by Eugene Ng
The past two years have highlighted the importance of cybersecurity more than ever, but cyber fatigue continues to be a challenge to maintaining cybersecurity. With a new article on cybersecurity in the November 2021 issue of FORUM, the Editorial Committee thought it was an ideal moment to look back on an article on the worst security habits, and to take a moment to review good cybersecurity practices.
I know you may be tired. Experts have predicted a lengthy battle ahead of us. During the first few weeks of the pandemic, many of us practiced stay-at-home orders, social distancing, went out for groceries only when required, and stayed relatively close to home. As the days moved to weeks and weeks to months, fatigue may have started to settle in.
In a disaster, the phases and emotional highs are well documented. The initial altruistic phase is followed closely by the honeymoon phase, when we think that normalcy is just around the corner. However, as this optimism turns to discouragement, the constant battling wears thin as difficulties and stress build up—this is known as the disillusionment phase. This Fall, many of us are suffering from fatigue and disillusionment, six months after everything came to a screeching halt.
In the world of cybersecurity, the feeling of fatigue and disillusionment has been sustained over decades, and there lies the challenge of cybersecurity.
The disillusionment phase in cybersecurity is known as ‘cyber fatigue.’ Almost daily you are subjected to headlines of the latest cyberattacks, that fraud and phishing attacks are running rampant or that a business suffered from yet another ransomware attack. You are also constantly reminded to change your passwords, never click on suspicious emails, never trust a password reset function, and stories about millions of dollars lost in business email compromise scams.
Usernames and passwords are older than the Internet. Since the dawn of computing, this single factor or authentication have lulled individuals into a false sense of security. Cybersecurity and compliance frameworks now no longer allow single-factor authentication for sensitive systems and force individuals to use multi-factor authentication.
When an IT or security professional tells you not to use the same password on multiple sites many of you who suffer from cyber fatigue think, “Really? You want me to use ANOTHER password?” You ignore the advice, and so it begins. Your Netflix account, Facebook, Google, Instagram, banking, Canadian Revenue Agency (CRA), your internet-connected lights and even smart thermostat requires an online account. But they’re secure so what could possibly go wrong if you use the same password? Most recently the CRA went public about a breach of 11,000 accounts. Everyday there are stories of compromised systems, identity theft and more. These stories may well be the result of what happens when individuals suffer from cyber fatigue for almost a quarter of a century and reuse the same old passwords.
Breaches happen all the time, and in our experience, even more often than you realize. Many of the high-profile historical breaches have previously involved the theft and subsequent publishing of stolen credentials on the dark web or even the Internet. These huge caches of stolen credentials are then used by cyber criminals to attempt to log on to other portals—from CRA accounts, reward sites or online shopping to essentially any site you are required to enter credentials on. This is known as credential stuffing, and is fairly difficult to detect. This low-and-slow technique is then used across thousands of websites and once a successful authentication is gained, the criminals attempt to exploit anything from business emails, money transfers, buying or selling online, and even changing your mailing and other contact details for your SIM card—known as SIM swapping.
As we wrestle with how to deal with the health pandemic in 2020, it’s worth spending a few minutes at home and performing some cyber hygiene. Some very easy but critical steps you can take include:
- Not reusing common words and easy-to-guess passwords such as ‘Fall2020!’ but using long-pass phrases instead
- Turning on multi-factor authentication on sites or apps that support it
- Using a password manager to randomize and strengthen your passwords
The final phase in a disaster is the reconstruction phase, characterized by an overall feeling of recovery. The key to this phase is that individuals begin to assume responsibility for rebuilding. Let’s start with the easy step of password changes and perhaps then, in the case of cybersecurity, we can truly move forward.
Eugene Ng is MNP’s Cyber Security Leader for Eastern Canada. A member of the firm’s Enterprise Risk Services team, Eugene identifies security technology, products and services that give clients a competitive advantage.
Eugene oversees research and development activities and formulates long term vision and strategies at the executive management level to help the firm better serve clients. He provides a full range of cyber security services and solutions to medium-sized and large enterprises, delivering strong advice to help clients make business decisions relating to technology. https://www.mnp.ca/en/personnel/eugene-ng