iT1 Resources

Why the Biggest Cybersecurity Threat of 2022 Might Surprise You

Whether you are a CIO, CISO (Chief Information Security Officer), CRO (Chief Risk Officer), CCO (Chief Compliance Officer) or other IT leader responsible for information security, you are well aware of your organization’s greatest cybersecurity threat. The problem is that the threat itself is not aware of it: the threat is your own staff members.

The first response of any employee learning this truth might be for them to recoil or defensively think “I am not a threat.” If you have a username and password for any computer system, you are security threat number one. But it’s not your fault. You are the number one threat primarily because you are the number one target for hackers. Every time you look at your phone, tablet, or computer screen 99 hackers are looking back at you just waiting for you to be distracted, click a link, download an infected file, or any of the 99 ways the hacker wins.

Hackers Trust You to Trust Them

Those who thrive in the hacking culture understand that you generally trust other people including their email, USB and IoT devices, random texts that appear on your phone, links shared on social media, and that app you think you heard about from a random friend. Hackers are people so you trust them until you learn not to trust them. Unfortunately, the price for your education can be the downfall of an entire organization, the loss of billions of dollars, or your personal bank account being drained, leaving you no money for rent, groceries, car payments, etc. That is a high price for all of us to pay because you trusted a hacker.

It is human nature to trust other humans. Many of us learn to trust strangers through a multitude of business and personal interactions, which is unlikely to change. However, hackers have patterns, and to protect yourself, your family, your coworkers, and your organization you can learn to identify the patterns before your bank account is drained. Doing so requires attention and effort on your part, a requirement that hackers understand. After all, attention is not free; that’s why parents and teachers say “pay attention.”

Being too busy to pay attention means that it is easier to just trust that email, connect to a random public WiFi signal, or just open that random text from a number you do not recognize. Hackers are counting on you not taking the time to learn their patterns. That is why they are thriving today. Hackers take the time to learn about your patterns, your habits, and your trust levels. However, their education requires your cooperation.

You cooperate with hackers every time you use the same username and password for more than one system, every time you click the link in some random social media post or email promising to extend your warranty, pay you to take a survey, or verify your delivery information to avoid shipping delays. You also cooperate with hackers every time you click on a random text message, plug in an external USB, IoT, or other device, use the default settings on your home WiFi, or check your personal email from a work computer.

Unfortunately, nearly every person reading these words does or has done one or more of the things listed above. To understand the potential threat scale you represent, apply the “Lewis Cube,” something my teams named for me some time ago as a way to demonstrate the real and potential threats to you and your organization. Applying the cube is simple. Multiply the number of your link-clicking, text-clicking, personal email, WiFi, IoT, and similar habits by the number of people in your organization, then cube that number (X to the third power). With X to the third you can begin to see why you are security threat number one. The resulting number represents the number of threat vectors created by people with usernames and passwords in any organization.

For example, a 100-person organization with only five bad habits per person would equal 100 x 5 (the cooperating events above), cubed: 500 to the third power, which equals 125 million threat vectors for hackers to exploit, in an organization of just 100 people. Now you can see why your CISO, GRC Officer, and the rest of the security team seem so edgy. Yes, that number seems unimaginable. After all, you are just skipping one security rule, opening one weird email, replying to one random text, and as far as that WiFi thing goes, who wants to use your home WiFi anyhow, right? That is exactly what the hackers know about you. You will skip one rule, open one text, or ignore one best practice until your bank account is empty. Remember, 99 hackers are looking back at you every time you look at a screen. One of them will see you skip that rule, then they are in, and that is all they need.

Some readers look at the Cube number of 125 million threat vectors for a 100-person organization and think that number is too high, there is no way the threat count could be 125 million. My only question to those readers is, how many hackers are trying to steal your data right now? While I have said 99 of them are looking back at you every time you look at a screen, the only legitimate answer is you do not know, and the hackers know that about you too.

Other readers, those in the security community for more than a few weeks, see the number 125 million and think that number is too low. Many people in the security community would say the number is closer to infinity because new hackers are born into cyberspace every minute of every day. The reality is that no one knows for sure, and that is the point. You are the first and best line of defense against every new threat born into cyberspace in the last 10 seconds. You have the knowledge, skill, and power to stop them all, as long as you have the will to pay attention and resist the temptation to just click here.

As I crafted this post, I received 87 random emails to my work and personal email accounts, including three random invitations on a professional networking site and two random texts with a “click here to open” message. These are the potential threats that made it through very good IT services deployed to detect and prevent malware, spam, viruses, and other threats from reaching my screen. If 87 of these potential threats made it through the gauntlet of protection software and services currently deployed to protect me, an IT professional, just imagine how many potential threats were targeted at me. The same is true for every person reading these words.

So how does a person with a username and password move from security threat number one to some lower threat level? The three-step answer seems too simple, but it is highly effective. To move out of the number one security threat position, you need to Learn, Do, Speak. First learn hacker patterns and habits through qualified training or your IT services partner so that you recognize potential threats. Developing those skills requires more attention than effort. Once trained you will know what to do, which is the next step.

While paying enough attention to learn how to spot the patterns of hackers is a great start, applying what you learn, or the actual doing is key to protecting yourself and your organization. Doing means pausing long enough to evaluate an email, a text, or a professional invitation to join some random group. Finally, you have to speak, as in speak up when you think something is a potential threat. Hackers count on your silence. They know that you do not want to admit you were fooled by their email, text, etc. and are likely to sit quietly in the corner while they use your username and password to steal from your organization. The only way to stop hackers is to speak up. Every IT, Security, and Risk leader reading this is nodding their head yes. IT alone cannot protect you. You are responsible for helping IT to protect you and everyone else in your organization.

As the number one security threat once again in 2022, you can also become part of the number one alerting and defense system. There are millions of hacker threats directed against you and your organization and while losing your paycheck to a hacker might hurt, imagine the pain if your actions caused everyone in your organization to lose their paychecks. Your actions to learn, do, and speak reduce the odds that any potential hacker threat causes damage to you or your organization to nearly zero.

That’s right, you can become part of the solution to stop hackers now. Knowledge and action are amazing defenses against hackers. Protect yourself, your family, your organization, and the rest of us by learning, doing, and speaking.

Your organization could be vulnerable to multiple cybersecurity risks. To learn more about how to protect your organization, let iT1 perform a Cybersecurity Risk Assessment.


Dr. Mike Lewis serves as Chief Information Officer, EVP of Informatics, Security & Technology for Trillium Health Resources, a managed-care organization serving more than 350,000 members in North Carolina. He earned his Doctor of Management degree from George Fox University and is a former MBA adjunct professor at Maryhurst University. Mike has worked in the IT field for more than 25 years with stints at IBM, Merisel, and Dell.

