I must descend from nomads. Immediately after being fully vaccinated, the very first thing I did was try to figure out where I could go and honestly anywhere would suffice – I just wanted to go somewhere. I had been trapped in my house and hadn’t traveled more than ten miles away in over 14 months. I explored the possibility of taking a trip to an exciting locale like Buffalo or Pittsburgh – pretty much anywhere that I could go that would be something other than eastern Massachusetts.
Now, before you start telling me that I could have traveled during the quarantine like millions did, you should know that I’m a germaphobe and I always have been. I do not so much like cleanliness as I like sterility. I do things like wipe my tools down after I use them and shower when I get home off an airplane, and I have since before the pandemic. My wife told me that I’ve been prepping for a pandemic since I was in college, and she’s not wrong. I guess the point I’m trying to make is that during the pandemic I have been nervous going to the grocery store – there was no way I was getting on a plane. In fact, I started calling them “murder tubes” mid-pandemic. You’d have to drag me on by physical force.
Of course, once I got some of that sweet, sweet Pfizer in me my nomadic tendencies resurfaced, and I started itching to travel, so I started checking out options. Ultimately, I didn’t need to take a 24-hour trip to beautiful Trenton, New Jersey to get away because I had some VMUG business to tend to in Washington, DC that ended up being perfectly timed to after I was two weeks past my second shot. Despite being vaccinated, I was still nervous to fly – my preferred airline had stopped leaving the middle seat empty – so I stocked up on hand sanitizer and N95 masks and headed to the airport.
I got to the airport and I was starting to feel pretty good when I saw the nicely spaced lines at check-in and security. I breezed through security and was feeling okay about my decision to travel – and then I turned the corner and realized that I was in for a rough day. People seemed to be unmasked everywhere! Multiple people were standing around – no mask at all - just leisurely enjoying a coffee and reading a magazine. Over on one side, a woman was screaming at her phone, totally absorbed in her FaceTime video chat with her mask down below her chin. One older gentleman was trying to see if he could fit an entire hoagie in his gruesomely stretched mouth. I wish I could say that my experience on the plane was better, but it wasn’t. It seemed like people couldn’t wait to bust out their three-course dinner and eat it slowly while watching TV entirely without masks for the duration of the short flight.
And that’s when it hit me; I started realizing that the weak link wasn’t the processes and protocols the airport or the airlines had put in place. It was the people who weren’t following them or taking them seriously. Despite the very best efforts and signage, people weren’t giving each other 6 feet of space. I saw one person remove a piece of fabric cautioning people not to sit there and sit down. Sometimes it seems reasonable, but other times I saw people lean around the plexiglass and pull their mask down to speak to the airline employee – a brazen disregard for guidelines and best practice and frankly, the health of the gate agent.
It didn’t take long for me to realize that I’ve seen this before – and as an IT pro, so have you. It’s the exact same reason why we are still so worried about phishing, ransomware, and other security threats even though it is generally known how to prevent these things from being damaging. It’s because getting people to follow directions - no matter how simple and clear - is extraordinarily challenging. So challenging, in fact, that despite billions of dollars of investment, leading edge research, and the best AI algorithms we can throw at it – James in accounting can still torpedo the entire organization by clicking the wrong link in a fake email from Best Buy. And while it’s easy to blame James (certainly I have blamed a great many things on James), is it James’ fault that we can’t secure the organization - or is it ours?
I am aware of several organizations that have a policy that holds employees responsible should they be used as a vector of infection or breach. For instance, if you surrender your credentials via a phishing message, you can be officially disciplined for failing to keep the organization secure – the same way you would be if you let someone random you don’t know follow you into a secured building. These policies attempt to do something that isn’t happening organically: make the employee care enough to genuinely strive to do the right thing. The idea is that absent consequences, why would anyone change their behavior or allow themselves to be inconvenienced? So, by creating consequences - and potentially harsh ones – you force the employee’s hand into caring.
The problem with this is that many modern spear-phishing messages are really quite well done and can fool a great many people – including those that easily pass the “reasonability test.” If a reasonable person would be duped by the message and is in a very real sense the victim, how do you blame them and hold them responsible? Isn’t that a bit like fining someone who had their house broken into despite having dead bolt locks? I certainly understand the company’s position that they need everyone to be vigilant, but it seems like these policies can create an awful lot of collateral damage.
Of course, the inverse – providing no incentives – has issues as well. Let’s go back to the airport for a second. As I said, there were a great many people who were unmasked – some of them standing right in front of a sign professing the law and the importance of wearing a face covering in an airport. None of them had any consequences for this; they were all (as far as I could see) allowed to board their flight without issue. With no consequences at all, what incentive do those not inclined to follow explicitly stated guidelines and procedures have to change their behavior? Without delving into a debate on wearing face coverings (a topic which I have strong opinions on), let’s look at some of the impact around social engineering and cybersecurity. It seems to me that much of this ultimately resolves down to an individual caring enough to change their behavior despite any inconvenience.
I am aware of several individuals who have jeopardized security due to logging into a fraudulent site in order to “renew their account” so their email didn’t get deleted or some other phony scare tactic to get the victim to surrender their credentials. In many of these cases, when the victim was interviewed they stated that they replied because if it was real, they didn’t have time to deal with getting their email deleted. This seems to have two big takeaways for me. First, it means that the IT organization as a whole has a poor relationship with that individual. Anyone who thinks that IT would just up and delete someone’s mail account if they don’t somehow renew it within 24 hours clearly doesn’t believe that IT is there to help them be successful at their job. Second, it shows that they are prioritizing their time and that spending the few minutes to fully vet that message seems less desirable than the potential downstream effects of surrendering their password.
So, what do we do about any of this? We have people who don’t care enough to incur the inconvenience of doing the right thing and who often face no real consequences for deviating from actions that would protect themselves and the entire company. We also have a real need to get them to take responsibility for protecting themselves and others, preferably without using outright hostility directed at our own employees. The only way I am aware of to bridge that gap is education, which likely has to be reasonably intensive. Perhaps more importantly, I think we need to harmonize our message around how to not fall for a scam. Sure, we may have corporate trainings and email blasts that go out, but how often are people reading and really absorbing what they say? We may even have some sort of approved social engineering penetration test where we see who fell for it and provide additional messaging to those who do, but again – is it making a measurable difference? It doesn’t seem like it if you read the headlines about ransomware attacks on pipelines and municipalities.
Unfortunately, the wider population still thinks that “hacking” is something that happens in some sort of neon-lit tech bunker with an eccentric mad scientist staring at five monitors, all scrolling indecipherable code at 400 lines a minute, until the genius deciphers it and after a few keystrokes has stolen your identity. It’s much less romantic to realize it’s someone sending out millions of emails reminding people that the TV they didn’t order is about to be charged to their credit card unless they verify the number. So, there’s a disconnect between the actions our users are taking and what they perceive the risk to be. I’ve heard multiple people say after they’ve been scammed that they didn’t know an (email/phone call/free download) could cause so much harm. And I think that’s the real issue here: people don’t really know.
Sure, for those of us that have spent the last decade or longer paying attention to this stuff it seems almost insane that someone wouldn’t get it, but they clearly don’t – because if they did, they would certainly want to do the right thing more often than they are doing right now. The question that I don’t have the answer to is how we educate them. How do we as an entire industry get the message across? The University that I work for has been doing a pretty good job at this for a while and we keep getting better – but we’re far from where we need to be: 100%. I don’t have a better answer here, but I do know that it’s not entirely up to IT to figure it out. This is something that we all need to participate in and get information security literacy to be fundamental. Too much economic activity is happening digitally for this to be an afterthought any longer.
Ultimately, it seems to me that IT security - like pandemic mitigation - is up to everyone’s personal responsibility and actions, and that we all need to participate. An individual’s actions when responding to an email can most assuredly impact the rest of the company – and so it’s up to each person to ensure that they take the appropriate action. We all need to care enough to think through what we’re doing, verify links, and reach out if we aren’t sure if everything is on the up and up. Because if everyone at the company isn’t doing their part, then no one at the company is really safe.
Questions for reflection:
Have you or someone close to you ever fallen for a scam that was well-crafted and hard to detect? How about an easy-to-spot one?
Do you think policies that punish the employee for opening the door to a breach are fair? Why or why not?
How do we do a better job of educating everyone and getting them to understand the downstream consequences of their actions even if they don’t personally feel them?