As human beings, we are programmed with a desire to help others in need, but this is one of the reasons that hackers are so successful in infiltrating our networks.
This week the Black Hat Conference takes place, followed by DefCon (in its 25th year); both cover the security landscape and feature plenty of insights into cyberattacks and ways of preventing them. The keynote at DefCon this year is focused on “Making Security Work for Everyone” and features Alex Stamos, the chief security officer for Facebook. Last year I was lucky to be in the room during the Social Engineering Capture the Flag (SECTF) competition at DefCon 24, when the winning participant was on stage.
Each year SECTF participants compete to extract information from a list of target companies over the phone simply by using clever subterfuge and social engineering skills. It was an eye-opening experience to witness the ease with which a complete stranger was able to create a trusting relationship with an employee in the target company and obtain a large amount of information (you can read the details of the competition, targeted companies, and the information contestants were asked to gather online here).
This approach, leveraging social engineering, is not the end game for cyberattacks, but it is increasing in use and even being automated. The use of artificial (or augmented) intelligence (AI) is being explored in many fields, and hacking is no exception. Security companies are using AI to help automate protection, but there is no reason hackers won’t use the same approach to increase the number and sophistication of their attacks.
Security is Everyone’s Responsibility
The intent of the aforementioned competition is to expose risks and educate individuals and employees about them. Investing in education regarding company security fulfills a corporate goal but is a bit like offering health insurance to employees: it gives them value as well. Not only are they better-equipped to protect the corporate assets and information, but they are better positioned to protect their own personal assets and finances.
We don’t hear too much in the news regarding the “Nigerian 419 Scam” – but that’s not because it isn’t impacting people. As this chart shows, the scam resulted in the collection of $12.7 billion in 2013 alone.
We remain under constant attack, with variations of these approaches and other methods like phishing, vishing, and smishing (email-targeted, voice-targeted, and SMS-targeted attacks, respectively). Security needs to be everyone’s responsibility and has to come from the very top of the organization. It’s the same for any family. In my household, I invest a lot of time explaining these attack vectors and sharing stories of individual and corporate failures and losses that came as a result of poor security. I never miss an opportunity to use examples from all around me to illustrate why security matters and what you can do to achieve it.
The same should be true in any corporate environment: security needs to come from the board and CEO down. It can’t be an edict that applies just to employees while senior leadership is either ignoring or even bypassing the recommendations and training. Companies that have clear security guidelines and equip their employees to deal with potential attacks perform better and have lower risks of being breached.
Incremental Improvements for Employees in Managing Security
The recent WannaCry ransomware outbreak, closely followed by the Petya outbreak that swept around the world and crippled many companies and services, offered a window into future potential challenges and raised awareness regarding security. Here are my suggestions for incremental improvements:
- Make security a top-down primary focus for your organization.
- Offer training to your employees on security attacks and mitigation.
- Train and encourage everyone to question information requests so they can make good decisions.
- Make learning about security fun and practical.
- Help everyone understand the value of information in the context of security.
- Consider developing simple security protocols that are easy to learn and follow.
- Test your security.
Do you have any other suggestions? What small change have you seen that makes a big difference when it comes to improving security in your organization, and in healthcare in general? What one thing could we do that would have a big impact in this area?
Please don’t hesitate to contact me with suggestions.