The theft of 80 million customer records from health insurance company Anthem earlier this month would be more shocking if it were not part of a larger trend. In 2013, the Department of Defense and some US states were receiving 10–20 million cyberattacks per day. By 2014, there was a 27% increase in successful attacks, culminating with the infamous hack of Sony Pictures.
Much of the media focus is on the losses rather than the process by which such breaches take place. Consequently, instead of talking about how we could stop the next attack, people and policymakers are discussing punitive actions. But not enough attention is given to the actions of individual end users in these cyber attacks.
We are the unintentional insiders
Many of these hacking attacks employ simple phishing schemes, such as an e-card on Valentine’s Day or a notice from the IRS about your tax refund. They look innocuous but when clicked, they open virtual back doors into our organizations.
It is you and I who click on these links and become the “unintentional insiders” giving the hackers access and helping spread the infection. Such attacks are hard to detect using existing anti-virus programs that, like vaccines, are good at protecting systems from known external threats — not threats from within.
Clearly, this virtual battle cannot be won using software alone. In the same way personal hygiene stymies the spread of infectious disease, fixing this cyber quandary will require all of us to develop better cyberhygiene. We need to begin by considering the cyberbehaviors that lead to breaches.
My research on phishing points to three. Firstly, most of us pay limited attention to email content, focusing instead on quick clues that help expedite judgment. A picture of an inexpensive heart-shaped valentine gift gets attention, oftentimes at the cost of looking at the sender’s email address.
This is coupled by our ritualized media habits that our always-on and accessible smartphones and tablets enable. Many of us check emails throughout the day whenever an opportunity or notification arises, even when we know it is dangerous to do so, such as while driving. Such habitual usage significantly increases the likelihood of someone opening an email as matter of routine.
And finally, many of us just aren’t knowledgeable about online risks. We tend to hold what I call “cyber risk beliefs” about the security of an operating system, the safety of a program, or the vulnerability of an online action, most of which are flawed.
Cleaning up our cyberhygiene act
Developing cyberhygiene requires all of us — netizens, educators, local government, and federal policymakers — to actively engage in creating it.
To begin, we must focus on educating everyone about the risks of online actions. Most children don’t learn about cybersafety until they reach high school; many until college. More troublingly, some learn through risky trials or the reports of someone else’s errors.
In an age where online data remain on servers perpetually, the consequences of a privacy breach could haunt a victim forever. Expanding federal programs such as the National Initiative for Cybersecurity Education, which presently aims to inspire students to pursue cybersecurity careers, could help achieve universal cybersecurity education.
Second, we must train people to become better at detecting online fraud. At the very least, all of us must be made aware of online security protocols, safe browsing practices, secure password creation and storage, and on procedures for sequestering or reporting suspicious activity. Flawed cyber-risk beliefs must be replaced with objective knowledge through training.
Although some training programs address these issues, most target businesses that can pay for training. Left out are households and other vulnerable groups, which, given the recent “bring your own device to work” (BYOD) trend, increases the chances that a compromised personal device brings a virus into the workplace. Initiatives such as the Federal Cybersecurity Training Events that presently offer free workshops to IT professionals are steps in this direction, but the emphasis must move beyond training specialists to training the average netizen.
Finally, we must centralize the reporting of cyber breaches. The President’s proposed Personal Data Notification and Protection Act would make it mandatory for companies to report data breaches within 30 days. But it still doesn’t address who within the vast network of enforcement agencies is responsible for resolution. Having a single clearing house that centralizes and tracks breaches, just like the Centers for Disease Control and Prevention tracks disease outbreaks across the nation, would make remediation and resource allocation easier.
Across the Atlantic, the City of London Police created a system called Action Fraud, which serves as a single site for reporting all types of cyberattacks, along with a specialized team called FALCON to quickly respond to and even address impending cyberattacks. Our city and state police forces could do likewise by channeling some resource away from fighting offline crime. After all, real world crime is at a historically low rate while cybercrimes have grown exponentially.
(A version of this post appeared in The Conversation on Feb 26, 2015)