CIOs, CISOs (Chief Information Security Officers), CROs (Chief Risk Officers) and other leaders responsible for information security all share an awareness that is rarely stated, at least not directly. You are security threat number one.
Many people reading the last sentence will recoil or defensively think “I am not a threat.” If you have a username and password for any computer system, you are security threat number one. You are the number one threat primarily because you are the number one target for hackers.
Those who thrive in the hacking culture understand that you trust email, you trust USB drives, you trust random texts that appear on your phone, you trust links shared on social media, and generally you trust other people. Hackers are people, so you trust them until you learn not to trust them. Unfortunately, the price for your education can be the downfall of an entire organization, the loss of billions of dollars, or your personal bank account being drained, leaving you no money for rent, groceries, car payments, etc. That is a high price for all of us to pay because you trusted a hacker.
It is human nature to trust other humans. Many of us learn to trust strangers through a multitude of business and personal interactions, and that is unlikely to change. However, hackers have patterns, and to protect yourself, your family, your coworkers, and your organization you can learn to identify those patterns before your bank account is drained. Doing so requires time and effort on your part, and hackers understand that it is easier to just trust that email, that USB drive, or that random text. Hackers are counting on you not taking the time to learn their patterns. That is why they are thriving today. Hackers take the time to learn about your patterns, your habits, and your trust levels. However, their education requires your cooperation.
You cooperate with hackers every time you use the same username and password for more than one system, every time you click the link in some random social media post or email promising to extend your warranty, pay you to take a survey, or verify your delivery information to avoid shipping delays. You also cooperate with hackers every time you click on a random text message, plug in an external USB or other storage device, use the default settings on your home WiFi, or check your personal email from a work computer.
Unfortunately, nearly every person reading this post does or has done one or more of the things listed above. To understand the potential threat scale you represent, apply the “Lewis Cube,” something my teams named for me some time ago as a way to demonstrate the real and potential threats to you and your organization. Applying the cube is simple. Multiply your link clicking, text clicking, personal email and WiFi habits, etc. by the number of people in your organization, then cube that number (X to the third power), and you can begin to see why you are security threat number one. The resulting number represents the number of threat vectors created by people with usernames and passwords in any organization.
For example, a 100-person organization with only five bad habits per person would equal 100 x 5 (the cooperating events above), cubed (to the third power): 500 to the third, which equals 125 million threat vectors for hackers to exploit, in an organization of just 100 people. Now you can see why your security team seems so edgy and doesn’t seem to sleep well at night. Yes, that number seems unimaginable. After all, you are just skipping one security rule, opening one weird email, replying to one random text, and as far as that WiFi thing goes, who wants to use your home WiFi anyhow, right? That is exactly what the hackers know about you. You will skip one rule, open one text, or ignore one best practice until your bank account is empty.
Some readers look at the Lewis Cube number of 125 million threat vectors for a 100-person organization and think that number is too high; there is no way the threat count could be 125 million. My only question to those readers is, how many hackers are trying to steal your data right now? The only legitimate answer is that you do not know, and the hackers know that about you too.
Other readers, those in the security community for more than a few weeks, see the number 125 million and think that number is too low. Many people in the security community would say the number is closer to infinity because new hackers are born into cyberspace every minute of every day. The reality is that no one knows for sure. There are hacker activity tracking firms, organizations, etc., but they only know about the hackers who leave a trail and repeatedly hack. That is another thing hackers know that you do not – how to hide their activity.
As I crafted this post over a two-day period, I received 87 random emails to my work and personal email accounts, including three random invitations on a professional networking site and two random texts with a “click here to open” message. These are the potential threats that made it through very good malware, spam, virus, and other threat detection software applications designed to prevent these threats. If 92 of these potential threats made it through the gauntlet of protection software currently deployed to protect me, an IT professional, just imagine how many potential threats were targeted at me. The same is true for every person reading this post.
So how does a person with a username and password move from security threat number one to a lower threat level? The three-step answer seems too simple, but it is highly effective. To move out of the number one security threat position, you need to Learn, Do, Speak. First, learn hacker patterns and habits through qualified training so that you recognize potential threats. Developing those skills requires more focus than effort. Once trained, you will know what to do, which is the next step.
While focusing long enough to learn how to spot hackers’ patterns is a great start, applying what you learn, the actual doing, is key to protecting yourself and your organization. Doing means pausing long enough to evaluate an email, a text, or a professional invitation to join some random group. Finally, you have to speak, as in speak up when you think something is a potential threat. Hackers count on your silence. They know that you do not want to admit you were fooled by their email, text, etc., and are likely to sit quietly in the corner while they use your username and password to steal from your organization. The only way to stop hackers is to speak up. Every IT leader reading this is nodding their head yes. IT alone cannot protect you. You are responsible for helping IT to protect you and everyone else in your organization.
As the number one security threat, you can also become part of the number one alerting and defense system. There are millions of hacker threats directed against you and your organization, and while losing your paycheck to a hacker might hurt, imagine the pain if your actions caused everyone in your organization to lose their paychecks. Your actions to learn, do, and speak reduce the odds that any potential hacker threat causes damage to you or your organization to nearly zero.
That’s right, you can become part of the solution to stop hackers now. Knowledge and action are amazing defenses against hackers. Protect yourself, your family, your organization, and the rest of us by learning, doing, and speaking.