“If there’s one thing I’ve learnt about people, it’s that people never learn.” Mikko Hyppönen, self-described ‘hacker hunter’, shared this depressing yet amusing truism during his presentation at the inaugural Wired Security event last week.
Hyppönen, who has been tracking down online criminals since the early 1990s and is chief research officer at the cybersecurity firm F-Secure, certainly knows his stuff. He looked at 350,000 samples of global malware attacks to try to better understand where they were coming from and how we can prevent them from happening. The vast majority of those – 95 percent – were from organised online crime syndicates. Only the tiniest proportion of hacks are committed by hacktivists or foreign spies.
But what do we do with this information? When faced with highly organised, financially motivated digital mafiosos, how do we best protect ourselves?
The no-nonsense, actionable advice I took from Hyppönen is to try not to be bloody stupid. Even the most skilled cyber defender will be no match for human stupidity, and apparently there’s a lot of it about. There was an audible gasp from the audience when Hyppönen showed a screen grab of someone’s Twitter feed that featured a clear picture of their bank card, yet none of us doubted it had happened. So many of us are now used to sharing every detail of our lives on social media, and encouraging us to hold off for a second and think about the implications of everything we’re sharing represents a significant behavioural step change.
There are definite upsides to cyberspace, but those same upsides can enable criminals. This problem is compounded by the fact that the risks are very unintuitive for most of us, particularly those who have grown up with an online presence. We’re good at dealing with perceptions of risk in real life. We have reflexes that enable us to run when we’re scared, and make judgements about when we’re being lied to or threatened. When it comes to cyberspace, we’re playing catch-up – we’re simply not readily equipped to deal with the worst excesses of cybercrime, and this lack of preparedness makes us vulnerable.
Software vulnerabilities can be fixed, but as long as people post pictures of their bank cards on Twitter and click links they shouldn’t be clicking, cybercrime is set to continue. “People do stupid stuff,” he said. “You cannot patch people.”