Date: 2019-06-27
I’m sorry to say this, but you’re probably hackable. At least a little bit.
Maybe you think you’re not. Maybe you’re confident that actually, no, you’re not hackable. You have good passwords. You’re careful not to click on everything in your inbox. Your company has one of those firewall thingies.
But then, one morning as you walk across the parking lot to the office, a glint catches your eye. It’s a USB thumb drive, on the pavement. Scuffed and gritty, it’s lying in the space where the finance VP usually parks. She must have dropped it. Written on the side is “Bonuses.”
Do you have even the slightest inclination to plug that puppy into your computer? Yes?
You’re hackable. Not because you’re a techno-noob, but because you’re human, and now all kinds of hellfire is raining down on your company’s network.
OK. You might have the good sense never to stick an unfamiliar USB stick into your computer. But the number of ways hackers can trick us into doing their deeds is limited only by the number of ways our habits, emotions, laziness, jealousies and other, innumerable pathologies can be played. In the end, everyone is hackable, at some level.
But that’s what IT departments and firewalls are for, right?
Yeah, no. There’s no firewall strong enough to prevent an employee from waltzing into their cubicle with a USB drive labeled “Bonuses.” The IT crew might know better, but Bruce in receivables probably doesn’t.
Sure, a hacker armed with Bruce’s Social Security number might be able to do damage to his personal finances. No offense to Bruce, but his $20,000 credit limit likely isn’t of much interest to cyberthieves. To them, Bruce is more valuable as a potential crack in the corporate wall, a soft spot that can be breached so they can seize, say, a half-million records of customer data that they can hold for ransom.
Within the confines of a corporate network, firewalls and security protocols are essential to deter attacks from the outside. The thing is, we do so much of our work outside the fortified corporate network, at home and in cafes, airports and hotels, that if we’re not careful, we can become an unwitting accomplice — a vector, in cyberspeak — to helping a hacker get around those corporate defenses.
So how does a guy like Bruce, who knows receivables cold but not a lick of IT, fill the cracks and harden his defenses? The key is to motivate Bruce to protect his personal cyber life so that he’ll carry those good habits into the office, says Bob Cook, an instructor of information systems in the College of Business at UCCS.
“Corporations spend so much money on IT, and having the most advanced firewalls and equipment, and lots of certifications and training for IT staff to protect themselves, they aren’t spending any time with the people who are not technical and understanding what data they are bleeding out into the ether without even being aware of it,” said Cook, who also runs a cybersecurity consultancy.
He hopes to help change that through a course he will lead this month, called “Are You Hackable? Cyber Security for non-IT Professionals.” His goal, in two 3½-hour sessions, is to teach the Bruces among us how to raise our personal hackability threshold high enough to put it out of the reach of pretty much everybody this side of the NSA.
The motivation part shouldn’t be too difficult. Cook said he promises plenty of blood-chilling demonstrations of, for example, how easily your movements around the city can be harvested remotely from your cell phone. Or how about this: The Snapchat photo that your kid downloads at home contains malware hidden using a technique called steganography, essentially a malicious program embedded in a kitten picture. “I’ve just infected your home network, and now I can see your corporate packets coming across your home network and intercept that important board presentation or the budget document you’re working on.”
Teach employees to protect themselves, Cook said, and employees will be more likely to protect their company, too.
“Organizations aren’t doing enough to educate the individual on how to protect themselves, not just at the company, but protect themselves personally,” he said. “If you get in the good habit of protecting yourself on an individual basis in your personal life, you’re more likely to follow good cyber-hygienic procedures to protect yourself at the corporate level.”
Mercifully, it’s not hard to make your computer, mobile device and home network a hardened target. Even better, you don’t have to wear a tinfoil hat.
You know about passwords; a password manager is better (and, I can testify from personal experience, actually easier). You’re familiar with those “security questions” about your pet’s name or favorite ice cream; giving false answers to those questions is better. (Why? Because your Facebook profile contains all the correct answers and that’s the first place the hacker looks.) Using a virtual private network, or VPN, while connected to the Starbucks Wi-Fi is an easy way to encrypt your data as it bounces wirelessly around the café. No IT experience needed.
Those kinds of measures, among others, Cook said, will make penetrating your network communications so time-consuming and costly that it won’t be worth the time to any but the most determined and well-resourced hackers.
“It’s, yes, protecting the corporations,” he said, “but doing that by training the individuals for both their home and personal life how to protect themselves, and how they protect themselves at work.”