My colleague Aryeh Goretsky shared a funny joke from Buttersafe that I think invites us to mull over cyber threats. Before sharing my thoughts, I'd rather show you the cartoon itself and see if it makes you smile as it did me:
The cartoon raises an interesting question: how obvious are security threats? I invite you to think about this for just a minute before moving on. Is it so obvious when a user is facing a possible malware infection?
Those of us in the technology world frequently hear this kind of argument: that it seems almost childish to be fooled by a social engineering trap or to run an OS without having installed all available security updates. However, is that so? Is it so obvious? I think the joke invites us to think otherwise.
How obvious is a strange figure on the floor – a metal trap that will hurt its feet – to a bear? Yes, I know, for most of us it is not easy to take the place of a bear, but the answer is not so complicated: clearly, the trap is not part of its "knowledge base". Similarly, the mouse is unaware that the piece of cheese in the middle of the trap will lead to death. Everything, after all, is about knowledge. Would the mouse go to the cheese if it knew it was a fatal trap? Probably not.
That’s the key in education: providing information and knowledge to the users. In my experience, traveling through all Latin American countries promoting awareness initiatives, I've learned that ignorance is the main aid of the attackers. Most victims of threats do not even know about their existence, or the risks involved, until it is too late. If any user enters sensitive information into a phishing form, it is likely that he is not even aware of what kind of threat this is. In the end, everything has to do with education.
How obvious any scenario is depends on the information and knowledge of the observer. Therefore, it’s our responsibility (this includes many of you too) to work on developing user awareness of these threats, so obvious to us, in order to make them as obvious for the rest of the users.
Threats are obvious only when they are part of our knowledge, and they change from day to day. Therefore there is no implicit obviousness, just an ever-changing scenario of cyber threats from which users must be protected, and the best way to supplement the protection provided by security technologies is through information.
There are no obvious attacks. There are protected users, informed users.
Awareness & Research Coordinator
Author Sebastián Bortnik, ESET