WJ Editorial: Cyber Safety Awareness Is Part of Safety Culture

In a recent maritime cybersecurity presentation, Joshua Shreve, a cybersecurity specialist with the Coast Guard’s Sector Ohio Valley, said that 66 percent of organizations report being hit by ransomware in the past year and that almost 75 percent of companies surveyed believe a ransomware attack would be a “death blow.”

“Passwords are like underwear,” Shreve memorably said. “Don’t let people see it, change it very often, and you shouldn’t share it with strangers. I’ll add to that. Don’t leave it out on the counter.”

Cyber experts are saying that 2024 is shaping up to be a very bad year for cybersecurity. In July, AT&T reported two of the most massive breaches in its history, with “nearly all” of its customers—about 110 million people—affected over a six-month period. In March, a broker of stolen data dumped a cache of 73 million customer records on a known cybercrime forum, some three years after a much smaller sample was teased online.

These sophisticated cybercriminals offer such massive data caches at auction on the dark web, where they are bought by other cybercriminals who use the data in various ways that may take years to surface.

Rumors suggested AT&T may have paid a ransom in one of these cases. In ransomware cases, where sophisticated cybercriminals lock down company data or freeze operations and then demand a ransom to unlock them, they often know how to calculate their victims’ pain points—exactly how much to demand to make the problem go away. It’s believed that many companies quietly pay without acknowledging the payments publicly.

While the world of ransomware, cyberattacks and the dark web is sinister and often opaque, what companies can do to increase cyber safety is clear. Does your company have at least one person who always knows exactly who has access to what level of data? Does your company require authorization on every device every time it is used, whether through a smartcard or biometric scanning such as a fingerprint or facial recognition? These are the kinds of measures Shreve recommends.

Those measures, while necessary, are not sufficient. According to Terranova Security, more than 75 percent of phishing attacks still come via email—and increasingly, through texts. A Stanford University study in 2020 warned that 88 percent of data breaches are caused by human error and noted, “Human error is still very much the driving force behind an overwhelming majority of cybersecurity problems.”

This is discouraging but also encouraging news. It means that individual safety habits and awareness matter. Individuals are the first and most important line of defense.

For years, cyber experts have reiterated that employees should develop the same habits of awareness. Phishing emails (and texts) can spoof genuine email addresses, including those of your boss, coworkers or family members. They may even claim to be from security firms or financial institutions themselves. If an email feels off, don’t open it—especially if it tries to use urgency to get you to offer data, transfer money or perform some action.