Cyber Security (for people) Month

It is “National Cyber Security Awareness Month”! While the calendar is quite diluted with months and days to raise awareness about just about any aspect of our society, it does bear mentioning.

The mission of UpSight Security is to make ‘Security that works for people’. Implied in that is our belief that much of what we do to secure our digital way of life just doesn’t actually work out because we are, after all, people.

I don’t mean to demean the good work of the folks at CISA. They have some solid advice: use multi-factor authentication (MFA) and keep your software up to date. The problem is that these are not typically choices we as people are really in control of. So raising awareness is good, but my ability to implement this advice is limited. The vendor of whatever website we are using must implement MFA in the first place. And presuming software updates are even available, they only work if the vendor makes it easy to do them automatically… and if those updates then don’t break or fundamentally change the nature of what is being updated… Nearly nobody gets this right.

And then we get to the tired tropes of “use strong passwords”? And my favorite: “Recognize and Report Phishing”? Sure! However, this is basically shifting security to where we as people are weakest! It is just human nature to not be able to remember long and truly random sequences of characters, numbers, and punctuation, let alone use a unique password per website. It's hard enough to recall the username. Certainly I could, and in fact do, encourage everybody to use a password manager. However… at the end of the day this is just a shell game. You’ve substituted having to recall a huge number of passwords for a single one (maybe!). But as we here at UpSight have demonstrated repeatedly: if you are NOT being asked for a password or MFA constantly when you launch an application (such as your password manager or web browser), the underlying authentication token is very vulnerable to being stolen by an info stealer attack. Sadly, at the end of the day, most password managers just expose ALL of your passwords at once.

And returning to phishing messages… What exactly makes something suspicious? In the age of ChatGPT, many of the obvious tells of the past are easily removed: spelling, grammar, voice, context… All are easily adapted by the attacker, using the power of AI, into the voice and unique communication style of a trusted party.

We people are the weak link in the ‘Cyber Security Awareness’ strategy. It's not our fault; we are born this way! This is the very heart of what we mean by “Security that works for people”: security should work for people; people should be people, not work for security.

As such, I would call on you to not just be aware of cybersecurity this month. Be aware of how inadequate our cyber security defenses are, and demand better. And on that note, we are looking for partners to hold us to that account by becoming an UpSight Security Design Partner.
