CYBER TRUST FOR SMALL BUSINESS

As we depend on technology, it will be used against us.

I am reviewing “trust” because it is relevant as to how we depend upon, and then how a hacker attacks, our trust of computers or technology in general. Users and providers of Internet services are living in a world where we trust each other in a variety of ways. We expect Internet service providers to guard our data, and we expect email and other services (from Google searches to bill paying) to respond and perform their tasks when we need them. But our digital lives actually exist in a false sense of security. Humans in general have some psychological fault lines in this digital age.

Human relationship trust takes years to build, seconds to break, and forever to repair. With any reputation, trust starts with truth and ends with truth. When a lie is exposed it becomes apparent. How does trust translate to technology? Should we trust our emails all the time (spam, spear phishing¹, and more), so that only we will access email on our work computers with a password? If a wily attacker has your computer password, then they have your email access, unless you take proper precautions.

The spammer uses your trust in email to get you to click on their emails. Out of a thousand emails sent, a number of people click on the email message and then get hacked. Spear phishing is a method that targets a specific person, in which a hacker has checked your LinkedIn account or searched you in Google before creating an email that will most likely get you to click on it (this method is the #1 reason for getting hacked).

Trusting is hard. Knowing who to trust even harder. The less you trust, the less you get hurt. We will review some of the negatives of the online world before introducing how to take charge of your security. Unfortunately, as we innovate, opportunities for exploitation increase. We love technology and we want to trust it. But it’s a double-edged sword.
¹ Spear phishing and many other terms are included in the Glossary for quick reference.

How easy is it to hack another computer? It is easy in certain situations. Why is social engineering (the art of using information to trick another to allow access) so effective? How do we keep trust in digital lives? We have to explore ways to make trust workable with a small chance of getting hacked. Who do I trust when dealing in security?

Oxford Languages defines “trust” as follows:

trust (noun)
1. firm belief in the reliability, truth, ability, or strength of someone or something. “Relations have to be built on trust.”
2. (Law) an arrangement whereby a person (a trustee) holds property as its nominal owner for the good of one or more beneficiaries.

trust (verb)
1. believe in the reliability, truth, ability, or strength of. “I should never have trusted her.”
2. allow credit to (a customer) (archaic)

First impressions count! At a first face-to-face meeting, first impressions are the most important factor in influencing the nature of a possible relationship. The Wall Street Journal story “The Mistakes You Make In a Meeting’s First Milliseconds,”² for example, quotes a communications coach who says that you should not always trust your first impressions:

“Facial expressions are important, even when you think no one is looking. People tend to distrust others whose ‘dominant face,’ or habitual expression, is grumpy, disapproving or angry, says Judson Vaughn, an impression-management consultant. And suddenly switching that downbeat expression to a 1,000-watt smile, just because someone is looking, is likely to undermine trust even more, he says.”

The reason I am spending so much time to discuss trust is this: what we take for granted will one day be used against us. We need to review all aspects of trust to help us in changing our mindset while using our favorite technologies. What looks like a
What looks like a 2 (2018, January 31) Trust Issues in Security [Web log post] Retrieved from https://oversitesentry.com/trust-issues-in-security/. Too Late! You're Hacked Too Late! You're Hacked 4 5 good email is actually a fake email. A call, voicemail, or text can be faked. The first impression in a technological first impression is not always accurate. With data and computer networks in a corporate setting, we are dealing with a different trust relationship than personal relationship trust. • Data Trust — Local network trust, cloud network trust, hybrid cloud (a local and cloud solution). The data is trusted to be unchanged or changeable depending on access levels. Where data is located and how it is managed makes a difference. • Employees — Some employees should not have access to finance or computer administrative functions. It is a security failure to give too much access to employees, even though it may make function easier in the short run. • Machines/IoT (Internet of Things) — Unfortunately even machines need some access, depending on the automated process, and this area will get trickier as more AI (Artificial Intelligence) becomes prevalent. Internet of Things are devices that are connected to the network and Internet, such as power backup and printers. The future will consist of many such devices: refrigerators, light bulbs, power outlets, toothbrushes, washing machines, dishwashers – actually, any electrical device will be connected to the Internet in the future. McKinsey Global institute claims there will be at least 3.9 trillion IoT devices by 2025.3 • Vendors — Sometimes need special areas of access, but not too much. • Offboarding/Onboarding — When new employees are brought on and old employees are removed from systems, we need to have company processes that ensure access is given and removed. 
(i.e., when you hire and fire employees, you should have a process in place)
• Friction — Everything we do is not always 100% accurate, so we must prepare for the times of inaccuracy. Bad weather happens, storms come and go – so do errors.

³ (2016, January 11) Future Forecast: Internet of Things [Web log post]. Retrieved from https://www.allion.com/future-forecast-internet-of-things/.

It is the job of the security professional to lead a company into defining data security and preservation needs. This includes compliance. HIPAA (Health Insurance Portability and Accountability Act) requires privacy of patient records to be paramount, and the PCI (Payment Card Industry) standard does not allow credit card numbers to be stored without encryption (or preferably not stored at all).

There are other aspects of trust – government trust, currency trust, physical security trust, and personal trust (spouse, family, and friend). Cybersecurity affects all kinds of trust in our modern age, where cryptocurrency may upend some government and currency trusts (though it has not done so yet). Cryptocurrencies (Bitcoin is an example – Bitcoin is an online currency based on blockchain technologies, wholly existing on the computer and derived from cryptographic programs) are interesting as to how they create trust, as the trust is not in a central bank (or the government), but in individual decentralization of trust and the mathematical algorithm itself.

One thing is obvious in 2021 and beyond: we will be increasingly reliant on technology, and therefore cybersecurity affects our lives more than ever. Whether you like it or not, cybersecurity has some unique problems which will be uncovered here in this book. As you will see, if you do not fix your cybersecurity now, hackers can have a say in your life. When we create our business or life plans, we do not think about hackers, but that is a mistake. As Dwight D.
Eisenhower said: “In preparing for battle, I have always found plans useless but planning indispensable.” What does General Eisenhower mean? You must have a plan to complete your goals, but when you come into contact with an enemy, who has their own goals and objectives, you had better be flexible and able to take into account the enemy’s actions (including unknown actions).

What does this mean for us in our digital lives? Every time you try to use a device (your plan), an enemy is also planning to do something, because one of their goals is to make money off of you. This book is designed to help you anticipate your enemy (hackers) and defend your digital devices, so they can perform their functions as designed.