The timing of Cybersecurity Awareness Month always seems a bit on the nose. As the days get darker and cooler and we prepare for Halloween here in the U.S., we also pause to take a moment to shine the proverbial flashlight on the safety and security of our digital lives. But this doesn’t have to be a spooky, #FUD conversation.
According to the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA), this year’s “See Yourself in Cyber” theme “demonstrates that while cybersecurity may seem like a complex subject, ultimately, it’s really all about people.” It’s about you, me, and everyone else working together to protect against threats, especially those aimed at our personally identifiable information (PII) data.
Our digital selves have been evolving and expanding over time, and there’s simply a lot of information about us out there, making our data a highly desired target. Most folks think of a cybersecurity threat in the form of a phishing scam or an enterprise-level breach. However, the attack surface — the many places where we consume and share data — is broader, the tactics are more insidious, and the damage is huge. Earlier this year, the Federal Trade Commission showed that U.S. consumers reported losing more than $5.8 billion to fraud in 2021, an increase of more than 70% over the previous year. Globally, the trend is exponential. Cybercrime cost €5.5 trillion last year, according to the World Economic Forum, clocking an increase of 125%. I appreciate this year’s cybersecurity theme because instead of becoming paralyzed by this grim picture or anxious about what could happen next, we can find agency by looking at our own cyberselves.
Let’s take social engineering, for instance, the method that has led to some of the most recent attacks. Quoted in a USA Today article, a VPN expert said “that 84% of Americans have experienced a form of social engineering, where fraudsters attempt to fool you into divulging confidential or personal information” for criminal financial gain. I’m sure we all know someone who has been tricked into clicking on links that download virus-laden files. Even the savviest tech wizard is human; social engineering is rooted in psychological and behavioral manipulation, and it’s not being overlooked. Worldwide, INTERPOL located, identified, and arrested thousands of people and seized millions of dollars this year in its crackdown operation against social engineering, codenamed First Light 2022.
Look at social categories – virtual and physical – and you’ll see the lines have blurred and, correspondingly, so has our behavior. At work, we juggle apps, emails, and instant-messenger platforms. I doubt any of us applies the same diligence to a quick Slack message written on a smartphone while walking the dog as we do when drafting an email at a desktop computer in the office during regular business hours. The UI differs, the ability to focus varies, and even the mood changes.
Now, how about our behavior during a formal employee performance review versus the anticipated happy hour after a long day’s work? You may be hanging out with people in the same business, but your disposition is different, which could lead to over-sharing.
In our personal lives, we bounce between our favorite online games and social media channels. How would you safeguard your loved ones who may be what Jen Easterly, director of CISA, calls the “target-rich, resource-poor entities,” without “large security teams”? Our digital lives include those of our children, who use communication apps as their primary way to talk to others, and our elderly parents, who are repeatedly targeted. Regarding our kids, I recently learned there are a staggering 1.5 million apps in the Apple App Store and double that in the Google Play Store; by the time a child reaches 13 years old (the age at which COPPA data privacy requirements expire), marketing firms will have collected an average of 72 million data points about them, according to research by SuperAwesome.
7 Ways to Protect Your Cyber Self
As we go about our digital lives, let’s ask these questions in regard to social engineering:
- What is my digital selfie? Consider the apps you download, the places you venture while web browsing, and all the ways by which you travel along the digital landscape. Dig into the Settings function on every device to control permissions to your data, and update your software.
- What if I take no action? What damage gets done if I don’t click or share now? As we’re busily going about our lives, sometimes all it takes is for us to hit the pause button, stop multitasking, and focus before taking any action. Also, think about the time the message was sent. If you receive a direct message on your favorite social media platform from a friend you know to be busy attending their favorite sports event or music concert, they’re unlikely to be hitting you up for money now.
- Who is the other person (or persons) and what is their need to know? You may trust your coworker sitting next to you, but even close friends don’t need your confidential data. In email, check the domain name (the text following the @ symbol in an email address) and spot typos, which could be flagrant or casual. While it may be tempting to share sensitive information with someone you know, never disclose information to unauthorized people.
- Why is my pulse racing? The call to action (CTA) you receive could be an illegitimate, emotional plea. Romance scams, fake kidnappings, and get-rich-quick schemes may use flattery or perhaps reference your loved ones by name.
- What is this gobbledygook? You don’t have to tread through long, boring legalese to find out what data is being solicited, by and for whom, and for how long. You’re no fool. A trustworthy CTA to collect, handle, and/or process your sensitive data in any way will include consent-to-share information that’s naturally woven into your user experience and easy to read.
- Didn’t I learn about social engineering and other attack tactics in my security training at work? Most companies require their employees to complete a training module with an above-average passing grade at least once a year. You should be able to access the materials (some of which have really engaging, relatable content) months after you’ve checked the training off your to-do list. Don’t be afraid to earn that gold star for double-checking your security consciousness at work.
- What can I do as a techie? If you work in the technology industry, Geoffrey Fowler of The Washington Post writes, “(your) solutions will always have to keep pace with the new ways our data is being harvested and sold. But just imagine it: We could use technology to protect our privacy, not just invade it.” Privacy is a huge battleground for digital identity, biometrics in particular. Which side are you on?
Maintaining this level of alertness to cyber threats doesn’t need to take anything away from what our cyber lives provide us. We can celebrate technology while protecting it; the two can coexist. After all, technology enables us to quickly and easily organize our lives, make connections, and create “beautiful, seamless, and delightful experiences,” in the words of Airside CEO Amena Ali.
As we close out this month, let’s continue to bring real people together to talk about real cybersecurity, especially long after the ghosts and ghouls get packed away back in the basement. Like mastering defensive driving skills that you’ll use whenever you’re on the road, we can all learn how to notice bad actors and navigate the course of our digital journeys every day, not just in October.
* CISA and NCA offer more basic cyber hygiene practices.