To Do: Morning jaywalk. Post-lunch swim. After-dinner espresso. Face it, humans are fallible. We do things every day—and sometimes all day—that we know we “shouldn’t” do.
Most people know that they should have strong passwords, that those passwords shouldn’t be reused, that they should be suspicious of emails that contain unexpected attachments and that they must be careful when using public WiFi. But time after time, humans prove that they don’t always adhere to best practices. This makes us the weakest link when it comes to cybersecurity. Criminals routinely seek to exploit individuals rather than systems because they understand just how effective social engineering techniques are on busy, distracted people who might not have cybersecurity at the front of their minds.
It is incredibly easy, and cheap, for bad actors to send out an email that contains a file with embedded malware or that gets you to reset your password on a look-alike fake website to phish for credentials. Once these criminals have gotten you to install the malware or have your credentials, they can wreak havoc on your network: holding data ransom in exchange for cash or bitcoin, sifting through documents for trade secrets or exposing sensitive emails and internal discussion to create bad press for your organization. This method is so effective that 91 percent of cyber-attacks start with a phishing email.
While it would be impossible to entirely eliminate the risk posed by human factors, there are ways for organizations to substantially decrease their risks. Some technologists preach eternal vigilance and that users should consider every website and email suspect. Unfortunately, this is not realistic in the real world, and we know people will slip up. So what does work?