Cybersecurity Culture: Eliminating the Weak Spot
If you found an innocuous-looking USB flash drive lying around in some public area, would you pick it up? Would you plug it in?
An experiment performed by the Computing Technology Industry Association (CompTIA) found that 1 in 5 people would plug that sucker right into their laptop. People may act out of curiosity, or even in a benevolent attempt to return the USB stick to its owner, but in the real world, actions like these often precede major security breaches.
It’s time to reconsider the role you play in your own cyber safety. Here’s the scoop: in many cases, attackers rely on the user (that’s you) to initiate or spread an attack. An attacker can only send an email, offer a malicious link, or leave a USB drive at a train station. Then, it becomes the fault of the user for opening, downloading, or plugging in. The most commonly exploited vector to compromise a system usually passes right through a human being.
Instead of representing a major vulnerability, the actions of the user could represent another layer of security. Cybersecurity training should be an active and ongoing part of any security policy. Furthermore, cybersecurity should be represented within a business culture. This sort of security cannot be bought, it can’t be implemented simply, and its implementation cannot be reliably measured. It relies on the instinct and actions of the user alone. Only when cybersecurity becomes part of daily business operations will the user base represent a security control that must be defeated by an adversary, rather than a vulnerability to be exploited.