Sponsored: Building a Security Mindset: Lessons from the RSA Conference 2015
The RSA Conference is a landmark event in the calendar of global security professionals with over 30,000 security professionals converging at San Francisco this year. RSA, the security division of technology giant EMC, is a leader in information security.
The practice and science of Information Security is however in a state of crisis of sorts. Despite security technologies in place, hackers have attacked many companies and have even brought some to their knees. From shadowy criminal organisations to nation states, everyone is building cyber attack capabilities either to profit from attacks or to cause damage.
Take some big examples from recent times. US retailer Target lost over 40 million customer credit and debit card numbers to hackers in 2013. The hackers sold this data to card counterfeiters who then pasted this data on fake credit cards using magnetic stripe encoding machines. According to security blogger Brian Krebs, who detailed the extent of the attack and the cost implications, the hackers may have sold around 1-3 million of the 40 million stolen cards for around $27 each and generated $53.7 million in income. The attack cost banks and Target hundreds of millions of dollars in damage.
We also read regular reports of Chinese hackers attacking Indian government facilities. Even as I reached the RSA Conference, my mailbox had an e-mail from Hyatt asking me to change my password since Hyatt found that some accounts were accessed by an unauthorised individual using member usernames and passwords.
It’s no longer about just companies alone. It affects each one of us. It affects you and me. If your credit card data was hacked as part of the Target hack, there might have been inconvenience and cost for you as an individual too. And the problem has now reached staggering proportions. You and I can’t just depend on our banks, service providers or the government to ensure security.
At the RSA Conference, the experts said that the usual approach to security had run its course. Instead of just looking for technology to solve the issue, experts challenged the industry to relinquish its legacy approaches to combating cyber attacks. The key theme of the RSA Conference was ‘Change’ and mainly dealt with a change in mindset towards security, not just about increasing the height of the walls or the depth of the moat around castles (business organisations), but looking at newer and smarter approaches.
How does that work for us as individuals?
A mindset change really means being security-conscious. For one, it could start with reading the security mailers sent by your bank—often we ignore them thinking, “This won’t happen to us.” Then it is passwords. A few years ago, perhaps we had 2-3 passwords to juggle with—your computer, e-mail address and perhaps one Internet banking login credentials. Today, you have multiple apps and services on your phone, bank login passwords for banking, credit cards; social networking ranging from Facebook to Twitter to LinkedIn to Instagram, and more; passwords for your utilities like power, gas, water supply, housing society portal. And there’s more. And some more. We truly live in a digital age and each of these are points of failure if the organisation concerned behaves like Target did and doesn’t leverage the best in security. But if you use the same password, imagine the havoc if a hacker manages to get into one system and then systematically takes over your digital identity.
True, password management isn’t easy. But that doesn’t mean that you have the same password for 20 different services. Use a password management app or tool.
Then there’s social engineering. Just as much as companies use security technology to protect customers and themselves from hackers, the bad guys use technology to spin larger and more attractive webs to trap unsuspecting users. At the RSA Conference, one senior RSA executive told me that when he moved from the US to Switzerland as part of his job, he changed his location on his LinkedIn profile and within hours he got an email purportedly from his bank, claiming that there were problems in a funds transfer between the two countries and asking him to click a link. Being a security professional he hesitated, even though he himself didn’t believe the email could be from hackers—how could they try a stunt like that so quickly? Yet, he was indeed transferring large amounts of money between the two countries for new housing, etc, but he decided to check with his bank first.
As it turned out, his hesitation and a call he made to the bank saved him from embarrassment and possible financial loss, because the email had indeed come from hackers who use sophisticated tools to harvest such changes on social media and then send customised communication to hack into your accounts. It’s no longer some chap sitting in a slum in Nigeria—these are large criminal organisations that use the best in technology, social engineering skills and have smart experts who try and stay ahead of the security professionals and are definitely smarter than the average user.
Build that security mindset. If unsure, call your bank. Don’t hesitate, because it’s better safe than sorry. And while you may be smart not to fall for such tricks or click links, ensure you protect the weak links too. For instance, older parents, to whom you may give a credit card as emergency protection, but who may not realise that a caller isn’t the bank representative he claims to be but a criminal out to get key data to misuse the card. Educate them and tell them never to reveal such data to anyone.
In fact, if you think that criminals just make calls, you’re mistaken. Smart criminals now use sophisticated Interactive Voice Response (IVR) systems that sound like just the one from your bank, and users feel safer punching in a CVV number than revealing it to an unknown human on the other end of a phone. But the sophisticated system just harvests this data and spews it out to criminals who will sell or misuse the data. Once again, build a security mindset, verify if in any doubt. No bank will ever cancel an account, etc, in case you don’t do something immediately.
Also make sure that when you choose a bank, you pick one that has given importance to a security mindset. Every bank has security technologies because of mandatory rules from the regulator but a mindset is revealed in the communication they send on security, how they try and regularly educate users, etc. For instance, DBS Bank India, part of Asia’s foremost financial services group, DBS Group Holdings Limited, has initiated an awareness programme through its Action against Cyber Theft (ACT) initiative to inculcate a security mindset into general consumers like you and me, in India. Right from sharing simple tips on securing passwords online to sharing lessons on types of cyber crimes, DBS’ ACT campaign is encouraging users to protect themselves from cyber theft using simple steps, through its microsite and also through social media channels.
And of course, banks like DBS also ensure they have technology such as two-factor authentication, where besides a password - you could be asked for a one-time personal identification number (PIN) sent to your mobile phone. DBS exemplifies institutions which have identified security of their consumers as their prime concern, and have gone beyond merely having technologies in place. It kick-started cyber-security awareness programme like ACT whilst establishing itself in the digital banking space to ensure that all internet users are safe and secure while navigating through the digital maze.
Besides banking responsibly, you have to bring in a security mindset into mundane things like dining out too. Refuse to give your PIN to a waiter. Go to the counter and punch in your PIN yourself. It will inconvenience you a bit, but it’s worth it. And then ask for a feedback form or ask to see the Manager and tell them to get a wireless card machine that is easily available now. If they don’t, pay in cash the next time or simply take your business elsewhere. It’s at points like these that your valuable data can be stolen, because criminals will pay lowly-paid staff handsome amounts for customer data.
You can also take cues on how to safeguard your smartphone as an individual or lessons on how to protect your organisation from IT risk from the ACT microsite. You can - check the strength of your passwords on ACT using its engaging and innovative Password Checker tool. All you have to do is type in your password and the checker will promptly show you the number of seconds it would take to get hacked. The microsite also has some important tips for cyber crime victims which also emphasizes on why taking legal action is important. And there are a host of resources available to make sure you are safe in the digital world.
You can never be 100 percent sure of security, but by building a security mindset, you can ensure that the chances of your data hacked are far lower. Let me illustrate—in case you use a steering lock on your car, the chances a car thief will take it are reduced, not because a car thief cannot open that lock. They can open a car door in under a minute and a steering lock in another minute. But that added 60 seconds simply adds to the risk of his getting caught and hence the car thief will move on to the next car where his risk of getting caught decreases. That’s the same way with building a security mindset—the risk of your data hacked comes down. And that’s a good thing in an increasingly insecure world.