and spam so that they can determine the level of risk. This is one way to make sure that you have breaches but let’s face it, many of those messages look like spam.
It’s when the spam looks just like an internal email. Not about paying a bill or getting a fee for opening an account in the US for some prince in Zimbabwe.
When you get a relevant email that has the internal company information and perhaps even a familiar link inside, it’s hard to pick those apart.
Hackers are smart. They find ways to get this information. They work all day to perfect the emails so that we get fooled. They are getting better and better at this.
What can be done? How do you save yourself from yourself?
Most companies now are becoming proactive. There is a cybersecurity solution that starts with an app. A team I know put together a solution to ask employees prior to hiring them who will be the most vulnerable.
It all starts when you hire someone upfront. If you could have them do a simple online quiz that would show you how risk-averse they are, it would help. This questionnaire may be able to put some psychological profiles together with simple questioning to build an understanding of where they stand.
Then, once you understand how vulnerable that person could be to a cyber attack then you may be able to make better hiring decisions.
The team at CyberConIQ came up with a way to test people around their level of risk-taking. A way for you to evaluate how vulnerable someone is prior to hiring them.
This is not a catch-all, end-all, but it will help you make decisions on hiring, security training, and how to target your messages to your teams.
This is going to revolutionize the cybersecurity industry by adding the psychology of cyberattacks to the hiring process.
Now you know who may be more vulnerable, but more importantly how to train your workers to be less vulnerable. The idea is to understand your workforce and train them appropriately.
Getting the message out to your teams in a way they will understand and accept is the key goal for any security team.
I am pretty sure you can’t just say, “don’t be stupid”. That is not a strategy and has little value in training and morale.
You need to understand how your team is vulnerable. Then train them appropriately.
#Cybersecurity is a process in which we can all make a contribution.
I don’t want to be the weakest link, do you?
Contact John at firstname.lastname@example.org and learn how your company could stop hackers from getting past the weakest link! The human element!