Channel your best Alex Trebek voice: According to TechTimes, 70 percent of employees report not truly understanding this topic, which deals with — among other things — reasons to not put your password on a sticky note.

What is … cybersecurity?

Unfortunately, the above statistic is not hard to believe. This is significant since, if we look at the U.S., we live in a world where 81 percent of adults have a smartphone and that same percentage are online in some capacity every single day. It’s really not all that astonishing if you think about it. Most of us have a computer in our pocket at all times, regularly bleating out the siren call of a new Facebook notification or breaking news story.

To circle back, the truly disturbing figure is the 70 percent that do not have a grasp on cybersecurity. That’s 70 percent of employees presenting significant risk to their organizations, and usually doing so with no malicious intent. This is a gaping knowledge gap that is being exploited by cybercriminals right now, yet as a society, we are woefully behind on education.

It isn’t for lack of trying, though.

Playing the Google search predictive-typing game reveals common cybersecurity training queries for everyone from high school students to veterans to lawyers. That’s a real potpourri of roles, but the diversity indicates that security awareness, education and skills are not limited to the domain of so-called experts. Security is a team sport.

Security Knowledge Is in Jeopardy

If you couldn’t guess from the first sentence of this blog, a great example of this knowledge gap was recently revealed on Jeopardy. If you’re keeping up with the Jeopardy “Greatest of All-Time” competition, you’re aware of the infamous brick wall that was the “Cybersecurity” category. James Holzhauer, Ken Jennings and Brad Rutter — three geniuses in their own right — didn’t just incorrectly respond to the two missed prompts, they didn’t respond at all. None among them were even able to hazard a guess at the $600 question:

“Companies consider cybersecurity when instructing employees with a policy on BYOD, short for this.”

Or the $1,000 question:

“Beware of these types of programs that track every stroke you make while typing in an effort to glean your password.”

Do you know?

As a reader of SecurityIntelligence, you most likely do, but if not, they are bring-your-own-device and keylogging, respectively.

5 Cybersecurity Terms to Become Familiar With

Those are not particularly advanced topics either. In particular, anyone who uses a personal device in the office is aware of BYOD. Let’s consider that point No. 1 on a list of cybersecurity terms everyone should know.

1. Bring-Your-Own-Device (BYOD)

BYOD is a policy in which employees can use their personal devices to do work either in the office or remotely. This is a great way to boost productivity since using your own device is a lot more intuitive than learning a new one provided by corporate.

But there is a potential dark side to BYOD. Non-work apps a user chooses to download to their device can present malware concerns, and since this is a personal device, it may be assumed that there is little to be done to prevent this.

Luckily, unified endpoint management (UEM) and mobile threat defense (MTD) platforms exist to do just that: give administrators the power to block corporate access from those employees who choose to peruse risky apps and websites.

2. Single Sign-On (SSO)

Have you ever gone to log in to multiple applications throughout the week and found yourself face to face with the same login page time and time again? That is a single sign-on (SSO) landing page.

The idea of single sign-on is that once you log in to a site or database, you’ll remain logged in as you navigate to other pages or applications. This saves you from having to remember dozens of passwords and inputting those passwords on each new site or app you access.

The goal is to keep employees from covering their desks in sticky notes and proudly displaying easily stolen credentials to anyone who happens to walk by.

3. Phishing

For those not in the know, phishing is not a typo. In fact, there is a good chance “phishing” is discussed more often than “fishing” these days since TechRadar reported that 1 trillion phishing emails are sent every year.

What is phishing? Phishing is the act of sending fraudulent emails purported to have come from a reputable source in an effort to dupe individuals into revealing passwords or other sensitive information. Twelve percent of employees open phishing emails, but luckily the true risk is not whether an employee opens the email, but whether they click the link therein. Only 4 percent of employees end up clicking the link.

Overall, this is good news. However, there are 3.489 billion people in the worldwide labor force and 1 trillion phishing emails per year. That means that in a worst-case scenario where everyone in the labor force receives at least one phishing email per year, 139,560,000 people are clicking a phishing link. That is not insignificant.

Organizations and individuals can look to MTD tools such as Wandera to ensure they are protected in the off chance someone clicks a phishing link and hits a suspicious landing page.

4. Man-in-the-Middle (MitM)

Next is an attack vector that is equally malicious and certainly stealthier. The stealthiness is not proportional to an employee’s security knowledge, either.

Have you ever been in the airport, gone to connect to Wi-Fi, noticed two different networks tied to the airport, and gone ahead and rolled the dice on which one would work?

The choice is a bit more important than Auntie Anne’s Pretzels versus Pinkberry. You’ve potentially opened yourself up to a man-in-the-middle (MitM) attack — a type of cyberattack where a malicious party intercepts communication between two or more parties over a network that was assumed to be secure. Public Wi-Fi is a common culprit, as it’s easy to disguise a risky network as a trusted one simply by creating a similar-sounding network name.

Once an unsuspecting user connects, they get the internet connectivity they had hoped for, but now every site they visit or email they send is logged by an eavesdropping bad actor. There is hope, of course, as organizations can, again, vaccinate themselves with an injection of MTD and UEM.
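To make the "similar-sounding network name" problem concrete, here is an added example (not from the original article or any MTD product) that triages a Wi-Fi scan against an allowlist of trusted networks. The SSIDs, BSSIDs, the allowlist format and the 0.85 similarity threshold are all constructed assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed allowlist: trusted SSIDs and the access-point MAC addresses
# (BSSIDs) known to broadcast them. All values are made up for illustration.
TRUSTED = {"Airport_Free_WiFi": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}}

# Constructed scan results, shaped like what a Wi-Fi scan would report.
SCAN = [
    {"ssid": "Airport_Free_WiFi", "bssid": "aa:bb:cc:00:00:01"},
    {"ssid": "Airport_Free_WiFi", "bssid": "de:ad:be:ef:00:99"},
    {"ssid": "Airport Free Wi-Fi", "bssid": "de:ad:be:ef:00:98"},
    {"ssid": "Airp0rt_Free_WiFi", "bssid": "de:ad:be:ef:00:97"},
    {"ssid": "CoffeeShop", "bssid": "11:22:33:44:55:66"},
]

def normalize(ssid):
    """Fold case, digit look-alikes and punctuation so near-identical names compare equal."""
    folded = ssid.lower().translate(str.maketrans("013", "ole"))
    return re.sub(r"[^a-z0-9]", "", folded)

def classify(network, trusted=TRUSTED, threshold=0.85):
    """Return 'trusted', 'unknown-ap', 'lookalike' or 'unrelated' for one scan entry."""
    ssid, bssid = network["ssid"], network["bssid"].lower()
    if ssid in trusted:
        # Same name as a trusted network: only accept known access points.
        return "trusted" if bssid in trusted[ssid] else "unknown-ap"
    for name in trusted:
        a, b = normalize(ssid), normalize(name)
        # Different spelling but the same (or nearly the same) name once normalized.
        if a == b or SequenceMatcher(None, a, b).ratio() >= threshold:
            return "lookalike"
    return "unrelated"

def review_scan(scan=SCAN):
    """Map each (ssid, bssid) pair in the scan to its classification."""
    return {(n["ssid"], n["bssid"]): classify(n) for n in scan}

if __name__ == "__main__":
    for (ssid, bssid), verdict in review_scan().items():
        print(f"{verdict:10} {ssid!r} {bssid}")
```

A BSSID can be cloned, so a "trusted" verdict here is a triage signal rather than proof that the access point is genuine.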

5. Multifactor Authentication (MFA)

If you’re like me, you have a dozen or so unread iMessages with one-time codes, generated by the Ghosts of Logins Past. Those codes are one example of multifactor authentication (MFA). As we move into the future of identity and access management (IAM) with adaptive and risk-based access, this MFA concept has been expanded to include biometrics such as fingerprint matching as a second factor beyond the entering of a PIN or password.

Whether you’re an enterprise looking to add an additional layer to verify whether a user is who they say they are, or you’re simply a consumer hoping to protect your online banking info, MFA is largely touted as an essential baseline for security peace of mind.

Security Knowledge Should Be Essential

To reiterate, it doesn’t matter who you are. Whether you’re the CEO of a multinational corporation or a college kid setting up a Gmail account, proper cybersecurity hygiene should be as essential as understanding the rules of the road or knowing how to recognize a scam.
