Skip to content
Naked Security Naked Security

Welcome to Cybersecurity Awareness Month 2016!

STOP. THINK. CONNECT. Simple and effective advice for National Cybersecurity Awareness Month.

It’s October, and that means it’s Cybersecurity Awareness Month (CSAM).

In the USA, it’s not merely CSAM, it’s officially National Cybersecurity Awareness Month, an awareness project aimed at ensuring that everyone has “the resources they need to stay safer and more secure online.”

In 2016, as in previous years, the overall message of NCSAM is a simple one to remember:

STOP. THINK. CONNECT.

That’s actually excellent advice for any online activity, whether that’s uploading snapshots, signing up for a new service, clicking through to a website, or downloading the latest app.

Many cybercrooks have learned to squeeze just hard enough to get us to take needless risks online, without pressing so hard that we get suspicious and turn away.

For example, ransomware often arrives in emails that claim to be invoices or requests for quotation, giving you just enough reason to open the attached document, because it’s similar to the sort of material you receive regularly at work, but not enough to realise that it doesn’t quite add up.

Or the crooks send you booby-trapped content that pretends to cover a topic that you are interested in, such as a research paper or a news report. (Your personal interests can probably be found on Facebook; your work interests on LinkedIn.)

Likewise, a recent strain of Mac malware called Eleanor, which tried to hook your webcam up to the Dark Web, posed as a free document conversion utility.

Instead of using fear, or high-pressure techniques, the crooks relied on offering a handy utility that claimed to solve a common hassle for Mac users, knowing that anyone who tried it and deleted it later, without any obviously bad side-effects…

…would nevertheless be stuck with the malware it delivered, which left behind handy intrusion and hacking tools that the crooks could come back to later.

Sometimes, just a few minutes, or even a few seconds, spent asking yourself, “Is this really a good idea?” is enough throw a spanner in the infection process.

In real life, it’s perfectly common to look before you leap, because leaping involves real physics, and real forces such as gravity.

Online, it’s easy to get into the habit of relying on some equivalent of [Undo] to try to “unleap” later on if things go wrong.

But “unleaping” is usually too late to unleak data, to unreveal your password, to unsend zombie spam, to uninfect visitors attacked by your hacked website, and so on.

If you’re really unsure about attachments, emails, phone calls or other requests to get to take some kind of online action, ask someone around you for advice – but make it a genuine, real-world friend: someone you already know, and like, and trust. Don’t contact the person who sent you the email to ask them to vouch for themselves; don’t rely on calling back the phone number they gave you; and don’t use web links that they provided, either.

Of course, STOP | THINK | CONNECT. doesn’t apply only to those of us who consume online services.

It applies just as strongly to organisations that provide online services and hope that we’ll connect to them.

2016, for example, is shaping up to be the Year of The Last Year’s Data Breach, or even worse, as we hear news story after news story of massive data breaches that happened years ago.

Let’s make sure that 2020 isn’t the year that is remembered as the Year We Found Out About The Breaches of 2016 by acting now to deal with all those security improvements we haven’t quite got around to yet.

If we are more diligent about STOP | THINK | CONNECT before we put precious data where crooks can get at it, we’ll help everyone, including ourselves, to stay safe online.


3 Comments

I have a Sophos anecdote. I work for a public agency, where we have programs for the public. A local hospital network put on a program. The programmer needed help connecting to our public network. His laptop required a login. He complained to me that they have to change their password every 3 month, and they can’t use one of their last five passwords. I rhetorically told him that if I can get his password, I can get his medical records. When the computer booted, Sophos Enterprise was running on. I don’t know if Sophos enforces strong and regular password changes on their customers, or if the IT staff does, but it’s nice to see security taken seriously and done correctly.

Good leaping analogy. Too frequently Internet users view the virtual world as just that – “virtual” or segregated from reality. The notion that what happens online stays online is what leads to identity theft, cyberbullying, I try to teach people that saying something online, whether posted to social media or sent unencrypted, is akin to shouting it on a street corner. Anyone listening gets the message, whether they are the intended recipient or not.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?