Security Awareness: Understanding and Appreciating the Risks
All security is personal. The first step towards better personal security is better security awareness. But in addition to awareness, you also need an appreciation of the security risks that are out there.
Security Challenges and Risks with Robert Siciliano
See Security Challenges and Risks with Robert Siciliano for a complete transcript of the Easy Prey podcast episode.
Robert Siciliano is a security expert, speaker, and author who has been featured on CNN, Fox News, and the Wall Street Journal. He is the head trainer at Protect Now, which offers cyber security training and solutions, and is the architect of the CSI Protection Certification, a cyber social identity and personal protection security awareness training program.
From Physical Violence to Cyber Violence
Robert got his start in violence and theft prevention. In 1995, personal protection was selling pepper spray, stun guns, and educational self-defense videos. Eventually he moved to live programs teaching self-defense techniques.
He had the ability to accept Visa, Mastercard, and American Express payments for his products and programs. Then he was hacked. The hackers perpetrated thousands of dollars of credit card fraud, which was a huge loss for him.
Robert wanted to know how it happened, so he investigated. Eventually he was able to find some of the people who perpetrated it. He became interested in how they did what they did. And he realized that with the world becoming more digital, personal security is not only about physical violence.
“At this point, personal security is violence and theft prevention in both the physical and virtual worlds.” – Robert Siciliano
His company, Protect Now, provides security awareness training. The trainings are offered online, live, prerecorded, and on-site. They cover cybersecurity, social media security, online reputation management, identity theft protection and prevention, and personal security.
All Security is Personal Security
Security awareness is essential because there are always criminals out there seeking new victims. This might be physical. They might break into your home, assault you on the street, pickpocket you, or knock on your door pretending to be a local alarm company to get you to open the door for a home invasion. It could also be virtual. They might call you pretending to be the IRS or FBI, or hack into a database that has your Social Security Number and open new accounts under your name. In the end, it’s all personal security.
“All security is personal. It begins with the individual. Once the individual understands what the risks are and how to protect themselves individually … that’s when they become capable of protecting the data they are entrusted with.” – Robert Siciliano
Even having better security in business starts with security awareness for individuals. If we know how to protect our bodies, our identities, our money, and our family, we’ll be able to look at what happens at work and see where there are issues. An individual with good security awareness can see that they’re shredding sensitive papers at home and ask why that’s not happening at work. A CEO using “Password123” as their password sets a bad example for the whole company. The front line of all security is personal security.
It Can Happen To You
Most people don’t worry about security awareness because they believe it will never happen to them. They function in a state of denial. But by not learning how to protect themselves or their family, they risk running into trouble and not being able to deal with the fallout.
There is a small percentage of the population whose motivation is only to take, steal, and hurt. Some scammers and crooks will steal anything they can, regardless of value. Security awareness is about recognizing when you’re being targeted, whether you’re walking down the street or reading an email.
“In some way, [criminals] are going to be contacting you at some point in your life. When they do, recognize what is occurring so you can do something about it.” – Robert Siciliano
Trust and Security Awareness
Humans are born needing to trust people to survive. As we grow, we learn to be civil and kind, and most people are civil and kind to us. This process of trusting by default makes us think we can trust most people. If and when we encounter someone who wants to harm us, we often trust them until they actually scam or harm us. Scammers rely on that trust.
You’ve probably heard the phrase “Trust, but verify.” Avoid being overly trustful – verify as much as you can. Say you met someone online that you want to date. These days it’s easy to create a believable fake persona online. Learn as much about this potential partner as you can. Give it a significant amount of time before you open yourself up enough to put yourself at risk.
Don’t blindly trust what you find on Google, either. There are plenty of tricks scammers can use to get fake websites listed on Google, especially if you go past the first few pages of results. Always verify something is legitimate before you give out any information.
They Are Targeting You
Every time the phone rings, an email comes in, or someone knocks on the door, be suspicious. People say that’s paranoia, but Robert disagrees. Paranoia is when someone is completely overwhelmed by the environment and can’t manage to have a functional perspective. Security awareness is recognizing risks and making an educated decision around each incoming communication.
“Recognizing risks is scrutinizing that incoming communication and making an educated decision.” – Robert Siciliano
When the phone rings, you get an email, or there’s a knock at the door, you need to make decisions. How much information should this person get? How much should you give before you verify who they are and what they need it for? The person attempting fraud is good at it – it’s their job. Our job is to process it, notice if something feels wrong, and act.
If something seems off to you, process it. It could be something in their expression, eye contact, body language, or words; it could be something that feels too good to be true. Also do some basic research. Has this phone number been used in other scams? Has this specific wording been used in other scams? What information is it asking for? You can hover over a link in an email and see where it’s trying to take you. Security awareness reduces risk.
“By paying attention, being alert, and being aware, you reduce your risk.” – Robert Siciliano
Security Awareness and Security Appreciation
We’re all aware that it’s a good idea to lock our doors. Yet millions of people don’t. When Robert speaks to groups, he asks how many people in the audience lock their doors, and about two-thirds raise their hands. He then asks the rest why they don’t. Some of the more common responses he gets are, “Who’s going to want to come in?” “Nobody will come in while I’m home,” and “I don’t want to live like that, being afraid.”
People think that taking steps to protect your personal security is admitting fear or being paranoid. But security awareness and taking steps to be secure isn’t about fear. It’s about taking control and managing risk. You don’t put on a seat belt because you’re paranoid about getting in a car crash. You do it because it’s the smart thing to do, and if something does happen you want to be able to take control.
“There’s nothing about security that has anything to do with living in fear. Security is about being in control, taking a level of control, or managing risk.” – Robert Siciliano
Instead of locking their doors and doing something to manage risk, most people function in denial. Denial is comfortable and easy. They don’t want to think about the risks. Security awareness is understanding that the risks are out there. Security appreciation is actually putting systems in place.
Evolving Security Awareness to Appreciation
Let’s take a home as an example. Security awareness would be knowing that it’s smart to lock the doors. A first step in security appreciation would be to actually lock the doors. A next step might be to invest in an alarm system with signs in the yard saying the house has an alarm. If a burglar comes down the street and sees ten houses, one of which has a “This house is alarmed” sign, they’re not going to pick that house.
People don’t think it can happen to them. But it happens everywhere, and everyone is at risk. Physically, there’s no such thing as a safe neighborhood. Burglaries and home invasions happen everywhere. Virtually, scamming is an organized business with call center employees who have handbooks on how to commit fraud. If you aren’t thinking about security awareness and taking steps to improve it, you’re a sitting duck.
Security is not about fear and paranoia. It’s about managing risk and putting basic systems in place. Security awareness needs to evolve to the point where you not only know the risks, you want to do something about them. You can take action to become a tougher target for people who want to scam or hurt you.
Small Steps Towards Being Safer
There isn’t any list of things you can check off to reach the destination of “safer.” “Safer” isn’t a destination. Better security awareness and becoming safer is a process. It’s a bunch of small steps, one after the other, each one improving your personal security. There are two things Robert thinks everyone should do to work towards being safer.
Protect Your Social Security Number
The Equifax breach gave about 66% of adult Americans’ Social Security Numbers to criminals. Identity theft can be devastating, and you might not even know it’s happened for months.
There’s an easy step to protect yourself: Freeze your credit. It’s an easy thing to do. Robert thinks credit should be frozen by default. But since it’s not, you can freeze it yourself. If you have children, you should also freeze their credit.
Use a Password Manager
How can you have secure passwords if you’re using the same one for everything? You can’t. The only way to have proper password management is with a password manager. Writing your passwords in a Word or Excel document means you have to copy and paste them every time, which is cumbersome. People don’t do cumbersome security. We need easy security, and a password manager is very easy.
These days, we don’t need to remember a bunch of phone numbers. We have our mobile phones for that. We also don’t need to know passwords for every account we have. That’s what a password manager is for.
The Future of Security Awareness
It will take time for everyone to improve their security awareness. Seatbelts were invented in the 1950s, required in every vehicle in the 1960s, had use mandated by law in the 1990s, and now about 85% of people use them. It took over fifty years to get 85% of people using this basic safety tool.
We are just starting to gain a sense of security awareness. It’s going to take a while for people to gain that awareness and appreciation of the risks and take steps to improve their personal security. But it is possible, and more people are starting to appreciate security risks. Eventually, we’ll all adopt better security.
“I think as far as our security goes … it’s going to take us a while longer to wake up and to assimilate to all the tools that are available to us, and to recognize risk, recognize fraud, and to actually do something about it.” – Robert Siciliano