Resolving the user problem in cyber crime breaches

Brian Byagaba, Senior Manager – Information Security, CBI


More often than not, even the bare minimum security blocks are not put up.

When Mark Zuckerberg’s Twitter account was hacked in 2016, most people assumed that the attackers had used some form of complex malware to target the CEO of one of the biggest tech companies in the world. But soon the hackers tweeted (from Zuckerberg’s Twitter handle) that they had found his password on a leaked LinkedIn database, and the tech industry discovered the password was a simple six-letter sequence that defied every safety recommendation in the industry (“dadada”).

The infiltrators were also able to access his Pinterest account, because it carried the same password. It may be surprising to learn that one of the most powerful men in tech chose not to follow one of the most basic cyber security rules — to use a different, complex password for each online account.

But as an information security specialist at CBI, I’m not all that surprised — the weakest link in the security chain is people themselves.

Don’t get me wrong. Malware still poses a significant threat to corporations, whether in the form of viruses, trojans or more recently as ransomware. According to the Centre for Strategic and International Studies, cybercrime costs the global economy over $600 billion (Dh2.2 trillion) every year (nearly 1 per cent of GDP). The UAE — one of the most targeted countries in the world for cyber-attacks — incurs an estimated $1.4 billion in costs per year.

But cyber security breaches aren’t all that sophisticated, actually. In their annual data breach investigations report, Verizon disclosed that over 40 per cent of data breaches in 2016 used social engineering techniques. Social engineering essentially refers to ways that a criminal tricks a person into revealing sensitive information with the intention of using it fraudulently.


UAE not immune


Research shows that in 2016, 15.4 million consumers were victims of identity theft or fraud. Card-not-present fraud (by phone or email) increased by 40 per cent from 2015 to 2016. The UAE is certainly not immune. The BBC recently reported a hard-to-believe account of a fraudster who purportedly scammed $242 million from a UAE bank — by professing that he had magic powers.

When the stakes are so high, why do people continue to fall for scams? We laugh at the mention of a call or email from a Nigerian prince offering a long-lost inheritance or exclusive prize — but they are much more effective than we’d like to believe.

In this region, cyber criminals often target the general public via phone or email, asking them to share their online banking credentials or credit card details under the guise of a lucky win or the re-validation of their bank account. They tailor their scams to the UAE, where it’s not unusual to be picked out for a shopping festival raffle or a cash prize, gold or even a car through your bank.

They get away with these unrealistic imitations by exploiting local cultural norms. They also target our tendency to be lazy when it comes to changing our passwords. Most people don’t consider that a hacker could, for example, use their leaked LinkedIn, Dropbox or Yahoo password to try to access their online banking account.

And yet we continue to keep the same basic password across accounts rather than use a different strong password for each online account.

Too often, more technology is used in an attempt to solve cybercrime problems. But technology on its own cannot change human behaviour, and neither can better-documented procedures or standards.

On top of a trusted technology platform, we need to train people to understand, follow and implement reliable procedures. The term “last-mile problem” is often used in information security to describe incomplete education, awareness and training for the people tasked with operating security systems and processes. This means that the transfer of important security information into the hands of staff, vendors, partners, and customers is often flawed.


Reward instead of penalties


We need to widen our approach to change the way that the people operating and impacted by the technology think and act.

One of several ways to help drive behavioural change is to slow down the security decision-making process by introducing more safety valves. We know from research that decisions made in a hurry are significantly influenced by emotions, rather than by logic or experience. We can encourage people to request more information, or a second channel of communication, from whoever is soliciting them, so that they have more time to assess whether the request is genuine or not.

Another method is to focus on rewarding people for being secure, rather than only punishing them for neglecting to follow security practices. Research continues to show that people respond better to reward than they do to penalties, and this has a longer-lasting impact on individuals’ attitudes and behaviour.

But on a personal level, there is one form of technology that has helped me to manage my own security better, and that is a password manager — a secure app that works like a vault to store all account passwords and help create strong new passwords. How else is anyone expected to continue producing and remembering new unique passwords for their email, bank logins, loyalty programmes, Wi-Fi networks and so many more accounts?

With a password manager, I only need to remember one strong password that gives me access to the app. I make sure that the app is secure by choosing one that has been thoroughly reviewed and is available from the official Android and Apple app stores. This is an example of a technology helping people to apply security in a practical and convenient way, which I encourage everyone to use.


Brian Byagaba

Senior Manager – Information Security