With all the anti-hacker technology we have, from multi-factor authentication to routers that monitor all the traffic going in and out, and entire teams of cybersecurity professionals watching who is getting into their networks and what they’re doing, how are hacks still even a thing?
A twofold problem
Well, the problem is twofold. One is that some companies just don’t take cybersecurity seriously enough. A couple of years ago, I gave a talk at a security conference about Equifax, looking back on the breach that happened in 2017 and discussing the lessons learned. I had a nice room full of people, but they weren’t there to learn about Equifax, because they already knew about all that. Their issue was that they couldn’t get their own companies to implement even the simplest measures to prevent the same thing from happening to them, and they wanted to discuss it with others so that we could figure out a solution. It was really eye-opening to hear that that’s the problem.
The other side is that these precautions are useless if people keep falling for phishing scams. Now, that’s basically a people problem. And we are the people who are the problem.
According to Kevin Mitnick, one of the most notorious hackers in internet history, “Humans are the weakest link in any security system.”
And I gotta say, I don’t disagree.
What can we do?
All this musing is fine and good for feeling all knowledgeable and stuff. But the point is not for you or me to feel all smart and smug. The point is, what can we do about it, to keep ourselves safer from hacks and scams?
There are a few things. I’ve mentioned a lot of these on this podcast before, but let’s look at these from the perspective of hacks and scams working together, and how you can keep that from happening.
With regard to companies that can’t be bothered to implement security measures: as a consumer, you in a way have more power than the cybersecurity pros they’ve got working in the back room. One of the problems the security crew faces when trying to get new measures implemented is that cybersecurity itself doesn’t generate any profit for the company, so management is reluctant to put more money into it. But if a website where you do business lacks some basic security measure, say, multi-factor authentication, you can complain about it.
And you can say that you won’t do business with them until they fix it, and that will have an impact. Because if a company is worried about losing customers because of a lack of MFA, they might be inspired to finally allocate some funds to do it.