When we think of cybersecurity, we often imagine virtual code fortresses built to protect massive databases of vital information. These walls stand to keep hackers away – faceless threat actors that seek out weak spots in security systems to compromise corporate and institutional resources.
So, without further ado, here’s the cybersec kicker: more than 99% of cyber attacks require a human to click. Right now, we have a huge problem on our hands in the cybersecurity world, and it’s called the human factor. To put it bluntly, we, the people, are the weakest points in organizational security infrastructure and personal privacy. Here’s why.
You cannot persuade code and software
Hacking is difficult and forceful.
If you’re trying to breach the perimeter of a big organization, you’re facing its entire security system and the active staff behind the defenses. In other words, it’s experts against experts, and the battle can go either way.
While code, drivers, and software can have technical exploits, they have one advantage over humans – they lack emotion. You can inject malicious code into web pages or programs and change how they work, but you cannot intimidate or persuade a piece of software into giving you access to its database.
However, you can, in many ways, influence people. And so, instead of laying siege to fortresses and looking for exploits in technology, criminals often turn to social engineering.
In other words, most hackers do not waste resources banging their heads against virtual walls. They rely on humans inside the fortresses to provide necessary information that will help hackers bypass the front gates.
This approach of persuading or scaring people into giving their credentials away is called phishing. How popular is this particular method? According to Verizon, phishing was the cause of nearly 70% of data breaches in 2020.
Phishing is rampant because you can trust people to make mistakes
Compared to hacking, phishing is smooth and simple.
These days, hackers usually tailor phishing attacks to specific individuals or to employees of a particular organization. Such targeted attempts are called spear phishing (aimed at any individual) and whaling (aimed at executives); they are especially devastating forms of phishing and account for 95% of successful attacks on business networks.
Hackers tailor spear-phishing attacks using people’s personal information. Often, they pretend to be the target’s boss (Business Email Compromise) or an authoritative institution to increase their likelihood of success.
Generally, such scams can look legitimate and slip unnoticed into anyone’s work routine, especially if you receive hundreds of emails a day.
In these cases, spear phishing works because it can induce the following emotions:
- Fear of authority.
- Sense of urgency.
- Looming consequences.
In short, the spear-phishing formula is simple: we see, get scared, and click. And if we don’t follow up with any preventative measure, it’s often a one-way ticket to Hacktown from there. Read our article on phishing: what makes us take the bait?
The method is very effective, and to make matters worse, spear-phishing emails are becoming automated. While they may not yet be as effective as handcrafted ones, this is a clear sign of the direction cyberattacks are heading in – away from hacking and towards social engineering.
Our lax view of personal information provides hackers with all the right tools
We often call third-party data companies evil without really looking at our own online habits. It is quite jarring how easily we are willing to open up our lives to potentially millions of people. I’m talking about social media, of course.
Nowadays, it’s completely normal to display your life online. However, people don’t seem to be aware of how useful that is for hackers.
The information we openly provide ranges from hobbies and likes to places we frequent, countries we’ve visited, and people we know. This data can very easily be used to craft spear-phishing emails that appeal to people’s personal and professional interests.
Have you ever considered how easy it is to find answers to people’s security questions on Facebook?
- What was your first car? Let’s check if you’ve posted a selfie next to your first car on your 18th birthday.
- What’s your mother’s maiden name? Maybe your grandparents are on Facebook?
- What is the name of your first pet? How many times have you posted pictures of your favorite animal?
And the list can go on.
Your internet privacy is ultimately in your hands
VPN providers often talk about making you anonymous on the internet, which is not true. VPNs are very useful privacy tools and can bring you closer to being untraceable when browsing, but nothing can make you truly anonymous on the web.
When you surf the internet, you leave digital footprints pretty much everywhere you go.
A VPN can keep your IP (Internet Protocol) address from being tracked by websites, because the address they see belongs to a VPN server instead of your device. It also hides your internet traffic from your Internet Service Provider (ISP): all your ISP can see is that you’re connected to a VPN, while the contents of your data packets remain hidden.
However, everything else you do on the internet stays on the internet. If you’ve registered on a website using your real details, used an email address that contains both your first and last names, or purchased something with your credit card, you can be tracked.
Also, you have to be aware that by using certain services, you agree by default to share your activity with them. For example, if you search with Google while logged in to your Google account, Google sees everything you do regardless of whether you’re using a VPN, Tor, or any other privacy tool.
At the end of the day, how you browse the internet and use social media is the most important part of your internet privacy.
Awareness and due diligence are the only antidotes to security breaches and privacy violations
So we are the weakest links in our cybersecurity and internet privacy, but let’s not start lashing ourselves over it. There are ways to make your digital life safer and your company more secure.
To protect yourself from phishing and social engineering
- Train awareness and educate yourself. Learning about phishing tactics and how hackers can use them against you is the best way to protect yourself against phishing.
- For a workplace environment, a phishing course is a must, followed by due diligence training and simulated phishing attacks to keep employees alert.
- For personal well-being, reading posts online and learning how to identify phishing should prove enough. Awareness of social engineering will make you think twice before acting rashly if you ever get into a phishing situation.
- Use strong passwords. Don’t use weak passwords that are easy to guess, like “asd1234” or your name and birth date. Also, don’t use the same passwords in your personal and work setting. Better yet, get a password manager and lock it with a single strong password!
- Enable multi-factor authentication (MFA). MFA is a good second line of defense if your password fails. It’s a great way to ensure that a cybercriminal cannot get into your accounts just using your credentials alone.
- Don’t click on suspicious emails or links. These emails commonly come with urgent or scary headlines and carry malicious URLs. You can learn to spot these things with a little know-how; we have articles on how to identify phishing emails and phishing URLs on our blog.
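The cues listed above (urgency language, a boss’s name on an outside address, links whose visible text doesn’t match their destination) can be turned into a simple triage check. The script below is an added example, not from the original article; the email dicts, the domain acme.example, the executive name, and the 203.0.113.5 address are all constructed for illustration.

```python
import ipaddress
from urllib.parse import urlparse

# Fear-of-authority and urgency cues the article describes.
URGENCY_WORDS = ("urgent", "immediately", "action required", "account suspended",
                 "final notice", "within 24 hours", "or else")

INTERNAL_DOMAIN = "acme.example"          # constructed company domain
EXECUTIVES = {"Jane Doe"}                 # constructed list of whaling/BEC targets

def host_of(url):
    """Lower-case host of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def risk_signals(msg, internal_domain=INTERNAL_DOMAIN, executives=EXECUTIVES):
    """Return human-readable phishing indicators found in a parsed email.
    msg has from_name, from_addr, subject, body and links (visible_text, href)."""
    signals = []
    text = f"{msg['subject']} {msg['body']}".lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        signals.append("urgency language: " + ", ".join(hits))
    sender_domain = msg["from_addr"].rsplit("@", 1)[-1].lower()
    if msg["from_name"] in executives and sender_domain != internal_domain:
        signals.append(f"executive name '{msg['from_name']}' from external domain {sender_domain}")
    for visible, href in msg["links"]:
        h = host_of(href)
        if is_ip_literal(h):
            signals.append(f"link to raw IP address {h}")
        shown = host_of(visible) if "://" in visible else ""
        if shown and shown != h:                       # link text says one site, href goes elsewhere
            signals.append(f"link text shows {shown} but points to {h}")
        is_internal = h == internal_domain or h.endswith("." + internal_domain)
        if not is_internal and internal_domain.split(".")[0] in h:   # crude lookalike check
            signals.append(f"lookalike host {h}")
    return signals

# Constructed sample messages: one spear-phishing lure, one benign internal mail.
PHISH = {"from_name": "Jane Doe", "from_addr": "jane.doe.ceo@gmail.example",
         "subject": "URGENT: wire transfer needed within 24 hours",
         "body": "Please handle this immediately or else the deal falls through.",
         "links": [("https://acme.example/portal", "http://acme-example-portal.net/login"),
                   ("Click here", "http://203.0.113.5/verify")]}
BENIGN = {"from_name": "Jane Doe", "from_addr": "jane.doe@acme.example",
          "subject": "Lunch next week?", "body": "Any preference?",
          "links": [("https://intranet.acme.example/menu", "https://intranet.acme.example/menu")]}
```

Run `risk_signals(PHISH)` and `risk_signals(BENIGN)` to compare; the heuristics are deliberately simple and meant for awareness training, not as a replacement for a mail filter.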
To protect your online privacy
- Don’t use dubious apps and free services. If you’re using a free service, they’re likely getting their money elsewhere. Usually through your data!
- Manage the privacy settings of your apps. The less information your apps collect, the less of it will end up on the dark web after one of the thousands of data breaches that occur every year.
- Keep your social media accounts private. Don’t openly display your private social media profile for the entire world to see. It contains a lot of useful information for hackers to leverage against you or your company.
- Don’t share sensitive data on social media. The best prevention is abstinence. Seriously though, it may seem very obvious, but the information you never put online cannot be used against you.
- Use a VPN. A VPN is a great tool for improving your privacy online and keeping your data from being collected and monetized by ad brokers. The less such people know about you, the less likely your name is to turn up in one of the data breaches.
When put into practice, all of these strategies will greatly increase your security and privacy. At the end of the day, we have access to amazing technology and infrastructure. All we need to do is to stay out of its way and allow our experts to do their jobs.