We seem to be in the grip of a data breach epidemic. Whether it's big businesses falling victim to cyber-espionage campaigns, workers foolishly handing over their credentials in reply to phishing emails from fraudsters, or just consumers getting their PCs infected with malware, there are security threats everywhere.
But the reality is that it doesn't have to be this way: with a few simple precautions, businesses and consumers can do a lot to secure their accounts and data.
Strong passwords, two-factor authentication, antivirus, and backups are just some of the simple measures users can employ to protect themselves from cyberattacks -- yet breaches and malware infections show that some of the most basic advice is often not followed.
"We pretend this is the most complicated thing in the world, and yet strong passwords, backing up your data, updating your security software -- security isn't that difficult," said Raj Samani, chief scientist at McAfee.
The UK's National Health Service was one of the most high-profile victims of May's global WannaCry ransomware outbreak, with a number of hospitals taken offline -- some of which didn't have systems restored for weeks.
An investigation following the incident found that NHS trusts had been warned to apply critical patches to prevent systems being exposed to the Windows vulnerability exploited by EternalBlue, which WannaCry used, but that many failed to do so. Of course, nobody knew that WannaCry would hit just a month after the warnings, but failing to patch systems left many organisations open to attack.
"If I'd come to you in April and said there's going to be a massive worm, it's going to be infecting with ransomware, how do you protect yourself against it? Everyone knows how to protect against that," said Samani, referring to how patches would have been prioritised.
"I understand there are business pressures which are that patching and updating systems isn't necessarily simple to do, but yet we all know how to have prevented these attacks, so let's not over-complicate the issue," said Samani.
Making security your problem
What can potentially help is to personalise the issue: it's all very well telling users that they should follow a particular company policy in order to ensure security, but in many cases, if the user doesn't understand why they have to follow a particular rule, they probably won't do it.
Explaining what threats could be waiting online and how to protect against them can go a long way towards boosting enterprise security.
"Someone going into a work event and learning about why it's important to have a strong password on their email or why not to transfer money when booking a holiday, all these best practices they learn for themselves become second nature in the business," said Sarah Martinez, communications director for Get Safe Online, an organisation which provides information and advice on online safety.
And while some might expect digital-native, technically savvy younger people to bring better security awareness with them as they become a bigger part of the workforce, research by Get Safe Online suggests it's people aged 18-24 who are most likely to fall victim to phishing attacks.
The organisation recently ran a 'training academy' in which it taught grandparents the skills they needed to carry out phishing tests on their grandchildren -- and by just using simple techniques, many of the targets fell for it.
While it wasn't a real cybercriminal on the other end of the email exchange, it demonstrates how easy it can be to fall for a cyberattack, especially if basic security principles aren't adhered to.
"It was cheeky, but the idea was to demonstrate we can't be complacent and think we're not at risk. This was easy: it was first-page Google search tech which we showed 65-year-olds," said Martinez.
This 'Scammer Nanas' experiment demonstrated two things: firstly, how easy it is to fall victim to online attacks, and secondly, how people with only the most basic training -- even if it is cribbed from an online search -- are capable of ensnaring victims.
And while the premise of using grandparents as attackers might seem far-fetched, thanks to the rise of cybercrime-as-a-service, almost anyone who wants to dip their toes into hacking and online crime has the option to do so, even if they lack the skills.
"The challenge we have now is that my 12-year-old daughter could launch a ransomware campaign," said Samani. "The technical barriers required to become a criminal working in the digital world have actually lowered."
"That's the challenge; we want to make it difficult from an ROI perspective, but the economy has made it so much simpler to do this," he added.
The theory is that ensuring even the most basic cybersecurity procedures are adhered to would not only help to protect individuals and organisations against attacks, but that even simple barriers could prove enough to stop some cybercriminals from conducting malicious activities, because the time and effort required to carry out the attacks is no longer worth it.