By Kevin Hamel
You know things are bad when the Simpsons cartoon series can instruct us on security. But here we are, considering the example of Montgomery Burns, the Simpson’s maniacal owner of a nuclear power plant, as he runs a gauntlet of body scans and password challenges required to enter his palatial office. Once inside, Burns notices a rickety screen door open to an unprotected field behind the plant.
I mention this in the context of a recent hacker headline – “Google Mail Hack is Blamed on China” (Wall Street Journal, June 2, 2011). After reading through the ominous description of a brewing international incident, I saw that the victims had merely been tricked into sharing their Gmail passwords through a phishing attack.
The irony really struck a nerve. Security mongers have built careers out of characterizing cyber criminals as super-smart monsters intent on one thing – gaining access to your online credentials to steal everything precious in your life. But in reality, the criminals are merely exploiting our own inattentiveness.
How many times has your bank said it will never ask for your user name, password, social security number, date of birth or other personal information in an email? How many times have you supplied that information anyway?
In a mock phishing experiment, the New York Office of Cyber Security & Critical Infrastructure Coordination sent fake phishing emails to nearly 10,000 state employees with the goal of tricking them into surrendering their passwords. More than 75 percent of the recipients opened the email, 17 percent followed the link, and 15 percent attempted to enter their passwords.
How can any anti-phishing software and detection service compete with a user’s willingness to open bogus emails, follow bogus links, and enter our online credentials? It is the literal equivalent of Montgomery Burns’ rickety screen door behind his super-secure nuclear power plant.
Given our tendency to overlook the most basic red flags, how can a bank or credit union help protect consumers from cybercrime?
One answer may be training. Just as banks and IT companies regularly engage in security training for employees, you might consider training your customers as well. Clever online games have been designed to educate consumers about links to fake websites and other security risks. Training products, such as Wombat Security (www.wombatsecurity.com) have been shown to reduce the likelihood of users falling for a phishing attack by approximately 50 percent.
Rather than jump on the security training bandwagon as today’s cure-all, banks and credit unions should think of Wombat Security and other training providers, such as Terranova (www.terranova.com) as ways to freshen their approach to security awareness in order to keep customers engaged. After all, the public tires easily, and eventually, even the most creative solutions will become wallpaper – increasingly easy to ignore.
You might consider including information from OUCH!, the monthly SANS Institute newsletter (www.securingthehuman.org), to help your customers through practical issues, such as securing passwords, staying secure while traveling and using your smartphone securely. You might also consider holding a security contest and awarding the winner an eye-popping prize – something to grab everyone’s attention.
The point is to make security a central focus of your institution’s service delivery. Frankly, it has to be. The prevalence of portable devices and the spread of social media have created more systems and platforms to secure than ever before. The days of securing a customer’s technology with simple antivirus software are long gone.
If you succeed in enlisting your customers in your security efforts, your bank or credit union will become more of a beacon of safety and soundness for your customers’ assets. That’s a great position to be in, because you will hold their trust for generations.
Unfortunately, the alternative is an unsustainable, Simpsons-style irony – the hyper-secure front entrance sabotaged by a rickety back door to unprotected cyberspace.
Kevin Hamel manages Security for Avon, Conn.-based COCC, Inc. (www.cocc.com), a 44-year old-firm specializing in outsourced information technology and support.