Because people know that I’m a professor of IT who teaches Cyber Security, one of the questions I am repeatedly asked (usually, it’s more of a statement than a question) is: “it’s just impossible to stop ‘them’ (substitute criminals, China, N Korea, etc. for “them”) from hacking.” Those who ask this (or perhaps, state it to me) just throw up their arms as if it’s a foregone conclusion. But I posit that it’s NOT. To quote the cartoon character Pogo (paraphrased from US Navy Commodore Oliver Hazard Perry in the War of 1812), “we have met the enemy, and he is us.” That’s right, you just cannot remove people from the system. And consequently, you just cannot remove the lunk-headed, misguided, or just plain ignorant (accidental) things that people do from a computer system. When people click on links in spear-phishing e-mails, they can compromise their entire network, because that link may drop malware onto their networked desktop.
In the opinion section of today’s CNN, in the article “Why the Cyberattacks Keep Coming,” Associate Professor Arun Vishwanath of the State University of New York at Buffalo makes that very claim – that we are the insiders who unintentionally hand over the keys of the network to the bad guys. He gives two good reasons why insiders (employees) accidentally hand the keys to the kingdom to hackers. The second is something that I teach my students here at ASU over and over again, and I’ve mentioned it in several presentations and TV interviews:
The second problem stems from people’s cyber habits, where many online actions such as checking emails and texting have become so routine that people are often unaware of when they perform these behaviors. As a result, many people quickly open emails or mindlessly click on links and attachments with nary a thought of the consequences. Smartphones, which the majority of us now use to connect to the Internet, have further exacerbated the problem by making it possible for people to check email frequently while simultaneously being engaged in a number of other activities. Smartphone apps and screen sizes also restrict how much information is presented, which can make it difficult to check the veracity of an email even if one is so inclined.
I often teach that users need to “mouse over” a link in an e-mail to see where it’s actually going before clicking on it. Once you see that the link goes somewhere other than where you thought it would, you’ll know enough not to click on it, and to delete the e-mail. He makes that point – that we need to train users how to spot a fraudulent e-mail. I use the Sonicwall e-mail test in my classes (and presentations) to show people how to spot one.
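The same “mouse over” check can be automated on the receiving side. The script below is an added example (not from the CNN article or from Sonicwall): it parses the links in an HTML message and flags any whose visible text names one host while the href actually goes to another, as well as links that hide the real host behind an “@”. The message it scans is constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message (not a real e-mail): an honest link, a link whose visible
# text names one site while the href goes elsewhere, and a link that hides the real
# host behind an "@" (a browser ignores everything before the "@").
SAMPLE_HTML = """
<p><a href="https://www.example.com/statements">https://www.example.com/statements</a></p>
<p><a href="https://login.example.net/verify">https://www.example.com/account</a></p>
<p><a href="https://www.example.com@203.0.113.7/login">Update your password</a></p>
"""

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the message."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def real_host(url):
    """Host the browser would actually contact (the part after any '@')."""
    return (urlsplit(url).hostname or "").lower()

def displayed_host(text):
    """Host named in the visible link text, or None if the text is not URL-like."""
    m = re.match(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.strip().lower())
    return m.group(1) if m else None

def audit_links(html):
    """Return (href, text, reason) for every link whose true destination is disguised."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        shown, actual = displayed_host(text), real_host(href)
        if "@" in urlsplit(href).netloc:            # userinfo trick: real host is after '@'
            findings.append((href, text, f"real host is {actual}"))
        elif shown and shown != actual:             # text says one site, link goes to another
            findings.append((href, text, f"text shows {shown}, link goes to {actual}"))
    return findings
```

Running `audit_links(SAMPLE_HTML)` reports the second and third links; the first, whose text and destination agree, passes.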
We’ve all just become so used to technology that we expect anti-virus software, firewalls, etc., to do the job for us, when, in fact, we need to become more tech-savvy and do the job ourselves. Since so many attacks succeed because hackers obtain information that we ourselves have handed them, we all need to be trained to reject their advances and to make sure we don’t make their job easier by falling for their lures.