The importance of cybersecurity: Who are we protecting?

A few weeks ago, a friend was caught in a hospitality cyber-fraud. The threat actors infiltrated the hotel's booking.com accounts. Using this valid account, they sent fraudulent emails asking for a credit card confirmation to secure the reservation. Imagine. Two days before taking off, your credit card gets compromised.

This sucks on many levels: cancelling the credit card, getting another one while on vacation in a foreign country, re-doing all the reservations previously done with the card...

That's an anxiety rush that defeats the relaxing purpose of travelling.

I wrote about similar situations:

This event illustrates what I call "death by a thousand cuts" (no relation to the Taylor Swift song) we go through in modern life. Little irritants that in themselves are no big deal, but that end up piling up until you can't take it anymore. Cybersecurity incidents are part of these paper cuts. [...] Annoyances build up on top of the "real" stuff: a relative's deteriorating health, quitting on your habits, conflicts with your friends, your dog's weird noises...

Cybersecurity professionals don't talk enough about the psychological impacts of cyber attacks. When reading about recent breaches, I see a lot of discussions around their costs and not enough stories about how impacted individuals feel about them.

We need to remind ourselves why we do this. Alright, let's get corny: we protect the innocent and uphold their fundamental rights.

Everyone's afraid of the internet and they're not doing a damn thing about it

Cybersecurity vendor Malwarebytes released its yearly Everyone's Afraid of the Internet report, which consists of a survey of 1,000 individuals about their online habits. Look at some of the findings:

• Nearly 80% of respondents are "very concerned" about the risks of being online.
• More than 80% of Gen Z are afraid to see details about their sexual preferences or mental health exposed.
• 70% have experienced security threats before

Yet...

• 65% admit using the same password across accounts;
• Nearly 60% shared their birthdate on social media
• Only 35% use security solutions.

Malwarebytes rightfully points this out as "cognitive dissonance": everybody is aware of the dangers, but not enough to act upon it.

Why is it this way?

People see the news. Security breaches happen every week. We, experts, excel at triggering fear. This survey is proof that fear-mongering is good at raising awareness but bad at actually changing people's behaviours.

Why?

Technology is abstract

I will die on this hill. I remember my creative writing classes where the writers kept hammering that there was nothing more abstract than maths, whereas philosophy dealt with the most concrete human experiences.

The point I'm making is that authentication, encryption handshakes, malware, or whatever complex acronym we come out with is too far removed from our everyday experiences. Perhaps irremediably.

We're asking for too much knowledge. Look at the comparisons people use: locks, seatbelts, brushing your teeth, handwashing... If you think this is the same order of complexity as a password manager, I'll introduce you to my 3-year-old. Consumer-grade security software is still too complex.

I do believe in education. The fundamental reason I've created this website is to inspire an approach of optimistic security leadership in our workplaces and communities. But we need simpler ways for people to protect themselves online.

And a big part of the solution is...

Cybersecurity as a public service

The EU's GDPR views privacy as a human right. People should be able to go their own way online without companies tracking their every action to profile them without their consent. They're right!

The Europeans chose to enact it by handling infractions and fees to Big Tech. This is a reactive approach. Not as right.

I prefer what the FBI and CISA are currently building in the US. The executive order on improving the nation's cybersecurity, the CISA's warnings, the FBI's raids, and the House bill that relaxes degree requirements for federal cybersecurity jobs show a proactive approach.

We need both approaches, but more of the latter now.

For example, I believe governments are not doing nearly enough on the digital identity front. My driver's license shouldn't be, in 2023, my best identification measure. What if I traded it for a biometrics-enabled smart card that contains by private key, with governments keeping only my public keys? I understand the challenges in making this work on a global scale, with immigration and agencies, etc. But this is the type of long-term, billion-dollar infrastructure project we need.

This is all fine and dandy, but...

What can you do about it?

Anchor your security decisions on the individual. This might seem like a no-brainer. I am in the B2B software sector, this is not always evident.

When I worked in the financial sector, the best decision that happened to me was when the CEO decided that "peace of mind" was the organization's core value. Can't have peace without security. This was such a blessing.

In the end, think of who's getting that paper cut. How much cognitive load are you throwing on them? Could you make their lives simpler? Are you writing little characters at the bottom of your Terms of Service that you know they won't read?

People feeling anxious online isn't a fatality. With better institutional support, better corporate due care, and a better way to speak about security, we can do this.

Healing one cut at a time.