Cyber Criminals Exploit Preventable Human Failures
While the technology used to prevent cybercrime has certainly become more sophisticated over the years, Paul Savas has two simple words when it comes to the human side of cybersecurity.
Unfortunately, too many people simply choose not to.
“If it looks like something’s suspect, don’t open it. Don’t click on the links. So many times, these attacks happen to people who are letting their guard down,” said Savas, vice president of Comcast Business’ Western New England Region.
“How many of us get that Amazon text — ‘there’s a question about the order in your account.’ It’s a bogus text, and you should delete it right away,” he continued. “But so many people don’t. They’re curious. ‘There’s a link … I’ll click it.’ But you have to be smarter than that.”
Then there’s the problem of password laziness.
“They keep creating their own passwords. They’ll even keep a file on their desktop that says ‘passwords,’ kind of a spreadsheet. If I’m a hacker, I love that.”
“The biggest problem is common passwords,” said Sean Hogan, president of Hogan Technology in Easthampton. “So many people reuse passwords; they have a password that they’ve used forever, and they’ll do variations of that password. The problem is, once all the bots out there have that password or something close, they will figure out all your passwords within seconds.”
And he’s run into stubbornness when it comes to changing password habits.
“When I go out to see clients, it’s a constant struggle. One of our hardest adaptations is getting them to start going with password management or password vaulting. They keep creating their own passwords. They’ll even keep a file on their desktop that says ‘passwords,’ kind of a spreadsheet. If I’m a hacker, I love that.”
Allen Reed, assistant vice president and Information Security officer at Freedom Credit Union, has run into similar frustrations.
“At the credit union, I’m always hammering employees: ‘don’t click that link, don’t open that attachment, don’t ever click until you have verified. Trust, but verify first.’ Yes, it’s inconvenient to make a phone call to someone: ‘did I receive an email from you?’ But that’s the world we live in.”
When he talks about cybersecurity with Freedom employees, Reed says he tries to “put a little fear in them” with examples of mistakes other businesses have made, and the financial consequences. “It gets them to think a little more clearly.”
But the topic isn’t just an occasional one at the credit union. “We institute cybersecurity-awareness training on day one of their employment. In fact, we’re audited from the federal financial sector every year to make sure every employee has had security-awareness training — at least annually, but most importantly, on day one.”
Even then, Reed regularly uses his metaphorical hammer.
“We all receive email all day, every day. And the staff has to be trained over and over,” he said. “It’s like when we were young children at the stove, and we were told, ‘don’t touch the stove.’ We had to be told a thousand times before it sunk in.”
And hopefully, the message took root before a serious burn. That’s what companies of all sizes and from all sectors are dealing with today: the possibility of being badly burned by a breach.
For this issue’s emphasis on cybersecurity, BusinessWest examines why even the best-equipped networks can be compromised because of simple human error — and what employers are doing to drive that message home.
One problem, Reed said, is that cyberthreats have changed over the years.
“In 2005, you were worried about your average teenager sitting in the bedroom after school thinking about how hack into the CIA mainframe; they did it more for the joy of it, to be proud of it.
“Today, we’re talking about nation-states attacking. We’re talking about a government providing monetary resources, building out multi-story buildings, hiring their own citizens and providing them with pay, to attack other nations. That’s what we’re dealing with today. They attack 24/7/365.”
And their efforts have become savvier, Savas said.
“Don’t underestimate the bad actors, because they are so far ahead when it comes to social engineering and how to employ technology. They do research on social media, and they know things about you, like your dog’s name. That’s a pretty easy password to figure out. So don’t make it easy to guess.”
“You know the environment that the client has is pretty darn secure, but when you’re having people from the outside log in from their own equipment that is not secure, you’re really running the risk of a breach.”
Some companies have unknowingly voided their cybersecurity insurance policies because they lacked a certain level of protection — not just hardware and software, but training and compliance. “Every level of protection has a cost,” Savas added, “and some companies are gambling and not being fully protected.”
Indeed, Hogan said many advances in cybersecurity are being driven by insurance companies, which are not happy about paying out for preventable mistakes.
“They don’t want the exposure,” he went on. “And they’re going make it harder to pay off cybersecurity insurance — because that is paying out constantly. They are losing money on that; they’re realizing they sold a lot of policies where people are not doing what they should be doing. And the hackers have caught up.”
Reed noted that, going forward, most businesses will not be able to get cyber insurance coverage until they move to minimum 15-character passwords. “We moved to that four years ago because I knew it was coming.”
And not just longer passwords — or, preferably, pass phrases that are easy for the user to remember but impossible to guess — but two-factor authentication, like a code sent via text or email to the user’s phone. “You have to do that,” Hogan added. “When we install a new environment for a client, they have to do multi-factor no matter what.”
In addition, “there are paid software programs that manage passwords for you and give you different passwords you can copy and paste into the program you’re trying to log into,” Reed said.
For those who choose their own passwords, replacing letters with symbols in a recognizable word — $ for S, ! for I, etc. — makes the password exponentially safer, Savas said, adding that length is still a better safeguard than complexity.
Hogan encourages password vaulting in password generation. “I never generate my own passwords. The client shouldn’t either. So when I go to create that password, I’m going to generate a password that’s going to be random; it’s going to be extremely complex. It’s not the name of my dog. It’s not the name of my car. It’s got nothing to do with me. And it’s going to be a password just for that one website, for that one portal. And then it gets saved to a secure vault.”
While all these procedures are smart, Hogan went on, they only work as long as a company’s employees follow them.
“Can I ensure that everybody’s doing this? No. Can it be a procedure that you mandate? Yes, you can mandate it. But tracking it is a little different. So we add a couple more things on top of all this. Besides password management, vaulting, and multi-factor authentication, then we do the dark-web monitoring and security-awareness training.”
But a lot of cyber protection still comes down to common sense. That includes what people choose to share online, Reed said.
“If you have your entire dossier of who you are on Facebook, Twitter, Snapchat, whatever, once that dossier is out there, that’s what criminals leverage,” he told BusinessWest. “That’s what’s going to convince your grandmother that you need help, because it really sounds like you.”
Or, convince you that your CEO wants you to click a dangerous email link.
“The hackers look at people that can approve wire transfers, ACH batches, you name it,” Hogan said. “They’re looking at owners, they’re looking at CFOs, they’re looking at controllers. We call that ‘whaling’ or ‘spear phishing,’ where they actually target a certain individual. And they’re very sophisticated. They come up with real information.”
Reed agreed. “If they’re going to impersonate the president or the CEO, the only way they’re able to leverage that person, with that crafty email, is if they spend months on social media learning about that person, gathering information to formulate the email. That’s what gets employees to click — because we all want to do what the CEO wants us to do.”
Much of this behavior, from smart password creation to avoiding phishing attacks, comes down to training, Hogan noted. And sometimes, even that’s not enough.
“We can talk until we’re blue in the face, but that doesn’t mean that somebody working at that company is going to follow those procedures properly,” he said, recalling a recent incident when a remote worker for a client used his own laptop to log into the company portal from a remote site, got a suspicious pop-up, and clicked on it, allowing a cyber attacker to navigate the company’s system.
“That’s a big issue. You know the environment that the client has is pretty darn secure, but when you’re having people from the outside log in from their own equipment that is not secure, you’re really running the risk of a breach.”
And many times, Savas said, companies don’t even know they’ve been breached. “The bad actors go in, look around, see if there’s anything worthwhile, then map out a strategy. And that, to me, is scary.”
On the plus side, he believes the message is getting across, and companies are buttoning up with proper training.
“More education is happening within organizations. Attempts are being made, but it all comes down to that individual user being educated, heeding those warnings, and being smart about the things they can control,” Savas explained.
“Confidentiality of the password, not opening attachments, not clicking those links. Those are the three elements that open up an intrusion,” he added. “A lot of it is preventable. The majority is preventable.”