People don’t take cyber-security seriously yet because there has not been a major event. There will be: a “cyber 9/11” is all but inevitable. If somebody turned the internet off for a week — and it’s possible — people might take more notice. But my research showed that fear doesn’t work as a deterrent. Even when we fully understand the risks, it doesn’t change our behaviour. We still download files and apps without knowing where they come from, and plug in USB sticks that haven’t been virus scanned. Everyone knows that their company has a cyber-security policy, but very few employees are aware that they’ve signed it, let alone understand it, and they very rarely follow it. Then again, most companies don’t audit the policy or keep a record of how many times it has been violated.
A simple example of bad practice is storing personal files on a work laptop. If a lot of information about you is kept in one place, a criminal who gets hold of it can build a profile of you. That greatly increases the chances that they can crack your passwords or pass security checks to gain access to company networks and sensitive information.
Cyber-security is linked to physical and operational security, so we have to look at it holistically. One of the easiest ways to hack a company is to go into the office and insert a USB drive containing malicious code into a network-connected machine. But it’s not just about physical protection.
A significant threat today is “social engineering”: psychologically manipulating people into giving up confidential information. Social engineering is far more successful when the aggressor already holds information about you. Somebody might call you claiming to be from your bank and ask for your security details. Or they might call you at work, say they’re from the IT department, and ask you to install an update from an email they’ve sent. They can find your phone number and the real name of someone in IT on the internet, and they can tie their story to corporate events publicized on LinkedIn or Twitter to build a plausible, convincing cover story. As soon as you click on the link, that’s it: the botnet virus is in, and it can spread throughout the company network.