January 25, 2021

Call to action: Raising security awareness

This article is intended to encourage public discourse about security awareness and work together towards fixing the Internet. No security tool will solve the problem, we need a shift in mentality to do that.

Call to action: Raising security awareness

Like all significant changes in society, we can only do it one small step at a time.  We have to educate the public to take digital hygiene seriously by introducing new good habits and eliminating bad ones. At the end of this article we'll provide several actionable pieces of advice for what you, the reader, can do to help us fix the Internet.

Why is this a problem?

Unfortunately, the awareness about IT security issues is relatively low everywhere, so as a startup trying to make the Internet a safer place, it's crucial for us that people understand the ramifications of information security incidents and how data breaches can negatively impact their everyday lives.

Don't get us wrong; we don't want to sound too alarmist, nor want the Internet to feel like a maximum-security prison. Still, we need to find the right balance between usability and security to reduce security incidents' impact to an acceptable level. Perfect security is impossible, and there will always be risks as long as computers are interconnected.  It's everyone's responsibility to figure out what kind of risks they are willing to accept.

The truth is most companies don't take security seriously until a disaster happens. They don't realize the costs of a data breach far outweigh the costs of doing security properly. It doesn't end in monetary costs either; it affects reputation and trust as well, which are hard to put a price tag on.

Most of us were born when Internet wasn't a thing or didn't pose any danger. So we were never taught about its risks, and it reflects deeply in our society. Almost no one is treating internet threats seriously. We don't think of the consequences of clicking a random link that could take us to the darkest places on the Internet because we sense no physical harm. Our brains aren't wired to treat Internet threats as real.

When we ask ourselves the worst thing that can happen, we probably think about computer viruses or the inability to use the computer. We don't think of those pains in the physical realm; we perceive them as digital-only. Therefore they're only virtual pains that can be stopped by shutting down the computer.

If people don't realize something can be dangerous, they treat it as harmless and ignore the dangers that can be caused by it. This article aims to educate people unaware of IT security of the real risks of their actions online. And make them understand that clicking a link can have severe consequences in their real-life as well. Plenty of times, security incidents have emerged from the virtual world and have caused severe damages in real-life, including deaths.

What already happened

With our lives migrating online, not only the wars between world powers but also common crimes like robberies, defamation, sexual offenses, blackmail, frauds, and others have become digital too. Next, we'll list several recent security incidents that have caused a great deal of harm in real-life to show that it can happen to anyone. You don't need to be a secret spy agent or an influential politician to be attacked. Regular people are often victims too.

  • Vastaamo - the Finnish psychotherapy service was breached in 2018 and 2019, and attackers managed to steal extremely sensitive information about the most vulnerable people. In September 2020, the attackers asked the company for ransom, which Vastaamo didn't pay. They also started sending extortion messages to victims asking for payment to prevent their data from being published. Vastaamo set up a crisis hotline to help victims deal with the consequences of this incident.
  • Equifax - one of three credit card agencies in the USA entrusted to collect confidential information on hundreds of millions of individuals was breached in 2017 by the Chinese government. The worst aspect for consumers regarding this is that they can't opt-out of data collection. Even though the leak was never made public, the incident became a massive scandal. Equifax shares dropped 13 percent, and lawsuits are still ongoing.
  • Twitter - in July 2020, 130 high-profile Twitter accounts were compromised by few teenagers to promote a Bitcoin scam. They took over Twitter's administrative tools, so there was nothing those users could do to prevent it. Despite the relatively small financial impact, security experts expressed concern because foreign governments could do the same, causing much more harm. The situation was dire before the 2020 United States presidential election when most politicians communicated with the general public using Twitter.
  • University Hospital of Düsseldorf - in September 2020, a hospital in Germany became the target of a ransomware attack. Reports suggested the real target was supposed to be the affiliated university. The incident forced the hospital to close the emergency department, which resulted in a gravely ill patient being sent to a different hospital, delaying treatment by an hour. The patient died, and the story made it in the news as the first possible death caused by ransomware. Legal investigations have later found out that the patient would probably die even if the attack didn't happen.  This case highlights the dangers that can be caused by attacking hospital systems, and we will probably have more similar situations in the future if we don't act.
  • SolarWinds - also, in 2020, a massive attack unlike anything seen before penetrated multiple parts of the United States government, leading to a series of data breaches. SolarWinds was the first company that announced a foreign nation had inserted malware into its software. The incident got associated with the SolarWinds name. But they were only a small part of the entire attack. The investigations are still ongoing, and we don't fully understand the ramifications of an incident of such magnitude, which some politicians describe as an act of war. The collected evidence points towards Russia's Intelligence Service agency SVR. The attack lasted about 8-9 months, affected tens of thousands of organizations, and breached probably millions of computers.

All of the above attacks have caused real-life damages with ramifications of those consequences on our society. Just because the organization is dealing with sensitive data doesn't mean they do take security seriously.

What can you do

Like any substantial problem in the world, there's no silver bullet to fix it. But everyone can take steps in the right direction to help with it. We, security professionals, cannot solve the issue without support from the public. Healthcare professionals cannot keep public health at acceptable levels if most of the population does not practice hygiene. The only way to fix the Internet is to do it together and to think about online security as of our digital well-being.

With that said, we have come up with a list of actions people can take to kickstart the public discourse of what needs to be done and even start solving it.

Applies to List of actions
Organizations • Run penetration tests regularly and after releasing a new application
• Minimize the attack surface
• Rethink your security budget to prioritize processes over tools (i.e., teach awareness instead of buying a new antivirus software license)
• Prepare an incident response plan
Security professionals • Share your expertize with the world (eg. write blog articles)
• Give your coworkers security advice
• Build a "secure by default" mentality in your organization
• Don't blame employees for the failures. Educate instead
• Encourage coworkers to report their own mistakes
Developers • Learn best security practices for your dev stack
• Follow bug trackers for the software you use to catch vulnerabilities early
• Patch often and make sure the patches are applied
• Make it difficult for end users to do dangerous actions
• Implement the concept of "zero trust" where it makes sense
Media • Write stories about security incidents if you don't already
• Don't focus only on high-profile attacks
• Talk about the average Joe. Most people think they are not important enough to be hacked
End users • Invest some time in improving digital hygiene
• Sacrifice a little convenience for more security
• Adapt new "digital health" habits
• Treat online security as your virtual health. It reflects on your well-being
• Be careful what you download and where you click
• Update your devices often

What did we do

We started publishing security tips in plain English on our website and all social media channels to increase awareness from our side. They should be easy to understand for people who don't know much about IT and security and want to protect their online assets.

In addition to that, we share almost daily about 5 security related blog posts or news articles for security professionals on Twitter, Mastodon, Facebook, Telegram and even the raw RSS feed to add to your news reader application.

What can we do for you

We can help your organization identify and fix risks associated with IT systems by simulating real-world attacks. We are using the same techniques an attacker would use to target your organization. Using the latest threat intelligence, we focus on the areas that can cause the most significant business impact. We are not selling you the penetration testing report only. We are selling you the knowledge needed to prevent similar risks in the future to stay one step ahead of the attackers.

Lastly, but not least, if you have suggestions for us, are interested in a partnership/collaboration, have an assignment for us, or anything in between, click the button below to get in touch with us: