Intersections’ Consumer Security Adviser Neal O’Farrell uncovers the secret contained in the recent 2011 Microsoft Intelligence Report. What’s the secret? It’s the user’s fault!
There are two schools of thought on the topic of consumer security awareness. One school suggests that all the malware and scams in circulation are far too advanced for consumers to understand and therefore prevent, and consumers should instead entirely trust technology to protect them. The most vocal proponents of that side of the argument are, not surprisingly, the companies that sell security technologies.
The other side of the house believes that consumer education, awareness, and vigilance are key to preventing or avoiding many, if not most, attacks. That's the side of the argument I sit on, and so should you. Your vigilance, and your acceptance that you have significant responsibility for your own protection, are key to avoiding some of the most common attacks.
Think about it for a moment. Would phishing emails, the ones that pretend to be from your bank to try and trick you out of your password, even work if people just ignored them? Would infected email attachments work if users never opened them? And would passwords still be a weak link if people made them stronger?
There are so many examples of just how important user awareness, vigilance, and participation really are. And one of the key words is vigilance. Awareness is no longer enough, because I think it's safe to assume that most consumers are aware that there are risks and that there are some things they should and shouldn't do.
But vigilance is about being aware at exactly the moment that counts — thinking security before you create or use a password, before you respond to an email, before you open an attachment, or before you visit a web site.
And there's plenty of evidence out there of how a lack of awareness and vigilance is being exploited. A recent study by Microsoft found that nearly half of all malware Microsoft detected when it scanned more than 600 million computers used tricks on the user in order to succeed. With security firm Trend Micro reporting one new type of malware every half second, that's a lot of focus on user exploitation.
The study also found that around 90% of all exploits targeted vulnerabilities that had been known about and patched for more than a year. Which probably means that most users are just forgetting to update their software, one of the easiest ways to protect yourself. In fact, although users are warned repeatedly about the need to update their browsers, Microsoft reports that nearly half of Internet Explorer users still use vulnerable out-of-date browsers.
And if the security experts recognize this weakness, so do the bad guys. Cybercrooks across the world are experts at social engineering: creating tricks that consumers are likely to fall for. These crooks expect you to make the wrong choice, whether it's forgetting to update your browser or security software, falling for phony emails or Facebook requests, or letting your curiosity overcome your caution.
They won't waste a moment taking advantage of a mistake you can make in a split second. So their worst fear is that you take a moment to stop and think before you make a decision, and use that pause to make the right decision instead of the wrong one. If you pause, think, and choose the other, safer path, you win and they've just wasted all that time and money.
Network World said what many others might want to. In a recent article on Microsoft's report, they simply concluded "wise up stupid users!"