It’s October, and that means it’s Cybersecurity Awareness Month (CSAM).
In the USA, it’s not merely CSAM, it’s officially National Cybersecurity Awareness Month, an awareness project aimed at ensuring that everyone has “the resources they need to stay safer and more secure online.”
In 2016, as in previous years, the overall message of NCSAM is a simple one to remember:
STOP. THINK. CONNECT.
That’s actually excellent advice for any online activity, whether that’s uploading snapshots, signing up for a new service, clicking through to a website, or downloading the latest app.
Many cybercrooks have learned to squeeze just hard enough to get us to take needless risks online, without pressing so hard that we get suspicious and turn away.
For example, ransomware often arrives in emails that claim to be invoices or requests for quotation, giving you just enough reason to open the attached document, because it’s similar to the sort of material you receive regularly at work, but not enough to realise that it doesn’t quite add up.
Or the crooks send you booby-trapped content that pretends to cover a topic that you are interested in, such as a research paper or a news report. (Your personal interests can probably be found on Facebook; your work interests on LinkedIn.)
Likewise, a recent strain of Mac malware called Eleanor, which tried to hook your webcam up to the Dark Web, posed as a free document conversion utility.
Instead of using fear, or high-pressure techniques, the crooks relied on offering a handy utility that claimed to solve a common hassle for Mac users, knowing that anyone who tried it and deleted it later, without any obviously bad side-effects…
…would nevertheless be stuck with the malware it delivered, which left behind handy intrusion and hacking tools that the crooks could come back to later.
Sometimes, just a few minutes, or even a few seconds, spent asking yourself, “Is this really a good idea?” is enough throw a spanner in the infection process.
In real life, it’s perfectly common to look before you leap, because leaping involves real physics, and real forces such as gravity.
Online, it’s easy to get into the habit of relying on some equivalent of [Undo] to try to “unleap” later on if things go wrong.
But “unleaping” is usually too late to unleak data, to unreveal your password, to unsend zombie spam, to uninfect visitors attacked by your hacked website, and so on.
If you’re really unsure about attachments, emails, phone calls or other requests to get to take some kind of online action, ask someone around you for advice – but make it a genuine, real-world friend: someone you already know, and like, and trust. Don’t contact the person who sent you the email to ask them to vouch for themselves; don’t rely on calling back the phone number they gave you; and don’t use web links that they provided, either.
Of course, STOP | THINK | CONNECT. doesn’t apply only to those of us who consume online services.
It applies just as strongly to organisations that provide online services and hope that we’ll connect to them.
Let’s make sure that 2020 isn’t the year that is remembered as the Year We Found Out About The Breaches of 2016 by acting now to deal with all those security improvements we haven’t quite got around to yet.
If we are more diligent about STOP | THINK | CONNECT before we put precious data where crooks can get at it, we’ll help everyone, including ourselves, to stay safe online.