Say we’ve set a long-term goal to accumulate a nest egg of a million—or more—dollars. Do we develop a strategy to reach our target with detailed budgets, high-yield savings accounts and diversified investments? Or do we spend freely, hoping to win the lottery and coast to a comfortable retirement? Of course not. Taking home that big check is 1 in 300 million odds. So, why would we take the same risky gamble with our approach to cybersecurity?
Like financial planning, properly safeguarding our systems against potential attacks takes time and effort. We can’t afford to skip over proven cyber hygiene practices to chase after the improbable, or in this case, perceived digital risks that either won’t affect us or are overblown trends. It begs the question, “When it comes to cybersecurity, what threats should we realistically worry about, and which should we ignore?”
Phishing: The flashy headlines about potential artificial intelligence (AI)-generated attacks would make us think otherwise, but basic phishing remains far above the most common cybercrime. Designed to look like they’re from trusted or reputable sources and mainly still manually crafted by attackers, these scams attempt to deceive us into divulging sensitive information or downloading malware, generally through links or attachments. These social engineering attacks prey on our emotions and natural tendencies, such as the desire to be helpful in times of crisis, to elicit action.
Unpatched vulnerabilities: Far too often, we’re concerned about implementing elaborate security measures and don’t even bother to patch and upgrade our software and operating systems (OS). That’s like installing cameras and alarms but leaving the front door open. Cybercriminals can exploit these weaknesses within our programs and products remotely, often through malicious macros (i.e., a computer virus) that run quietly in the background of legitimate applications. Among numerous other methods, attackers may also create entry points into our systems with malicious browser extensions that coerce action with pop-ups and scareware.
Zero days: This is an industry term for unpatched or unaddressed security vulnerabilities that hackers can leverage to breach systems. In the past, nation-state actors primarily used zero days for unique or elaborate attacks. That’s no longer the case as the world’s reliance on computing grows and technology companies roll out more complex, expansive software to meet consumer demand. Fortunately, we’ve also seen a rise in vulnerability research, where individuals search for and report flaws that could otherwise expose our OS and applications to misuse.
AI: This is a case of all hype, no bite—for now, at least. AI systems currently in the spotlight include machine learning (ML) that can adapt code to model victims’ actions and deter prevention or detection; large language models (LLMs) that can interact with cyber victims (e.g., attacker call centers) or more quickly design malicious code; or generative (e.g., deepfakes) that can be used to create copies of human likenesses and voices for phishing campaigns. There’s a lot of discussion about possible cybersecurity risks AI will pose, but it’s important to remember this technology is still in its infancy.
Novel cyber threats like AI-generated deepfakes grab attention, and understandably so. But just like we shouldn’t bank on the lottery, we shouldn’t spend all our time chasing the improbable in the quest to safeguard our systems. Instead, we should focus on cyber hygiene to counter the more likely threats. That includes knowing the technology we own and use; investing in business-grade hardware, software and services; using multi-factor authentication, particularly for cloud service and remote access; addressing known vulnerabilities with patching and risk management measures; and, as needed, calling on trusted cybersecurity experts to amplify our efforts. Bolstering our defenses with cyber hygiene takes planning and resources, but it’s the safest bet to protect ourselves against potential attacks.
Editor’s note: Christopher Wright is co-founder and partner at Sullivan Wright Technologies, an Arkansas-based firm providing tailored cybersecurity, IT and security compliance services. The opinions expressed are those of the author.