Well, it happened again. As a security professional, I hear a lot of things being said that are exaggerated or just plain untrue. I’ve become used to that; however, there is one phrase that really drives me crazy when I hear it. That phrase is, “Why even bother trying?”
As security professionals, many of us are constantly observing situations in different settings with an eye toward security. Recently, I noticed my doctor entering his password so he could add notes to a patient profile. The password was a single digit. Just…one…digit. I couldn’t let that pass without some fun-loving teasing, which he took very well. This is when he said the magic words. He said he had just read about the SolarWinds debacle and how it had taken over so many networks, and he wondered, if they can get into those networks, “why should I even bother trying?” He knows that even though his practice is small, he is still a target. He is not confused about that, as he had heard of many other small medical offices scammed or hit by ransomware.
There it was, out in the open. The truth about how he felt. He feels helpless to defend against the attacks. He said that the person who recently set up his new digital x-ray machine told him he should not connect it to the network, but should take the data from the machine, put it on a USB drive and walk it over to his EMR station and attach it to the record there. He asked the rep why it mattered when it was going into a cloud-based system anyway, to which the rep had no good answer.
The Problem
As security professionals who live immersed in the world of scams and cyber criminal attacks, we sometimes forget that not everyone lives in this world. My chiropractor has patients to care for, the bakery down the street has pastries to finish. They are not cybersecurity experts, but they do handle valuable data, no matter the size of the organization. What they don’t have is the confidence that the time and effort they put into securing things will have any impact.
This feeling of hopelessness in the face of the threat is a real issue. While they may have an MSP (a.k.a. the IT person) that helps, the MSP is usually focused on break/fix activities or setting up new machines, not on securing the office. It can be tough to get small business owners to pay for services, like securing devices and people, when they don’t believe that there is value in doing so. Instead, they accept the risk, often without understanding what that risk really is. Even with the looming threat of HIPAA violations and potential fines, they believe that they have to risk it.
Now What?
So, how can we, the cybersecurity industry, help them? It starts with the messaging. We need to educate small business owners on the fact that most of the successful attacks they hear about among their peers are the result of human error. This error could be sending information to the wrong person, or it could be clicking a bad link in an email. Both can be avoided, or at the very least, the risk can be reduced greatly by working with the staff.
We need to stow the FUD. FUD (Fear, Uncertainty and Doubt) is the tool of marketing departments trying to sell “solutions”. We are better than that. We should educate these small business owners on the risks they face and ways to reduce those risks. They need understanding, not fear.
In my opinion, there are very few ways to reduce risk in these organizations that are better than a focus on the human factor, since this is the root of so many issues. Before starting, we need to acknowledge the issue without blaming the individuals. Yes, they are the source of a lot of issues; however, like the doctor or business owner, they have other jobs to do. To get the best ROI, training needs to be constant, not just a PowerPoint presentation once a year. This means short lessons that are relevant to them and to current events. These lessons should cover best practices for password hygiene and for spotting phishing emails, text messages and phone calls, and tie them to current events. We also need to explain why certain things are so important instead of just telling them to do it.
An example of this is teaching people that reusing passwords is bad. Rather than just demanding compliance, teaching them a little about credential stuffing can help them understand why it’s bad and has a better chance of changing the behavior. Teaching people that phishing attacks usually rely on creating an emotional response and demonstrating how that works is better than trying to teach them about every iteration of these attacks. It’s like a magic trick. Once you know how the trick operates, it doesn’t matter if the magician uses a playing card or foam ball to do the trick; you can spot the trick.
There are a lot of free tools that are valuable as well. Many of these will support the training. If you teach people not to reuse passwords, while also providing them with a tool, such as a password manager, it will help them be successful. There are free and low-cost versions for any size business.
Summary
While we won’t stop all cybercrime, we can’t choose to ignore it either. As security practitioners, we also have a role as security advocates. When we see or hear of situations with poor security hygiene, we need to address them without being judgmental and help people understand better. If we all do some of this, even for the smallest organizations, we can make progress against the cybercrime that is so rampant today.