CONTENT MARKETING SPECIALIST

Less than a year ago, when I started documenting and writing about cyber security and privacy, I was a skeptic.

I thought that it’s all just a big bubble that is being artificially pumped. I was reading what the media and the blogs were publishing about this industry and all I could think of was “that’s so much bullsh*t!”.

That’s because most of the articles on security and privacy are trying to stir up panic.

It’s enough to scan the headlines and you’ll be under the impression that we’ll all get hacked eventually. Or that we were already hacked, but we don’t know it. And that there’s nothing we can do about it – it’s hopeless, the danger is everywhere!

Stories about hacks and data breaches became the norm. Every individual, company, product and app seems to be vulnerable. The writers overused strong, terrifying terms, like “ransomware”, “spyware” or others-ending-in-ware. Terms whose meaning most people don’t know.

Media manipulation through fear and panic

And then I started to read a lot about the whole ecosystem. By “read” I mean books and courses. Evergreen content. Content that’s well documented and links to multiple other sources for readers to check for themselves.

I read about how computers are made and how the internet works. About the first hackers, the first viruses, the first attacks. How we are all interconnected. How malware succeeds. I worked hard on building my foundation. That foundation helped me discern between real threats and exaggerated, distorted or over-simplified ones.

But this whole education on cybersecurity and privacy takes time, time that most people don’t have (nor do they realize that they need to keep their guard up against media manipulation).

No time

When you are drowning in an ocean of information and conspiracies, when there’s so much noise around you, how do you discern between the experts and the frauds?

How can you spot the dangers that are tangible from the ones that are only hyped up by the media or companies?

When are articles written with the never-ending quest for views in mind, and when do they describe real threats?

What’s even worse: a possible side effect of all these bad stories is that people will become immune to them. The threats will have to increase, to become bigger and badder, in order to capture their attention – a vicious cycle. And then people will probably just give up on cyber security.

If the danger’s right around the corner and you can get hacked anyway, what’s the point in fighting, right?

Below I tried to put down some of my biggest questions born from a debate with my inner skeptic. All the things that I learned so far from my journey. Hope they’ll help clear the path through the cybersecurity and privacy jungle.

And please feel free to share your own doubts in the comments section at the end of the article.

Puzzle chaos


Dialogue with my inner skeptic on why cybersecurity matters


1. Me being skeptical about statistics:

All statistics, studies and polls that are published have an agenda. They are usually paid for by security companies, who want to make people panic so that they buy their products or services. Others are intentionally distorted by the media, with the intention of bringing in traffic and views and then making more money from ads.


Me being realistic:

That’s generally true. BUT… the keyword here is “generally”. You shouldn’t generalize. Don’t completely dismiss all the statistics from the start, just because they MIGHT be based on a hidden agenda. Sometimes, you might even run into some valuable data.

Do a little digging for yourself. Try to act like a journalist. Seek facts, look for multiple sources, see what other similar studies have to say, analyze them, draw your own conclusions.

Find out who conducted the research or the survey. Read the original research, not just the press release or what the media decided to highlight.

On how many users was it conducted?
During what period?
What were the methods used? Did they analyze the users directly, or were the users asked to report on themselves?
Is it really representative of the current online landscape? When you put it in context, how relevant is it?
How likely is it to affect you?
What interesting or valuable information can you draw from it?

It doesn’t have to be a process as complicated as the one shown in this photo in order to reach a conclusion:

Check statistics and researches


2. Me being skeptical about the odds of being hacked, part I:

I don’t care about cyber security, I don’t have anything valuable, hackers couldn’t steal anything from me, they would just waste their time. I’m nobody.


Me being realistic:

Hackers aren’t personally checking your bank accounts and reading your emails before deciding if they should attack you or not. Most of the attacks nowadays are automated.

Just a quick example: do you have files and folders on your PC? Then you’re at risk of ending up with ransomware. That’s a type of malware that will encrypt all your files and folders. After it does that, it will only show you a message asking you for money in return for the key to decrypt them. The instructions are clear: send X money here, or else you’ll never see your files again. You didn’t have any backup? That’s too bad, shut up and pay.

Lately there’s been an increase in hospitals attacked with ransomware. Medical organizations are at risk because of two main factors:

1 – their personnel usually don’t have IT or tech skills, so they don’t know the risks they expose themselves to online
2 – they are more likely to pay in order to have their systems unblocked, as lives are at stake.

Ransomware attacks on health facilities

How does one become a ransomware victim? That’s easy, there are a few things that need to align for a successful attack:

  • An attacker finds a vulnerability in a (perfectly legit) website or server, admin console, account, plugin, etc. The attacker takes advantage of the bug and injects malicious code.
  • A user visits that website. It doesn’t matter how they ended up there. Their system is automatically scanned for security flaws, such as an outdated browser or plugin. The user doesn’t have to click on a pop-up or weird link in order to be served ransomware; all it takes is that they open an infected (but totally legit) website or view an infected ad.


Simple ransomware infection chain

One of the recent campaigns involved websites like BBC, The New York Times or AOL.


3. Me being skeptical about the odds of being hacked, part II:

I don’t think I know anyone who’s ever been attacked or hacked.


Me being realistic:

That doesn’t mean that my friends and acquaintances were never hacked; it just means that they weren’t aware of it. Plus the fact that I need to concentrate a little to remember, as I tend to occupy my memory with something else.

Most common scenario: I have friends (or, to be more accurate, let’s just call them online buddies) who will click on any link they receive on social networks or instant messaging services. They have an ill-founded sense of protection on those networks, as if nothing bad could happen to them. And then they’ll click on links that lead them to phishing websites or malware-infected ones.

Best case scenario, they end up with adware or other types of malware and their accounts further propagate the infection. Worst case, they give away their credentials, someone else gains access to their accounts, steals all their data and ruins their reputation.

Actually, this is what happened in one of the most famous hacks known so far, the infamous Fappening. The victims clicked on phishing links they received via social networks or emails, thus giving away access to their private accounts. And photos. Nude photos. That were leaked. Oops.

Find out more about social scams and how to protect against them.

Permanently connected online

Another scenario, this time more personal: I have relatives who were unaware of the fact that they had ended up on illegal websites, with pirated movies or TV series. They thought that if those movies are there, available for free to anyone who wants to access them, then they must be legal and nothing bad can happen. Makes sense, right? They were convinced that illegal websites would be much harder to find. Or would be taken down immediately. As a result, they got their systems infected with malware.

And another story, this time with a happy ending: my dad received a text message from his bank, with a confirmation code for an online order that he never placed. If he hadn’t activated that extra protection for his bank account, the order would have been placed, the money taken from his account, and it would have ended in a big headache. And plenty of energy lost in order for him to correct the situation.

These are all just some common, low-level hacks. There are worse hacks happening all the time, the ones with the biggest impact targeting companies. It doesn’t have to be someone unknown; it can be an attack driven by a vengeful ex-employee or a competitor.

Not to mention that lately there’s been a growing (and concerning) trend in cyber attacks that target government-controlled vital points, such as power plants or infrastructure.

Carbon power plant cyber attacks


4. Me being skeptical about the odds of being attacked, part III:

I already have some good security habits in place. And strong technology that keeps me protected. I don’t need to be bothered with more security.


Me being realistic:

I was under the exact same impression. And then I got hacked by an ex-employee that I had just fired. I had all kinds of security layers in place, such as an antivirus and strong passwords (two-factor authentication for Google wasn’t available back then).

Unfortunately, I never thought that the danger could be so close to me. I never even imagined the possibility that someone so close to me would want to do harm.

Yes, call me naive and stupid, but sometimes you just miss the forest for the trees.

Lost in the forest


5. Me being skeptical about why cybersecurity should be so hard:

But I’m lazy, cyber security is hard, ain’t nobody got time to change their passwords on a regular basis, make them unique AND remember them. I have too many accounts for that to be feasible.


Me being realistic:

We all get lazy. It’s a pain in the ass to remember to change your passwords constantly (and to actually do it, not just remember you have to do it).

But we should also be aware that strong passwords are the easiest and handiest way to keep intruders out of our accounts.

Of course, they are not enough; we should also activate two-factor authentication on every possible account (I still don’t understand why this is not activated by default).

But back to passwords now. If we used the same, easy-to-guess password for all of our accounts, attackers would quickly gain access to all of them. And as they are all interconnected, from there they would be able to access work documents, personal conversations and photos, our social accounts, shopping websites, and more.

Try to remember the following analogy when you feel you are too lazy to set up strong, unique passwords: we never use the same key for our car, our home and our office. If we lost it or it were stolen, the thief would have access to all of our assets.

It’s the same with passwords for our online accounts: if we don’t set unique passwords and a hacker somehow manages to find out one of our passwords, then they’ll have access to the rest of our accounts.

Second argument to keep in mind: a password cracking server can try out more than 100 billion passwords every second. Can you imagine that? And an 8-letter random password means about 200 billion possible combinations. I’ll let you do the math on how long it would take to break that password.
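As an added example (not part of the original post), this Python snippet carries the post’s 100-billion-guesses-per-second figure through to the time an exhaustive search would need for several character sets and lengths; the character-set sizes are my assumptions, with the 26-letter set matching the post’s 8-letter example.

```python
# Added example: worst-case time to exhaust a random-password keyspace at the
# guessing rate quoted in the post (100 billion guesses per second).
from math import log2

GUESSES_PER_SECOND = 100_000_000_000  # figure quoted in the post

# Assumed character sets; "lowercase letters" is the post's 8-letter example.
CHARSETS = {
    "lowercase letters": 26,
    "letters and digits": 62,
    "all printable ASCII": 95,
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct random passwords of the given length and alphabet."""
    return alphabet_size ** length


def seconds_to_exhaust(space: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case seconds needed to try every password in the space."""
    return space / rate


def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that fits (seconds ... years)."""
    for unit, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.2f} seconds"


def crack_table(lengths=(8, 12, 16)):
    """Rows of (charset, length, bits of entropy, worst-case time) for comparison."""
    rows = []
    for name, size in CHARSETS.items():
        for n in lengths:
            space = keyspace(size, n)
            rows.append((name, n, round(log2(space), 1),
                         human_time(seconds_to_exhaust(space))))
    return rows


if __name__ == "__main__":
    # The post's case: 26**8 is about 209 billion, roughly two seconds at this rate.
    print(keyspace(26, 8), human_time(seconds_to_exhaust(keyspace(26, 8))))
    for row in crack_table():
        print("{:<20} length {:>2}  {:>6} bits  {}".format(*row))
```

Length and alphabet size multiply the search time far more than any clever substitution does, which is why the unique, long password per account matters.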



How your online accounts are interconnected


CONCLUSION

I still am a skeptic. I try to take all news and statistics with a grain of salt. Dig in and see what they are really based on.

Try to build your cybersecurity foundation – most threats aren’t completely new, they are just old tricks that use new tools. Establish strong layers of security, onion-style, and do your best to minimize the impact of a possible attack.

We hope that our cyber security course will guide you through the big dark web.

Comments
Artur Marek Maciąg on April 19, 2016 at 2:14 pm

Thank you Cristina for those thoughts. That is a good analytic view of a major part of the problem.
From my point of view, there is one piece missing. You are right to emphasize the “connected people”, but we need to go one step further to reach the “personal cybersecurity”. In fact there will be no point in distinguishing between physical security and cybersecurity in the near future – they will just be personal safety.
You mentioned the medical appliance issues caused by cyberthreats; with the Internet of Things, all regular, daily-used objects will present some kind of threat to our life or lifestyle. Just like common events: fire, road accidents, food poisoning or diseases.
If you look back at the previous 15 years of our past efforts in user awareness, there is nothing more than password policy and recently the “no click” policy. Nothing more. You may be surprised when you look at the progress in the way of human communication that we are developing within the Internet. And again, from the security side, we just stick to that “password and no-click” policy. Really?
Why are we (as itsec officers/admins/managers) so focused on chasing the technology rabbit – impossible to catch by definition – and missing the point that we are also cyber-users?
How has each of us developed their own security practices to be safe during the cyberspace journey? Why can’t we share our attitude with others? Surely there is more than the “password and no-click” policy.
Going straight to the point: we need to promote personal security – a basic element of the Communication Culture – a new one, adapted to the “connected users” or human connections.

We as the Safety Culture Initiative promote that idea. The basis of our community (not organization) is to give everyone a reason to learn, talk and teach about cybersecurity and safety after all.
Anyone can be part of SCI – just start reading, thinking and talking with your family, friends and peers about the security of connected people.
At the beginning just use the common sense that you developed in real life. That tool is more powerful than you think.
Transform cybersecurity awareness into a personal security posture.
And what is most important, do it by yourself, today!

We are developing various tools to support anyone’s efforts in creating a personal security posture as a part of Safety Culture. All of them are free, publicly accessible and ready to reuse. All for you.
