— used to say that a person who does not know about a problem does not worry about it
In a company, every employee expects the company's IT department to take care of security. It almost never crosses their minds that security is everyone's business and duty. At home as well as at work, people just hope for the best: that they will never get their PCs infected, their online accounts hacked, their online identity misused, or their bank accounts emptied.
Why? Because people think: this can't happen to me.
Lately, people have become the product to be hacked!
Again, why? Because cyber criminals go where the easy money is: to the people.
And even if they don't steal anything from the users and do them no direct harm, they will use their computers or social media accounts to spread malware, to attack or blackmail others, or just to make easy money from the clicks.
Most of the people I talk to ask me at this point: How can people be hacked?
I agree that "hacked" is a misleading word, especially when I talk to knowledgeable people or other security experts.
Cybercriminals use social engineering to manipulate people into doing what they usually would not do.
Here are just a few examples that I see often (again, feel free to use them and extend the list):
- click on links to pictures/movies/articles with almost naked women or some other interesting content on Facebook or other social networks. What happens is called clickjacking: the user must LIKE a certain page in order to see the content.
- users are forced to install "media player codecs" in order to be able to see a cool movie. Needless to say, it usually isn't a codec; it is some kind of malicious software.
- users deactivate the antivirus software because they think it slows down the PC, blocks some cool download, or just feel that everything takes too long. You often hear the argument, "but it was just that one single time". Unfortunately, the software that they downloaded faster and executed was malicious. Even after the antivirus is activated again, it may not detect the malware for some time.
- users install any cool app that is suddenly available for free when it normally costs a few cents. Many times it is made free because it either integrates ads or includes a trojan that does something in the background.
… the list is very long…
All these issues can be fixed by fixing the ignorance problem.
Conclusion
Is the IT security industry trying to fix the wrong problems?
Their focus is, for obvious reasons, on what provides immediate value out of the box: protecting the device.
Should they start to focus on hardening the user?
But then, how do you protect a user from himself?
There have been intense discussions in the past years regarding the "computer driving license". You will find various initiatives if you search for these terms.
But to have such an initiative adopted you need more than just a website and a certification.
One thing we know for sure: security always comes at a price. It is either privacy or, most of the time, usability.
And it seems that nobody is voluntarily willing to pay this price.