In the next installment of Sounds Good's Cyber Bytes series, Tracy Ross and Michael Ramage, director of Murray State's Cyber Education and Research Center, discuss October being Cyber Security Awareness Month. Ramage says the themed month is "sponsored by the federal government to raise awareness about cybersecurity-related things." Ramage says the month has three distinct themes for each week and usually features online and television commercials talking about how to protect oneself against cyber attacks.
"The first week was about building cyber security culture, meaning it is everybody's job in a company," Ramage continues. "We like to think, 'Well, we have those five people over there that are doing cyber security or IT, it's their job, not mine.' But if you get an email that looks suspicious, and you don't report it, then maybe the next person's not reporting it. Now everybody in the company has gotten it. Because you didn't report it, somebody did get it and click on it, and now we're infected with a virus. Part of raising the idea is let's make security the norm in our organizations. Right now, for most, it's not."
Ramage explains that most people become acquainted with cyber security in one of two ways: dealing with something as simple as needing or being unable to remember a strong password or if they or someone they know has been attacked. "Most people don't pay attention to cyber security as a culture until it's too late," he says.
The second week of October is dedicated to ransomware. Ramage says this looks like "continuing to tell folks, 'Do not click the link, take steps just in case you get hit, because the odds of your company getting hit are pretty high.' The goal is that if your company gets hit, you've done all this preparation that it's limited in scope and impact, and then your recovery is also quick. That's the goal."
"We can't stop it, just like a virus — you can't stop a virus from infecting," Ramage continues. "Somebody clicks the link, it's an accident, we didn't mean to, it gets in, how much is the damage going to be? That's it. That's the issue with ransomware, and I guess the other piece of that is people continue to pay. As long as people continue to pay, the ransomware incidents are going to increase. It's going to happen over and over and more and more until we stop paying."
Ramage admits that while money is ultimately the end game for ransomware attackers, it's easier said than done to not pay the ransom once you've been hit. "The unknown impact to your business of that scares a lot of people into paying, for sure," Ramage says. "There's the remediation once you detect it. How do you get rid of it and recover from that as quickly and painlessly as possible? History tells us that that's paying the ransom, even though we shouldn't."
The final theme of Cyber Security Awareness Month is social media and artificial intelligence. "We can't trust things," Ramage warns. "We should know by now that we can't trust social media, yet people continue to trust social media. We have to look at things on social media with a little bit of skepticism. It's not just the extreme things. AI allows us to make things that sound realistic."
"We asked AI in class one day to write a paper with sources on a particular topic, and it cited sources," Ramage continues. "And none of the sources were real. It looked real. But if you actually went and tried to search for that source, it didn't exist. I would've believed it because it looks like any other academic paper that you see, it's just the sources weren't real. Apply that to social media, where we believe too much as it is. If it looks real, if it aligns with our thinking, we're probably going to believe it, and it's an easier way for hackers to target victims and to be able to successfully manipulate people into paying for whatever that scam is."
Ramage concludes, "Every person can make a difference. If you report something, if it looks suspicious, even if it turns out not to be suspicious, if you're alerted, and you think there's been some questionable thing, whoever your IT person is, your security person, report it. The more that we report, the safer we're all going to be. That's a habit that every person who listens to this should be in the habit of. Assume a secure mindset, and be skeptical about everything that you see, and report it if you can report it."
For more information on MSU's Cyber Education and Research Center, visit its website. Read the first installment of Cyber Bytes here.
