We often ask why cybercriminals keep succeeding despite constant efforts to build better cybersecurity tools. Part of the answer is simple: we all hold behavioural misconceptions about the threats we face in cyberspace. Here are the top five:
Misconception 1: I am too insignificant to be targeted. Many individuals and businesses believe that they are “too small” or have “nothing to steal” to be worth targeting. In the contemporary world there is no such thing as a system that is of no interest to cybercriminals. No matter how little money you have or how small your business is, if you store or handle information, it is highly likely that this information can be monetised, probably in several different ways. Even if the information you hold is of interest only to you or your business, and no other party on the planet would ever want it, it still makes sense for an attacker to steal it, or encrypt it, and sell it back to you for a ransom. Much of the targeting is not even a human decision: automated scanners and credential-stuffing tools sweep the whole internet and do not check the size of the victim first. Therefore, it is important to understand that anybody can become a target. Unless you are prepared to take all of your operations offline and store no data in digital form (which, in the overwhelming majority of cases, is equivalent to business suicide), there is always a non-zero probability of being targeted.
Misconception 2: Technology is the main weapon of cybercriminals. Technology is certainly an important tool for cybercriminals, but if we look at the types of threats and their history, many of those in use today (with several notable exceptions, such as blockchain-related and AI-assisted attacks) already existed in the 1960s, 1970s and 1980s. So what we observe now is, again with some exceptions, rarely a new type of threat; these are essentially old threats “on steroids”. The increased impact of these threats is due less to technological development, although the technological component does play a role, than to the increased use of hybrid scams, in which social engineering and psychological manipulation are the main methods employed by cybercriminals. Industry reports routinely attribute the large majority of successful breaches (figures above 90% are often quoted) to a phishing email as the initial point of entry, which makes it clear why cybercriminals concentrate on psychological tools when planning and carrying out attacks. As the technology on the defensive side becomes more and more sophisticated, humans remain the weakest link.
Misconception 3: It can only happen to me once. In behavioural science this is known as the gambler’s fallacy (Tversky and Kahneman called it a belief in the “law of small numbers”; it should not be confused with the law of large numbers, which is a genuine theorem). What it boils down to is a very simple psychological phenomenon: most people believe that “probability or chance has memory”. Imagine that you are playing a game where each coin toss pays you $1 if you call it correctly and nothing if you are wrong. Let’s say, for the sake of argument, that you prefer betting on heads and you have just played five rounds in which heads came up on every toss, so you have won $5. Now you can place the next bet. Will you bet heads or tails? In this situation many people choose tails. Why? They have just seen heads come up five times out of five, so they feel that heads on the next toss has become less probable. This, of course, is a fallacy. Each toss of a fair coin is independent: the chances of heads or tails are 50–50 and remain so no matter how many times you have tossed the coin before. In cybersecurity this bias is even more prevalent. Once hit by cybercriminals, business owners assume it will not happen to them again. This is especially true of ransomware. There is a widespread view that once the ransom is paid and the data is returned, the adversaries will leave the systems alone and will not target the same business with a similar attack again. This is a mistaken attitude. Adversaries share information and often pass targets and tooling to each other, so becoming a victim of a cyberattack does not mean it will not happen to your business again. In fact, it probably makes you a more likely target in the future: a business that has paid once has shown that it will pay, and if the weakness that let the attackers in was never fixed, you may well be hit again with very similar tools in a very similar way.
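The coin-toss illustration above can be checked rather than taken on faith. The following short simulation is an added example written for this edited version of the post, not code from the original author. It tosses a fair coin many times with a fixed random seed, measures how often heads comes up immediately after a run of at least five heads, and compares two betting rules: always calling heads, and switching to tails after five heads in a row. The numbers of tosses and the seed are arbitrary choices for the demonstration.

```python
import random


def heads_after_run(n_tosses: int, run_length: int = 5, seed: int = 2020) -> tuple[float, int]:
    """Simulate n_tosses fair coin tosses (True = heads) with a seeded RNG.

    Returns (fraction of heads observed on the toss right after a run of at
    least `run_length` consecutive heads, number of such situations seen).
    If chance had memory, that fraction would drift below 0.5. It does not.
    """
    rng = random.Random(seed)
    tosses = [rng.random() < 0.5 for _ in range(n_tosses)]
    streak = 0        # consecutive heads seen before the current toss
    after_run = 0     # tosses made while already >= run_length heads in
    heads_after = 0   # how many of those tosses were heads anyway
    for heads in tosses:
        if streak >= run_length:
            after_run += 1
            if heads:
                heads_after += 1
        streak = streak + 1 if heads else 0
    return heads_after / after_run, after_run


def winnings_per_toss(n_tosses: int, strategy: str, seed: int = 2020) -> float:
    """Average winnings per toss ($1 for a correct call, $0 otherwise).

    'stick'  always calls heads.
    'switch' calls tails after five heads in a row, otherwise heads.
    Both settle at about $0.50 per toss: switching buys nothing, because
    the coin does not remember the previous five rounds.
    """
    if strategy not in ("stick", "switch"):
        raise ValueError(f"unknown strategy: {strategy}")
    rng = random.Random(seed)
    streak, won = 0, 0
    for _ in range(n_tosses):
        heads = rng.random() < 0.5
        call_heads = not (strategy == "switch" and streak >= 5)
        if call_heads == heads:
            won += 1
        streak = streak + 1 if heads else 0
    return won / n_tosses


if __name__ == "__main__":
    rate, seen = heads_after_run(200_000)
    print(f"heads right after >=5 heads: {rate:.3f} (over {seen} occurrences)")
    for s in ("stick", "switch"):
        print(f"{s:6s}: ${winnings_per_toss(200_000, s):.3f} per toss")
```

With 200,000 tosses there are roughly 6,000 occasions on which the previous five tosses were all heads, and the next toss is heads in very close to half of them; the “switch to tails” player ends up no richer than the player who never changes their call. The same reasoning transfers directly to incidents: an attack that has already happened does not use up your share of bad luck.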
Misconception 4: I have the best technology on the market to protect me. Many business owners I have encountered while doing research in cybersecurity told me that they outsource security to a contractor who takes care of their systems, or that they expect that contractor, along with Microsoft, Apple, IBM, Google or another large technology provider, to take responsibility in case of a breach. There are several important caveats here. First, the terms of these providers generally leave the security of your own accounts, configuration and data with you: a provider secures its platform, not how you use it. Second, any technological solution (“zero trust” is an architecture, not a product, and it is no exception), like any sophisticated lock, can be broken. We often talk about using sophisticated technology such as AI for detecting threats and keeping adversaries out of systems, but we forget that adversaries also use technology and have exactly the same (if not better) tools available to them. Under these circumstances it matters little how amazing your technological solutions are or how many hundreds, thousands or millions of dollars you spend on the next technological wonder or the next technological wizard hired to fix things for you. What matters is how likely your staff are to do what they are NOT supposed to do, or to fail to do what they ARE supposed to do.
Misconception 5: I am very careful, so I cannot be tricked. One of the most popular misconceptions is that being careful or cautious makes you safe. Caution does reduce your exposure to opportunistic attacks, but it does not make you immune: even if you are very careful and surrounded by the best cybersecurity minds in the country, there is still a very good chance that a sufficiently capable and determined adversary will succeed in compromising your data or systems. Careful people are phished too, usually by a message that is well-timed, plausible and about exactly what they were expecting to hear.
Takeaways
It is clear that there is much about cyber risk that we do not understand and tend to underestimate, and that the weakest point is often not the technology but the assumptions of the people operating it. Only time will tell whether we will eventually learn to overcome our misconceptions about cybersecurity.
#cybersecurity #psychology #humanfactor #infrastructure #cyberrisks #cyberthreats #cyberattack #risk #infosec #security #vulnerability #informationsecurity
This post was originally written by Ganna Pogrebna for the CyberBits blog in 2020