I’ve never once worried about my online security. Sure, I could have a clever password strategy, set up a VPN, encrypt my hard drive or tweak my browser settings, but as a result I’d create a joyless and pessimistic world-view. And who would want to hack a children’s book author anyways?
So what happens when someone who thinks she has nothing to hide gets hacked?
My work is about explaining the world of computer science to children in fun ways. For that, cyber security offers a colorful playground with concepts such as honeypots, trojan horses, firewalls and script kiddies. Throughout the six episodes of the documentary I spoke with experts to learn about what lies behind the jargon. I got to visit a security center in Poland, see in practice how machine learning can help detect threats and learn how the landscape of security is changing.
But to experience the other side of the equation, I gave permission to the F-Secure team to try to hack me. The rules were simple: use a vulnerability, break in and do something.
One of the things that became obvious pretty soon was that this attack was not going to happen with any clever algorithm or brute force, but through social engineering. The team would take advantage of the tiny everyday chores, habits and clues I’ve sprinkled everywhere online and use them to break in.
For the first few days I was suspicious of everything. From e-mail alerts notifying me of Squarespace domains getting old to doxxing attack warnings, from phone service confirmations to blinking mobile screens, everything screamed scam. But there were just too many things to pay attention to, and auto-pilot kicks in easily. What happened? Check out the full documentary here.
After the documentary I did resolve to make changes in the way I protect my privacy and security online. But even more importantly, I think I learned the same lesson as Alice in Wonderland, who, after Lewis Carroll plunged her into the adventure, thought, “after such a fall as this, I shall think nothing of tumbling down stairs!”
There is no way you can protect yourself entirely online, especially as an organization.
What happens after the attack is what matters. An organization where employees don’t deny, panic or hide attacks is much more likely to pull through. A strategy for cyber security is as much about implementing the right hardware and software as it is about the right practices, culture and communication.
One more word on the cyber security people, who in my experience are among the most creative, curious and persistent people I’ve met. I think it’s worth redefining the way we talk about security for their sake alone.
Not rigid, resistant.
Not pessimistic, persistent.
Not paranoid, paying attention.