BreachExchange mailing list archives

Before decrying the latest cyberbreach, consider your own cyberhygiene


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 24 Feb 2015 19:06:27 -0700

http://theconversation.com/before-decrying-the-latest-cyberbreach-consider-your-own-cyberhygiene-37834

The theft of 80 million customer records from health insurance company
Anthem earlier this month would be more shocking if it were not part of a
larger trend. In 2013, the Department of Defense and some US states were
receiving 10–20 million cyberattacks per day. By 2014, there was a 27%
increase in successful attacks, culminating with the infamous hack of Sony
Pictures.

Much of the media focus is on the losses rather than the process by which
such breaches take place. Consequently, instead of talking about how we
could stop the next attack, people and policymakers are discussing punitive
actions. But not enough attention is given to the actions of individual end
users in these cyberattacks.

We are the unintentional insiders

Many of these hacking attacks employ simple phishing schemes, such as an
e-card on Valentine’s Day or a notice from the IRS about your tax refund.
They look innocuous but when clicked, they open virtual back doors into our
organizations.

It is you and I who click on these links and become the “unintentional
insiders” giving the hackers access and helping spread the infection. Such
attacks are hard to detect using existing anti-virus programs that, like
vaccines, are good at protecting systems from known external threats — not
threats from within.

Clearly, this virtual battle cannot be won using software alone. In the
same way personal hygiene stymies the spread of infectious disease, fixing
this cyber quandary will require all of us to develop better cyberhygiene.
We need to begin by considering the cyberbehaviors that lead to breaches.

My research on phishing points to three. Firstly, most of us pay limited
attention to email content, focusing instead on quick clues that help
expedite judgment. A picture of an inexpensive heart-shaped valentine gift
gets attention, oftentimes at the cost of looking at the sender’s email
address.

This is coupled with our ritualized media habits that our always-on and
accessible smartphones and tablets enable. Many of us check emails
throughout the day whenever an opportunity or notification arises, even
when we know it is dangerous to do so, such as while driving. Such habitual
usage significantly increases the likelihood of someone opening an email as
a matter of routine.

And finally, many of us just aren’t knowledgeable about online risks. We
tend to hold what I call “cyber risk beliefs” about the security of an
operating system, the safety of a program, or the vulnerability of an
online action, most of which are flawed.

Cleaning up our cyberhygiene act

Developing cyberhygiene requires all of us — netizens, educators, local
government, and federal policymakers — to actively engage in creating it.

To begin, we must focus on educating everyone about the risks of online
actions. Most children don’t learn about cybersafety until they reach high
school; many until college. More troublingly, some learn through risky
trials or the reports of someone else’s errors.

In an age where online data remain on servers perpetually, the consequences
of a privacy breach could haunt a victim forever. Expanding federal
programs such as the National Initiative for Cybersecurity Education, which
presently aims to inspire students to pursue cybersecurity careers, could
help achieve universal cybersecurity education.

Second, we must train people to become better at detecting online fraud. At
the very least, all of us must be made aware of online security protocols,
safe browsing practices, secure password creation and storage, and on
procedures for sequestering or reporting suspicious activity. Flawed
cyber-risk beliefs must be replaced with objective knowledge through
training.

Although some training programs address these issues, most target
businesses that can pay for training. Left out are households and other
vulnerable groups, which, given the recent “bring your own device to work”
(BYOD) trend, increases the chances that a compromised personal device
brings a virus into the workplace. Initiatives such as the Federal
Cybersecurity Training Events that presently offer free workshops to IT
professionals are steps in this direction, but the emphasis must move
beyond training specialists to training the average netizen.

Finally, we must centralize the reporting of cyber breaches. The
President’s proposed Personal Data Notification and Protection Act would
make it mandatory for companies to report data breaches within 30 days. But
it still doesn’t address who within the vast network of enforcement
agencies is responsible for resolution. Having a single clearing house that
centralizes and tracks breaches, just like the Centers for Disease Control
and Prevention tracks disease outbreaks across the nation, would make
remediation and resource allocation easier.

Across the Atlantic, the City of London Police created a system called
Action Fraud, which serves as a single site for reporting all types of
cyberattacks, along with a specialized team called FALCON to quickly
respond to and even address impending cyberattacks. Our city and state
police forces could do likewise by channeling some resources away from
fighting offline crime. After all, real world crime is at a historically
low rate while cybercrimes have grown exponentially.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/