Channel your best Alex Trebek voice: According to TechTimes, 70 percent of employees report not truly understanding this topic, which deals with — among other things — reasons to not put your password on a sticky note.
What is … cybersecurity?
Unfortunately, the above statistic is not hard to believe, and it matters: in the U.S., 81 percent of adults have a smartphone, and that same share is online in some capacity every single day. Most of us carry a computer in our pocket at all times, regularly bleating out the siren call of a new Facebook notification or breaking news story.
The truly disturbing figure is the 70 percent who do not have a grasp on cybersecurity. That is 70 percent of employees presenting significant risk to their organizations, usually with no malicious intent. It is a gaping knowledge gap that cybercriminals are exploiting right now, yet as a society we are woefully behind on education.
It isn’t for lack of trying, though.
Playing the Google search predictive-typing game reveals common cybersecurity training queries for everyone from high school students to veterans to lawyers. That’s a real potpourri of roles, but the diversity indicates that security awareness, education and skills are not limited to the domain of so-called experts. Security is a team sport.
Security Knowledge Is in Jeopardy
If you couldn’t guess from the first sentence of this blog, a great example of this knowledge gap was recently revealed on Jeopardy. If you’re keeping up with the Jeopardy “Greatest of All-Time” competition, you’re aware of the infamous brick wall that was the “Cybersecurity” category. James Holzhauer, Ken Jennings and Brad Rutter — three geniuses in their own right — didn’t just respond incorrectly to the two missed prompts, they didn’t respond at all. None of them was even able to hazard a guess at the $600 question:
“Companies consider cybersecurity when instructing employees with a policy on BYOD, short for this.”
Or the $1,000 question:
“Beware of these types of programs that track every stroke you make while typing in an effort to glean your password.”
Do you know?
As a reader of SecurityIntelligence, you most likely do, but if not, they are bring-your-own-device and keylogging, respectively.
5 Cybersecurity Terms to Become Familiar With
Those are not particularly advanced topics either. In particular, anyone who uses a personal device in the office is aware of BYOD. Let’s consider that point No. 1 on a list of cybersecurity terms everyone should know.
1. Bring-Your-Own-Device (BYOD)
BYOD is a policy in which employees can use their personal devices to do work either in the office or remotely. This is a great way to boost productivity since using your own device is a lot more intuitive than learning a new one provided by corporate.
But there is a potential dark side to BYOD. Non-work apps a user chooses to install on the device can bring malware along with them, and because the device is personal, it is often assumed that the organization can do little to prevent this.
That assumption is wrong. Unified endpoint management (UEM) and mobile threat defense (MTD) platforms exist to do exactly that: they let administrators check the state of a device and block corporate access for employees who choose to peruse risky apps and websites.
2. Single Sign-On (SSO)
Have you ever logged in to several different applications over the course of a week and been greeted by the same login page each time? That is a single sign-on (SSO) landing page.
The idea of single sign-on is that you authenticate once, with a central identity provider, and every application connected to it trusts that one session; you are not prompted again as you move between them. This saves you from having to remember dozens of passwords and type them into each new site or app you access. The trade-off is that a single credential now unlocks everything, which is why SSO should be paired with multifactor authentication (see below).
The goal is to keep employees from covering their desks in sticky notes and proudly displaying easily stolen credentials to anyone who happens to walk by.
3. Phishing
For those not in the know, phishing is not a typo. In fact, there is a good chance “phishing” is discussed more often than “fishing” these days, since TechRadar reported that 1 trillion phishing emails are sent every year.
What is phishing? Phishing is the act of sending fraudulent emails that purport to come from a reputable source in an effort to dupe individuals into revealing passwords or other sensitive information. Twelve percent of employees open phishing emails, but opening the message is rarely the problem; the true risk is whether they click the link therein. Only 4 percent of employees end up clicking the link.
Overall, this is good news. However, there are 3.489 billion people in the worldwide labor force and 1 trillion phishing emails per year. That means that in a worst-case scenario where everyone in the labor force receives at least one phishing email per year, 139,560,000 people are clicking a phishing link. That is not insignificant.
Organizations and individuals can look to MTD tools such as Wandera to block known-malicious landing pages on the off chance someone does click a phishing link.
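Two of the tells that separate a phishing link from a legitimate one are mechanical enough to check automatically: the link text names one domain while the underlying href points at another, and the sender's domain only looks like the brand it claims to be. The following is an added example, not code from the original post or from any vendor mentioned in it; the email, the sender address and the trusted-domain list are constructed for illustration, and the "last two labels" domain rule is a deliberate simplification.

```python
"""Flag two classic phishing-link tells in an HTML email: display text that
names one domain while the href points at another, and a sender domain that
collapses to a trusted brand once digit-for-letter swaps are undone."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (assumption: not a real email or brand).
SAMPLE_FROM = "security@examp1ebank.com"
SAMPLE_HTML = """
<p>Your account is locked. Please verify at
<a href="http://examplebank.com.verify-login.net/reset">https://www.examplebank.com/reset</a>
or contact <a href="https://www.examplebank.com/help">our help desk</a>.</p>
"""
TRUSTED_DOMAINS = {"examplebank.com"}   # the domains the brand really uses (assumption)

URL_RE = re.compile(r"https?://[^\s<>\"']+")
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def registered_domain(host):
    """Crude eTLD+1: keep the last two labels. Enough for .com-style hosts."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every anchor in the message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html):
    """Return hrefs whose target domain is not the domain the reader is shown.

    A link whose text is itself a URL must point at the same registered domain;
    a plain-text link ("our help desk") must point at a trusted domain."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        target = registered_domain(urlparse(href).hostname or "")
        shown = URL_RE.search(text)
        if shown:
            if registered_domain(urlparse(shown.group(0)).hostname or "") != target:
                flagged.append(href)
        elif target not in TRUSTED_DOMAINS:
            flagged.append(href)
    return flagged


def lookalike_sender(address):
    """True when the sender domain is not trusted but becomes a trusted domain
    after undoing digit-for-letter substitutions (examp1ebank -> examplebank)."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in TRUSTED_DOMAINS:
        return False
    folded = domain.translate(HOMOGLYPHS).replace("rn", "m")
    return folded in TRUSTED_DOMAINS


if __name__ == "__main__":
    print("mismatched links:", suspicious_links(SAMPLE_HTML))
    print("lookalike sender:", lookalike_sender(SAMPLE_FROM))
```

Run against the sample, the first link is flagged because the reader sees examplebank.com but the browser would go to verify-login.net, the help-desk link passes, and the sender is flagged as a lookalike. Real mail filters add far more signals (SPF/DKIM results, URL reputation, attachment analysis), but these two checks are the ones an employee can also perform by hand: hover over the link and read the sender's domain character by character.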
4. Man-in-the-Middle (MitM)
Next is an attack that is every bit as malicious and considerably stealthier, and it is hard to spot no matter how much security knowledge an employee has.
Have you ever been in the airport, gone to connect to Wi-Fi, noticed two different networks tied to the airport, and went ahead and rolled the dice on which one would work?
The choice is a bit more important than Auntie Anne’s Pretzels versus Pinkberry. You’ve potentially opened yourself up to a man-in-the-middle (MitM) attack — a type of cyberattack where a malicious party intercepts communication between two or more parties over a network that was assumed to be secure. Public Wi-Fi is a common culprit, as it’s easy to disguise a rogue network as a trusted one simply by broadcasting the same or a similar-sounding network name.
Once an unsuspecting user connects, they get the internet connectivity they had hoped for, but now their traffic passes through the eavesdropping bad actor’s access point. Anything sent over plain HTTP can be read and altered outright; for sites that use TLS (HTTPS), the attacker still sees which hosts the user talks to and can try to downgrade the connection or present a forged certificate, which is why a certificate warning on public Wi-Fi should never be clicked through. There is hope, of course, as organizations can, again, vaccinate themselves with an injection of MTD and UEM, and individuals can route their traffic through a VPN.
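The rogue access point described above is usually called an evil twin, and because it has to advertise a name that matches or closely resembles the legitimate one, it can be spotted in a Wi-Fi scan. The following detection logic is an added example, not code from the original post or from any UEM/MTD product; the known-network inventory and the scan results are constructed for illustration, and the scan tuples are assumed to have been parsed from a tool such as `nmcli dev wifi` beforehand.

```python
"""Flag Wi-Fi networks that look like an evil twin of a known-good one: the same
or a near-identical SSID advertised from a BSSID we do not operate, or with
weaker security than the legitimate network uses."""
import re

# The networks the organization actually operates (assumption: exported from
# your own access-point controller; constructed values here).
KNOWN_NETWORKS = {
    "Airport_Free_WiFi": {
        "bssids": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
        "security": "WPA2",
    },
}

# Constructed scan results: (ssid, bssid, security, signal_dbm).
SCAN = [
    ("Airport_Free_WiFi", "aa:bb:cc:00:00:01", "WPA2", -48),  # legitimate AP
    ("Airport_Free_WiFi", "de:ad:be:ef:00:01", "OPEN", -35),  # same name, rogue AP
    ("Airport Free WiFi", "de:ad:be:ef:00:02", "OPEN", -40),  # lookalike name
    ("CoffeeShop", "11:22:33:44:55:66", "WPA2", -70),         # unrelated network
]

SWAPS = str.maketrans({"1": "l", "0": "o"})


def normalize(ssid):
    """Collapse the tricks used to make a rogue SSID look right: letter case,
    whitespace/underscore/hyphen differences and digit-for-letter swaps."""
    return re.sub(r"[\s_\-]+", "", ssid.lower()).translate(SWAPS)


def find_evil_twins(scan, known=KNOWN_NETWORKS):
    """Return (ssid, bssid, reason) for every scanned network that impersonates
    a known network without being one of its registered access points."""
    by_norm = {normalize(name): (name, info) for name, info in known.items()}
    findings = []
    for ssid, bssid, security, _signal in scan:
        match = by_norm.get(normalize(ssid))
        if match is None:
            continue                      # not pretending to be one of ours
        real_name, info = match
        if bssid.lower() in info["bssids"]:
            continue                      # one of our own access points
        reasons = ["unknown BSSID"]
        if ssid != real_name:
            reasons.append("lookalike SSID")
        if security != info["security"]:
            reasons.append(f"advertises {security}, expected {info['security']}")
        findings.append((ssid, bssid.lower(), "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for finding in find_evil_twins(SCAN):
        print("evil twin candidate:", finding)
```

On the sample scan the two rogue entries are reported and the legitimate access point and the unrelated coffee-shop network are not. The stronger signal on the rogue entries is typical: the attacker wants the victim's device to prefer their access point, so a sudden "better" copy of a familiar network is itself a warning sign.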
5. Multifactor Authentication (MFA)
If you’re like me, you have a dozen or so unread text messages with one-time codes, generated by the Ghosts of Logins Past. Those codes are one example of multifactor authentication (MFA): something you know (the password) combined with something you have (the phone). Codes delivered by SMS are the weakest form, since they can be phished in real time or intercepted through a SIM swap; authenticator apps and hardware security keys are stronger. As we move into the future of identity and access management (IAM) with adaptive and risk-based access, the MFA concept has been expanded to include biometrics such as fingerprint matching as a second factor beyond the entering of a PIN or password.
Whether you’re an enterprise looking to add an additional layer to verify whether a user is who they say they are, or you’re simply a consumer hoping to protect your online banking info, MFA is largely touted as an essential baseline for security peace of mind.
Security Knowledge Should Be Essential
To reiterate, it doesn’t matter who you are. Whether you’re the CEO of a multinational corporation or a college kid setting up a Gmail account, proper cybersecurity hygiene should be as essential as understanding the rules of the road or knowing how to recognize a scam.
Former Product Marketing Manager, IBM Security Guardium Insights for IBM Cloud Pak for Security