by Dave Moore, CISSP, 07/04/2021
I work for a lot of very educated people; brainiacs, high-end PhD’s, and they’re falling for email phishing scams and being victimized by identity theft the same as people who barely made it out of high school.
Do you know why that is? Clearly, it’s not because they’re stupid, or they’re too old to “get it,” or anything like that. It’s because nobody ever taught them how to be safe on the Internet. Nobody.
Most people can follow instructions, if you just tell them what the instructions are. The sad and ugly truth of the matter is that Internet safety training and education for the general public is virtually non-existent. What should be another part of general life education, just like how to read, and write, simply isn’t there.
It’s as if most people driving cars today don’t know the steering wheel is one of the most important parts of the car. The majority of people using the Internet don’t know how to be safe on the Internet. They just don’t know what the heck they’re doing out there, because nobody ever taught them. It has nothing to do with a person’s intelligence, and everything to do with their lack of education and training in what has become a critical, modern-day survival skill: using the Internet.
Society has not been taught how to avoid online scams. As a result, Internet criminals victimize millions of people every day, confident in the knowledge their victims do not know how to defend themselves. To quote H.G. Wells, “Civilization is in a race between education and catastrophe.”
My group, The Internet Safety group Ltd, a 501(c)(3) non-profit, is dedicated to the cause of creating an Internet safety-aware culture. We do this mainly by trying to convince people to give up what amounts to a feature-length film’s worth of time, and attend a class, seminar or workshop that will help them learn how to stay safe on the Internet. This is a tough notion to sell to a busy, hustle-bustle society where everyone is caught up in simply trying to catch up, and continue existing.
Still, the Internet bad guys are not impressed by our struggles and hardships. They don’t care how hard post-pandemic business folks are trying to stay afloat, or house-bound social distancers are trying to recover from cabin fever. Internet bad guys, crooks, criminals and other miscreants are ruthlessly pushing even harder to exploit what has become the key to their success: security awareness training is an utter, dismal failure. The bad guys know this, and many crooks are becoming very rich because of our failure to lock the henhouse door.
Think about it; if cyber security awareness training was a success, poor password training and lousy account policies would not have enabled the great Colonial Pipeline ransomware hack; it would not have happened. If current security awareness training was such a back-slapping success, The City of Tulsa would not have been crippled by a ransomware attack brought on by an ignorant employee clicking on the wrong thing. Both were completely preventable tragedies that should not have happened.
Most of the scary “hacks” you hear about on the news were not caused by evil super-genius criminal masterminds. There was no high-level “hacking” taking place like you see in Hollywood movies and CSI-style crime shows; none at all. Most of the “hacks” succeeded by simple, garden-variety con artist trickery, enabled by an uneducated workforce, negligent CEO’s and Boards of Directors, and an inerudite general population; the opposite of an Internet safety-aware culture. A little crummy password usage here, a little phony email link clicking there, and suddenly, some of the world’s major corporations are forking over millions of dollars to finance even more criminal careers.
I am hopeful, however, that some well-meaning legislators have proposed something called “The American Cybersecurity Literacy Act.” We’ll see how that works out, and study it more next week.
Dave Moore, CISSP, has been fixing computers in Oklahoma since 1984. Founder of the non-profit Internet Safety Group Ltd, he also teaches Internet safety community training workshops. He can be reached at 405-919-9901 or internetsafetygroup.org