2022-04-26 06:27 Press release

When people do things they shouldn't - and how to stop them

Marcus Nohlberg, information security researcher with a doctoral dissertation in Social Engineering.

Can we stop people from doing bad things?

Why do bad things happen to good people? Why are companies and organizations exposed to digital attacks, and can a potential security disaster be prevented? During a "safety lunch" Marcus Nohlberg - Docent and information security researcher with a doctoral dissertation in Social Engineering - gave an interesting lecture on the subject of IT security.

The numbers speak for themselves

In 2017, Swedish socially critical businesses were exposed to 120,000 hostile digital attacks. That’s 10,000 attacks a month! Today, there are certainly more attacks, but the threat is by no means new. It is estimated that as many as 91% of all digital attacks that threaten our online security slip through the safety net due to human error. Of all the incidents, only a little above 200,000 are reported to the police, which indicates that large numbers are left in the dark and never reported.

 

But why is it like this, why are companies and organizations exposed to attacks, and can a potential security disaster be prevented?

How do you get people to do things they shouldn't - and how do you stop them?

Marcus Nohlberg is a Docent and information security researcher with a doctoral dissertation in Social Engineering, based at the University of Skövde. He says that "People hate security (but want to be safe)". We live under the false notion that the villains are either intelligence agents like James Bond, or part of sophisticated gangs like the ones we see in movies like Ocean’s Eleven, or possibly a super hacker in the form of a rebellious, genius child placed in a dark basement with a flickering computer screen as the only light source.

 

What these intelligence agents, gangs and super hackers want – or what we think they want – is to hack NASA and other super important organizations to get hold of top-secret documents. We also believe that they only attack high-ranking people of great importance, or people who are extremely rich.


James Bond, Ocean's Eleven and Super hackers

While these villainous personalities are out there for sure, they are not common, and our imaginations could not be further from the truth. In reality, ordinary people are like "herrings", and our attackers are looking for patterns in a school of herring. These digital attackers can be likened to "seals", who want to eat us ordinary herrings, and they attack when something stands out. A herring that stands out from the crowd is slightly "worse" than average at defending itself and therefore becomes weak.

 

Each herring that is attacked generates a few dollars, in other words, no huge amounts. But if there are enough herrings that become weak and stand out from the pattern, then "every little helps" so to speak. Therefore, it's about being good enough to withstand the seals - not good enough to fight James Bond, the gangs or the super hackers.

 

Girl in the foreground, Marcus Nohlberg in the background

4 P technology for "herrings"

How do we do that, and is it even possible for an ordinary "herring"? Being good at your job, even if you work with computers, does not automatically mean that you are good at security, says Nohlberg. Security is not an analogue scale - you can’t be a little or very safe - either you are safe, or not. Marcus Nohlberg believes that it is important to keep your devices updated, and to do so immediately when the update comes out - do not wait! You should also make sure that it is easy for people, for example employees, to do the right thing when it comes to IT security.

 

Nohlberg also shares his slightly revolutionary thoughts on password management, where the old advice on mixing uppercase and lowercase letters, special characters and numbers, etc. is long outdated. Instead, think of a password sentence that follows the "4 P technology":

 

 

  • PRACTICAL - easy to write - long but not complicated, no special characters.
  • PERSONAL - no quote from a movie, no song lyrics etc.
  • PRIVATE - something that is related only to you, not generally known.
  • PROVOCATIVE - something sexy, pornographic or filthy that you absolutely do not want to say out loud!

 


No Post-it notes!

We are constantly fighting to resist digital attacks today. This feels slightly silly to say, but we also fight to be a little better than everyone else, so that we are not the highest priority on the villain's attack list. Harsh, but true. Last but not least, when you have done everything you can to prevent an attack, do not save your password on a post-it note under your keyboard, of course!

 

 


 

 

Visit Marcus Nohlberg at sexymarcus.com

 

 


About Farsight Tech Nordic

Farsight is a Swedish IT development partner that makes people and organizations grow! We are your ”go-to-guys” regarding all your IT systems, technology and IT-security subject matters. At the same time, we are local community builders and ensure a sound labour market and good ethics. Our business is all about finding clever solutions for secure access, management and communication of business-critical information.


Contacts

Carina Sjövill
Head of Marketing & Communications