According to leading cybersecurity experts at F5, the COVID-19 pandemic saw an over 200% rise in the incidence of phishing attacks, as well as a rise in other forms of cybersecurity threats around the world.
The pandemic lockdowns pushed far more of the world’s workers to hybrid or fully online working arrangements, creating more vectors for cybersecurity threats than ever before. Just like any other industry, organized crime has also moved increasingly online. Today, coordinated and complex cybersecurity threats are a fact of life. Millions of people fall victim to hacking and social engineering attacks every year.
Human Nature is the Biggest Threat
Unfortunately, according to cybersecurity and social engineering experts such as the notorious ex-hacker Kevin Mitnick, the biggest threats to any organization or household are a result of normal, healthy human nature. Our propensity to trust each other, and to give the benefit of the doubt, makes us vulnerable to manipulation by organized attacks. Threats such as phishing, which derives its name from the old hacking term “phone fishing,” occur when a person in an organization is convinced to trust an outsider who is posing as a member of that organization, or a related organization, in order to obtain personally identifiable information to help in an attack.
It is difficult, and often counter-productive, to change a person’s basic sense of trust in others. The best defense against these kinds of attacks, therefore, is not simply to distrust others or to become paranoid about the threat of attacks. Rather, the most effective defense is to make oneself a difficult target.
How to Be Anti-Fragile in Cybersecurity
Cybersecurity threats typically seek the easiest means through which to penetrate computer systems and organizations. They focus mostly on the weak points of an organization, often found in systems where human beings can be convinced to make simple mistakes in their security awareness.
For example, email, as an open protocol with many security vulnerabilities, is a favorite channel for hackers because it is routinely used, unwisely, for sending and receiving security-critical information. The best approach to securing your organization or household is not only to be more aware of the threats, but also to stop using systems which are inherently less secure.
Here are some areas of vulnerability that you should consider avoiding:
Email, a ubiquitous standard that has been available for decades, is one of the biggest threats to your cybersecurity. Email addresses and domain names can be easily hijacked, spoofed, or penetrated by hackers, and used against individuals or organizations to further infiltrate computer systems.
This is why organizations increasingly do not rely on email for any secure communications or security procedures. Instead, they use other, more secure internal systems or encrypted messaging platforms.
Solution: 2-FA and Encryption
The simplest solution to the problem of email threats is not to use email for secure communications. Even for family-related messaging and communications, secure messaging platforms with end-to-end encryption are a better option than email. Even sharing things like passwords and login information with family members or friends via email can be a huge threat.
Email is often used as a primary means of authenticating someone’s identity. This is why 2-factor authentication, or 2-FA, is critical to your personal security. Bank credentials, social media, and other financial information should all be protected by multi-factor authentication, meaning that two separate means of communication must be used for each access to the system. While SMS and mobile key authentication are not foolproof, they make the work of hackers many orders of magnitude more difficult, which will discourage the vast majority of simple attacks.
The other important solution is encryption. With the simple PGP (Pretty Good Privacy) protocol, two parties exchange a “public key” which allows them to send messages that can only be opened using a “private key” held by the party who is meant to receive the message. This will deter the vast majority of attacks on your private email communications. Such protocols are easy to integrate with your favorite email client, and can be set up very easily on desktops, tablets and smartphones with just a bit of googling.
Threat: The Phone
Threats typically come in the form of systems we use regularly without thinking about the risks. This is not helped by poor security practices which were common in the past, and which people have become used to. Years ago, it was still typical for a bank employee to call a customer and request information like an ID number, address, age, parental information, or even social security numbers. Today, it’s not a good idea to give out this information to anyone who calls you on the phone, no matter who it is.
Most banks no longer call customers to ask for personal information, for this reason. If a bank or any other company does call you asking for it, it is your right, and a good idea, to refuse to give this information over the phone, on principle. If the information is absolutely required, you can increase your safety by requesting a “callback” number, which is a publicly listed number for the organization, which can then connect you with the person asking for the information.
Often callers from within companies will not want to go through the trouble of giving a callback number, as this is time-consuming. However, for your security, it’s a best practice to always insist on a more secure form of communication. In many cases, providing such callback numbers is a legal requirement of the country or state in which you live.
And of course, it’s smart to never give such information over the phone unless you have made the call yourself, and know the number you’ve reached is genuine. It’s also easy to look up incoming call numbers to verify they originate from the company that they claim to be, but this is not foolproof. Numbers can be spoofed or faked. The best practice is still to use callback numbers or another form of 2-FA, such as SMS together with email.
Poor password discipline is among the most common simple threats to your personal security. Repeated use of the same passwords, or easily guessable passwords, are the most common mistakes people make in their cybersecurity. And who can blame you? Remembering the dozens of passwords for the many services you use on a regular basis is nearly impossible for most people. This is why password sharing and password repetition are easily the most serious threats to most people’s security.
The bad news is that there is just no excuse anymore for using the same password over and over, or having easily guessable passwords. The good news is that having unique and difficult to guess passwords is easier than ever.
Password services such as LastPass, Apple iCloud Keychain, and Bitwarden offer fully integrated services which can live on your computer, web browser, smartphone and tablet, providing you with an automated password generator, password storage platform, and a convenient way to monitor the internet for data breaches involving your existing information.
Services such as LastPass allow you to easily generate and fill unique passwords for every single service you use online, and to fill in these details every time you use a website from your unlocked smartphone. This way, only the password to your password saver must be remembered. Make sure your password for that is hard to guess though! And don’t forget to change it often.