A week ago I pontificated at the world about the Pokémon Go! craze. It’s been an interesting study in human behavior, and not all of it good. First off, the concerns about the overreach on information have been alleviated by updates. As I predicted, this was a programming error, a lazy overstep that shouldn’t have shipped but did. I’m sure that most developers have had a moment when they realized “I shouldn’t have shipped that.” Including me, as recently as last week.
It seems that the locals I witnessed wandering into traffic were not an isolated occurrence. There have been reports of traffic injuries, people walking into buildings, and people falling off of cliffs. Here I thought that Apple Maps was the only GPS-based app that caused people to walk off of cliffs. We have reports of muggers using the app to either lure or locate victims, which shows both the creativity of the bad guys and the world-excluding hyper-focus that this game engenders. I will admit to having my own periods of world-excluding hyper-focus, but I am usually in my lab working on a project, reading a book, or playing Civilization 5 when I do it. I’m in a secure environment… Okay, a presumed secure environment, since you never know when ninjas will jump you in your own home.
However, one of the most worrisome trends I’ve seen is that organizations are connecting to the internet with the same “nothing will happen to me” attitude. Organizations should be concerned because malicious parties are also cashing in on the phenomenon, with a number of apps that appear to be Pokémon related but deliver backdoors and other nefarious payloads. People are not being careful, and they are falling for manipulation techniques that are relatively crude by the standards of modern phishing: a link to click, a program to run. We know that this is easy to achieve, as evidenced by the number of clickbait-y headlines ending in “you won’t believe what happened next!”
It is no secret that the biggest threat to your organization is the people in it. Human error accounts for a number of breaches, including weak or infrequently updated passwords, successful phishing attacks, and simple negligence. It was estimated that the average cost of a breach due to human error was $133 per record. Think of how many records your organization has; even if it lost only one tenth of them in a breach, how costly did one human error just become? Seriously, though, this mainly serves to illustrate that people are their own biggest threat.
I don’t have a good solution for human behavior. I wish that I did. I do find it amusing that it’s games like this that are driving a lot of the research into human behavior and decision-making these days. There’s a huge body of research being done today on how to make people click on things, reliably, with minimum effort. So, the moral of the story: users will do silly things that happen to play into attackers’ hands, or otherwise put themselves at risk. The best way of dealing with it is to assume it’s going to happen, and to use tools to train your team and to build a culture of security in your organization.
There are applications that can test your teams with simulated phishing attempts to see who takes the bait. There are also ways to detect where you are most vulnerable, so that you can educate your team on those weaknesses and on how to avoid becoming another lost credential and another data breach.