BreachExchange mailing list archives

5 excuses for doing nothing about computer security!


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 21 Aug 2014 17:18:26 -0600

http://nakedsecurity.sophos.com/2014/08/20/5-excuses-for-doing-nothing-about-computer-security/

Let's be honest: computers and websites are often easier and quicker to use
if you do nothing about security.

You could save several minutes each day!

That's why it can be handy to have some really good excuses for doing
nothing.

Sadly, as we're sure you have found, once a friend or family member has
latched onto a security avoidance excuse, it can be hard to talk them round.

So, here are five excuses that we hear a lot, both from individuals and
from small businesses, together with some points you can use to argue back
that security really does matter.

EXCUSE 1. No-one's interested in little old me!

The reasoning is that cybercrooks just aren't interested in the local
automotive repair shop or cake-making business, because...

...well, why would they go after an individual earning $30,000 per year, or
a local business turning over $500,000, when they could take on a retailer
like Target with annual sales of $70,000,000,000?

But stop to think for a moment: Target doesn't turn over $70 billion a year
by closing 70 deals of $1 billion each.

Target's business is much more like one billion transactions of $70 each.

And many cybercrooks run just that sort of low-value/high-volume business,
for example:

The CryptoLocker gang, who were estimated to have extorted $300 each out of
well over 100,000 computer users in the UK alone.

The criminals busted in 2011 in the FBI's Operation Trident Tribunal, who
netted $72,000,000 in nearly one million transactions averaging $75 each
for fake anti-virus software.

The spamming industry, which would love to get its hands on your computer
at home and use it to pump out more than 5 million spams per week.

→ We're all in the sights of cybercrooks somewhere, and we owe it to
ourselves and to everyone else to do the best we can to thwart them.

EXCUSE 2. My printer won't work with the latest updates.

OK, it's not always a printer that gets the blame; in fact, it's not always
hardware.

Sometimes it's legacy software that provides the excuse for sticking in the
mud of yesterday's insecurities.

In particular, this is a very common reason we hear for not replacing
Windows XP with a more recent operating system that is officially
receiving security updates.

We accept that you may have some old hardware devices (lathes or milling
machines, for example) that would be vastly expensive to replace, and can
only reliably be controlled from XP.

But for everyday computers, you need to ask yourself if keeping yesterday's
printer alive to save the modest purchase cost of a new one is worth the
risk of running outdated software.

If you have a security hole that criminals have already had months or years
to hone their skills against, they're going to attack you first, because
they already know how to break in.

→ Every time you fall further behind on security updates, you make yourself
into lower-hanging fruit for cybercrooks.

EXCUSE 3. I've got a Mac.

Good choice! (I've got a Mac, too.)

But whatever sort of computer you have, and whatever operating system it's
running, if it is ever lost or stolen then your data will be in someone
else's hands.

Even if a thief steals your laptop just for the value of the hardware in an
immediate cash sale, and even if most stolen laptops are wiped and sold on
quickly, not all of them end up that way.

You have to remember that your data has underground value, too, even if
only in the form of a bulk "data dump".

That's where the intermediary who buys a stolen laptop knows enough (or
knows someone who knows enough) to suck the sector contents off into a
giant, unstructured blob of data.

He then sells on that data at a bargain-basement per-gigabyte price to
someone else, who knows enough to comb through it to extract nuggets of
personal information to sell on to the next crook, and so on.

In short, computer brand choice alone simply isn't enough to keep your data
safe.

→ Don't leave home without full disk encryption, so that the only data dump
a crook will get is shredded cabbage.

EXCUSE 4. Security slows your computer to a crawl.

Full disk encryption, for example, sounds as though it ought to make your
computer slow, because it has to unscramble everything it reads in, and
rescramble everything it writes out.

But with modern disk encryption software such as BitLocker on Windows and
FileVault on OS X, running on modern hardware, you'll be hard pressed to
measure a statistically significant difference in performance, thanks to
CPU improvements.

Anti-virus often gets a bad name, too, but we very often find that it only
genuinely gets in the way when people needlessly "flip all the switches,"
turning on redundant combinations of scanning options that do more work
than is necessary.

Similarly, strong passwords and two-factor authentication are often blamed
for making software and web sites time-consuming to use, even though they
typically add just a few seconds to important transactions.

→ Don't throw out security altogether to save a little bit of time today,
because it could end up costing you many times over tomorrow.

EXCUSE 5. I only browse to safe sites.

Do you? Really?

The thing is, how do you know?

How can you tell in advance that a site is safe?

Remember that even legitimate and high-profile sites may put you at risk,
for example because they include poisoned adverts from a third party
provider that was hacked.

That's where web filtering technology can help, because a good web filter
not only examines the URLs of the web pages you plan to visit before you
even go there, but also checks out the content of web pages you've fetched
before they are processed by your browser.

→ Don't assume that all online cybercrime is obvious, even if you're
visiting sites that were just fine yesterday.

THE BOTTOM LINE

The bottom line here is that there are lots of excuses you can find if you
want to give yourself an official-sounding reason for being slack with
security.

But please don't do that.

There may, indeed, be some security precautions that are genuinely
impractical for you.

Just make sure, when you take on added risk by skipping security steps,
that you find some other way to mitigate that risk.

For example, if you stick with XP for the sake of your million-dollar
milling machine, use a firewall to segregate the milling machine into a
safe corner of the network.
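As an added illustration (not part of the original article), this is one way a small firewall ruleset could put such an XP controller into its own segment. The addresses, the segment layout and the control port are assumptions; only the engineer's workstation may open a session to the controller, and the controller itself gets no route to the office LAN or the internet.

```nft
#!/usr/sbin/nft -f
# Added example, not from the article. Assumed layout:
#   legacy segment : 10.10.50.0/24  (XP machine controller = 10.10.50.10)
#   office segment : 10.10.1.0/24   (engineer's workstation = 10.10.1.25)
#   control port   : TCP 5000       (whatever the machine-control software uses)

flush ruleset

table inet legacy_segregation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to sessions that were already allowed may flow both ways.
        ct state established,related accept

        # Only the engineer's workstation may open a session to the controller,
        # and only on the control port.
        ip saddr 10.10.1.25 ip daddr 10.10.50.10 tcp dport 5000 ct state new accept

        # Anything the legacy segment tries to start on its own is dropped and
        # logged, so an infected XP box cannot reach the office LAN or the
        # internet, and any attempt to do so shows up in the firewall log.
        ip saddr 10.10.50.0/24 log prefix "legacy-xp-blocked " drop

        # Everything else (including any other host poking at the legacy
        # segment) falls through to the chain's default policy: drop.
    }
}
```

Watching the "legacy-xp-blocked" log prefix is a cheap way to notice when the isolated machine starts trying to talk to places it never needed before.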

Doing nothing is the easiest option, but it's also the worst, for you and
everyone around you.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss