Technological World War: Mental Crimes

Objective: make the user the company's first line of defense, not its first attacker.

If this were a war, we would have to raise our defenses to DEFCON 1: cyber attacks have increased drastically, and we have to defend ourselves. For many years, in order to strengthen our computer networks, we have concentrated our efforts on equipment and software whose sole purpose was to protect the infrastructure from attacks coming from outside the company and from the users themselves.

We have always treated the user as the company's first attacker: the person to defend against, control, monitor, and limit. The numbers supported this view: the statistics confirm that most successful cyber attacks start with a mistake or a careless click by one of our users. It was therefore natural for companies to feel the need to protect themselves from their users, all the more so because perimeter and infrastructure defenses had already reached a very high level of security, while human error remained a risk. It is enough to know that a single misconfiguration can open a security hole even when the software and equipment themselves have no vulnerabilities.

Here, we go back to human error.

We need more awareness and new procedures that help us reduce or eliminate the risk of human error (today we have DevSecOps, awareness programs, and so on). Italy, and Italian SMEs in particular, is still immature on these topics, although they are slowly catching on. The most important thing is a paradigm shift:

Make the user the company's first line of defense, not its first attacker.

Let's give users the know-how to tell safe behavior from unsafe behavior: this raises the company's level of security dramatically.

Raising awareness of IT risks is a plus for the company, but it must increasingly become a way of life at home as well. Technology is no longer tied to the office; it is entering our homes and our lives, and with it come threats to our privacy and to our loved ones' safety. The numbers speak for themselves: the growth of smart home devices is indisputable, and by connecting more and more of our private life to the world we expose ourselves to attack. The attack surface available to cybercrime has grown dramatically in recent years. We must also consider that at home we rarely enjoy the same technical protections we have in the office. The Covid lockdown, with remote and smart working, laid this gap bare: the damage has been harsh and lasting for many companies that were hit by malware and ransomware arriving through their employees' "BYOD" PCs.

Privacy and Social Engineering

We therefore have a moral and ethical obligation to become more aware of the risks to our privacy, our family, and our work: only this way can we face the third world war we have been fighting for some years now. We are all called to arms; ignorance and unawareness of risk are no longer an excuse. Today three generations use technology: on social media we find grandparents, parents, and children, and each generation has different knowledge and a different way of learning. For this reason, we insiders must help the whole technological population gain greater awareness and knowledge. Cybercriminals rely on psychological mechanisms to lure the user into their traps: installing malware or RATs (remote access trojans), stealing credentials, or taking possession of personal information and data. The enemy is lurking, invisible, clever, and well supplied with money and time.

There is no shortage of best practices, and by now we all know them:

  • Check the security of our devices
  • Check the connections we use
  • Use strong, unique passwords, and MFA wherever it is available
  • Do not disclose passwords to anyone
  • Be careful with the emails and attachments we open
  • Don't pick up apparently lost USB drives

The basic rules are well known but are often not followed, out of laziness or negligence. I occasionally think of my parents' advice when I was a teenager:

  • Don't trust strangers
  • Don't accept food or candy from strangers
  • Be careful where you step, where you go, and what you do

These "old" recommendations are just as useful today in the IT context. The problem is that even when we know them, we don't always put them into practice. Cybercrime has been exploiting people's curiosity for years: emails from an apparently authoritative sender, the news of the moment, attachments, the USB drive on the floor, and so on. All of these techniques leverage our curiosity and impulsivity.
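The lures listed above leave traces that a machine can spot before a human clicks. As an added example (not code from the article or from Eurosystem), the script below runs a handful of checks over a raw email: a display name that claims one domain while the real sender is another, urgency words in the subject, link text that shows one site while the href points to a different one, and attachments with an executable or double extension. The message it inspects is constructed for the example; the word lists and the "last two labels" domain rule are simplifying assumptions, not a production-grade classifier.

```python
"""Flag common phishing indicators in a raw RFC 822 message (added example)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: the display name claims the bank's domain, the real
# sender is unrelated, the link text shows the bank but the href goes
# elsewhere, and a double-extension executable is attached.
SAMPLE_EMAIL = """\
From: "support@bancaexample.it" <support@mail-secure-login.example.net>
To: user@example.com
Subject: URGENT: verify your account today
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Click <a href="http://login-verify.example.net/x">https://www.bancaexample.it/login</a></p>
--b1
Content-Type: application/octet-stream; name="Statement.pdf.exe"
Content-Disposition: attachment; filename="Statement.pdf.exe"

MZ
--b1--
"""

# Assumed lists; extend them to taste.
RISKY_EXTENSIONS = {"exe", "scr", "js", "vbs", "bat", "cmd", "hta", "lnk", "iso"}
URGENCY_WORDS = ("urgent", "immediately", "verify", "suspended", "today")
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_IN_TEXT_RE = re.compile(r'https?://[^\s<"]+', re.I)
EMAILISH_RE = re.compile(r'[\w.+-]+@(?:[\w-]+\.)+[a-z]{2,}', re.I)


def registrable(host):
    """Crude eTLD+1 (last two labels); fine for a demonstration."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def phishing_indicators(raw):
    """Return a list of human-readable findings; empty means nothing suspicious."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Display name pretending to be an address at another domain.
    name, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = registrable(addr.split("@")[-1]) if "@" in addr else ""
    claimed = EMAILISH_RE.search(name)
    if claimed:
        claimed_domain = registrable(claimed.group(0).split("@")[-1])
        if claimed_domain != sender_domain:
            findings.append(
                f"display name claims {claimed_domain} but sender is {sender_domain}")

    # 2. Pressure words in the subject line.
    subject = str(msg.get("Subject", "")).lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    if hits:
        findings.append("urgency cue in subject: " + ", ".join(hits))

    # 3. Attachments and links, part by part.
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            labels = filename.lower().split(".")
            if labels[-1] in RISKY_EXTENSIONS:
                kind = "double-extension " if len(labels) > 2 else ""
                findings.append(f"{kind}executable attachment: {filename}")
            continue
        if part.get_content_type() == "text/html":
            for href, text in LINK_RE.findall(part.get_content()):
                shown = URL_IN_TEXT_RE.search(text)
                if not shown:
                    continue
                shown_host = registrable(urlparse(shown.group(0)).hostname or "")
                real_host = registrable(urlparse(href).hostname or "")
                if shown_host != real_host:
                    findings.append(
                        f"link text shows {shown_host} but points to {real_host}")
    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EMAIL):
        print("-", finding)
```

Each check maps to one of the lures in the paragraph above; none of them is proof of phishing on its own, which is exactly why the final decision still has to be a human one.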

In conclusion:

Let's protect our privacy by sharing less and less, because anything can be used against us: a hobby can become our password. PHISHING and SOCIAL ENGINEERING have become one of the vectors, if not THE vectors, most used by attackers (+81.9% according to the Clusit 2020 report). These techniques exploit human weaknesses such as curiosity and impulsivity, and the attacks have become increasingly psychological (the Covid-19 lures are a case in point). What can we do? We need to make our minds and our awareness more secure, and the only way is: "THINK BEFORE YOU CLICK".

Article by Sandro Sana


© Copyright Eurosystem SpA 2022 | P.IVA 02243020266 | Dati Societari | Privacy & Cookie
