If you allow me to quote Gabriel García Márquez once again:
"Demons should not be trusted, even when they say the truth."
That passage came to my mind a few days ago when I had the honor to be a speaker at Mundo Hacker Day, a two-day cyber security event in Madrid, Spain, backed by the popular TV program with the same title on Discovery Channel.
AlienVault also exhibited at Mundo Hacker Day.
I approached the event with an open mind but not really sure what to expect from the audience, as it was not the traditional professional cyber security event but one geared towards a wider general public. I had only had the chance to watch the program on TV and had never made it to their live events; however, during my talk, it quickly became apparent from the questions being asked that individuals were concerned about their own online security, whether from a privacy point of view regarding their digital memories, or from a fraud point of view involving their bank accounts or other sensitive data.
Amongst the audience, and in the expo area, the number of schoolteachers, journalists and like-minded professionals willing to help their students or peers step up from a functionally illiterate status shocked me. Well, that sounds like too much when we talk about teenagers, but not so much when we talk about journalists. And the two communities are very sensitive: whatever the kids are doing today is going to stay with them, online, for years to come if not forever.
If we talk to a journalist, whether freelance or part of a larger organization, they are a clear target, with a large list of followers and greater interest from cyber criminals in hacking their web site and posting fake messages pretending to be legitimate.
Collectively we are not doing a great job of educating cyber users about cyber risks. You might argue about the profiles discussed so far, but let me shed some light on this other case. A good friend of mine asked me to urgently visit his office, as a virus had made it onto their computers and they were unable to carry on. It’s a small business, about a dozen servers, food industry, not IT intensive. All of a sudden a variant of CryptoLocker had spread and all their machines’ hard drives were encrypted. You know what comes next …
Like many small IT departments, they were not knowledgeable about cyber security, even though they are university-educated computer science engineers. So many challenges, with the perception that “hackers won’t bother with me, I do not have that much information” … up until you discover you just lost all of your data, and while your bank account has not been compromised, you are not only unable to invoice your customers, but you are simply unable to serve their orders as everything is gone, or actually it is there but you just can’t read it.
As an industry we may use fear as a way to motivate buyers, but the fear and the uncertainty are real, and it is not a question of ‘if’ but ‘when’ you will get hacked. Collectively we need to do a better job at educating kids, journalists, small and medium businesses, and every individual IT user. At the end of the day, we all carry a smartphone with computing and connectivity capacity that was simply not dreamed of 10 years ago on a desktop system.
It turns out I was quoted on national TV discussing the security awareness topic as one of the highlights of the show. So, I would like to capture your feedback: What Security Awareness measures have been successful in your organizations? Which one would you like to field test? Please reach out with your comments.