I picked up on this rather alarming comment in an article relating to last week's Tesco Bank incident. Loosely interpreted, one could be forgiven for thinking that there is no solution to this type of attack, save having highly trained, ultra observant consumers who are savvy enough to spot they are about to be duped!
Surely if this is the case, the service provided by the bank is 'not fit for purpose'? We are increasingly pointing the finger of blame at what has been described, somewhat unfairly I would contest, as the 'hapless user'; however, in this scenario it would seem that the bar that constitutes haplessness has been set pretty high?
Indeed just this week I have had two personal emails that have roused suspicion. One with an attached invoice from a company that I have used, but not recently. This was followed later in the day by an apology from the sender, who admitted that they had been hacked and that the said email should be ignored.
The second managed to rouse dual suspicions since it came into a joint email account used by both my wife and me. It related to a hotel reservation for two that I was purported to have made for this coming Friday!
I could see it coming: why was I going to Nottingham, and what's more, why had I reserved a room for two people? Fortunately I have an alibi, so I am off the hook on this one; however, why I had received the said reservation remains a mystery to me.
I have subsequently examined the message and am still unsure quite what is behind it. No matter, it is an example of how we have reached a stage whereby what we receive may not be quite what we are expecting. In both situations something was not quite right; however, with the increasing sophistication of phishing attacks we are all going to need to be super sleuths in order to spot the sort of methods used to execute the Tesco attack. Which begs the question: why does so little creative energy get applied to the educational side of cyber security?
The stark admission that prompted this blog has to send out a strong signal that if we just rely on technology we are going to get found out big time!
My hunch is that those who really get cyber security quite naturally lean towards technical rather than social solutions. Cyber security is inherently technical and by and large doesn't draw in the creative talent required to make imaginative, effective and engaging content that brings the message home.
One exception I have recently encountered is our partner Popcorn Training, who blend a deep technical understanding with humour and a creative eye. This is borne out by the fact that they are labelled as visionaries on the Gartner Magic Quadrant for Security Awareness Training.
My guess is that an increasing amount of energy will be focused on general consumer awareness: getting us all to better understand the risks associated with what for most is an abstract concept. That said, there is a limit to what we can expect the consumer to know and understand. Placing the burden of responsibility onto the end user for a problem the specialists can't solve is patently never going to wash, unlike my alibi for an illicit weekend in Nottingham!
“The only thing that can be truly effective is a very diligent end user who knows what to look for. That means all the banks can do is offer tips on how to spot the fake sites collecting user data that the malware creates and hope the user is diligent enough to learn and watch for signs of the bad guys at work.”