This May, the world got a wake-up call about the speed and disruption that can result from a concerted cyber attack on our computer infrastructure. At the time of writing, the exact origin and method of attack behind the global WannaCry ransomware attack were still unclear, although a mixture of phishing attacks, NSA cyber weapons and outdated operating systems were favored vectors.
The effects of being unable to access data and perform IT operations were clearer to see – canceled surgeries in the UK, chalkboard travel signs in Germany and halted car production in France. All from what has been pretty much dismissed as a “low-level” attack – worrying times!
If you’re hastily looking up the words “phishing” and “ransomware,” that is a clue as to how these things happen. We – the American public – simply don’t know enough about the ins and outs of internet security. And the same applies in Europe and the rest of the world, given the spread of WannaCry to more than 150 countries.
Before we can move toward fixing that knowledge gap, we need to get a grip on the stats. The Pew Research Center did just that for its survey released in March, What the Public Knows About Cybersecurity. Here is what Pew found:
The Problem: What We Don’t Know
The good news is that we are not totally clueless when it comes to cybersecurity. For example, Pew found that most of us can recognize a secure password when presented with a list. Also, few of us would log in to a public WiFi network and then access our bank accounts.
After that, things start to get a little shaky. For example, when shown a series of screen grabs which included a CAPTCHA code and a prompt for security question responses, only 10 percent of participants correctly identified an authentication protocol. Perhaps more surprising – to industry insiders at least – was that only a third of respondents knew that the https:// prefix on a URL indicated that information entered is encrypted.
Other blind areas in the American cyber psyche included how our data is tracked. Only 39 percent of us knew that our internet service providers (ISPs) can see our search history even when we are browsing privately. Fifty-two percent of respondents understood that turning off their cellphone GPS settings did not protect them from having their locations mapped, but over a quarter didn’t have a clue while 22 percent thought that information was plain wrong.
Even the term ransomware only made sense to less than half of those questioned – although we suspect that percentage may be a touch higher now due to the publicity surrounding WannaCry.
The Solution: Shining a Light
If the message about cybersecurity is not getting through, rather than shout louder, perhaps it’s time we changed the message. It’s interesting to note that many of the questions that participants were unsure about contained tech jargon. For example, 73 percent didn’t know what a botnet was and 70 percent didn’t know that a virtual private network (VPN) offered some protection when using insecure Wi-Fi. Faced with unfamiliar and poorly explained terms in their training literature, it is little wonder that company employees sometimes switch off and let important security advice sail over their heads.
The fact is that we don’t really need to know what encryption is or what URL stands for to know it is safer to browse an https:// site than one starting with http://. In fact, this is one area where we probably know more than we think. If the statement in the Pew survey had been rephrased: “https:// and a padlock symbol in a web address means a safer site,” perhaps many more people would have agreed. We relate to padlocks and “s for security/safety” much more easily than multi-syllabic, techy words like encryption and abbreviations such as URL.
The cybersecurity industry can help itself here. In addition to providing dynamic, engaging training materials, companies providing IT consulting and IT support services to businesses can dial down on the detail when it comes to teaching good practice. If they focus on simple language and commonplace ideas, clients will be more likely to take ownership of their own security.
As things stand, when faced with their own lack of expertise, business owners are often happy to throw money at the experts to ease their fears. They may nod when you warn them about avoiding phishing, patching exploits and setting up strong authentication, but if they don’t know what you’re talking about, they aren’t going to do it. But when a cyber attack does happen, bang goes the client, and your reputation can suffer as a consequence. Everybody loses.
Faced with a public that is unclear about many cybersecurity issues and a highly knowledgeable industry, perhaps the best way forward is to meet in the middle. By making cybersecurity information more accessible to the non-technical population while encouraging everybody to take responsibility for arming themselves with basic knowledge, we may limit the damage of the next global cyber attack. Threats can never be completely eliminated, but every secure device halts the spread of malware and saves individual businesses and the economy as a whole.
Of course, knowledge isn’t all we need to keep safe online. We also need to turn that knowledge into action. Our ideas about risk and reward will also play a part. We may be totally aware of what makes up a decent password, but if we don’t think there is much of a threat we will probably run the risk of choosing a simple password. It’s simply more convenient than working out how to set up a password manager or finding a secure way to note down a random string of letters, numbers and symbols.
Hopefully, one benefit of WannaCry is that it might have taught us that some risks are just not worth taking.
About the Author
Brent Whitfield is the CEO of DCG Technical Solutions Inc. DCG provides specialist advice and IT services Los Angeles-area businesses need to remain competitive and productive, while being sensitive to limited IT budgets. Brent has been featured in Fast Company, CNBC, Network Computing, Reuters and Yahoo Business. DCGLA.com was recognized among the Top 10 Fastest Growing MSPs in North America by MSP mentor. You can follow him on Twitter at @DCGCloud.