How doubt can be an invaluable business asset

Before the digital age, information used to be scarce and came at a cost as print was the best way of sharing information non-verbally. With the rise of digital technology, sharing information came more easily and has become inexpensive (when there is a cost at all), meaning anyone can take advantage of digital media. Because of the ease by which information can be shared online, we now find ourselves bombarded by emails, notifications, pop-ups, links, and attachments wherever we go.

Within organisations, this bombardment of information can pose some security threats. The fast pace at which we receive information limits our ability to judge the quality and trustworthiness of the things we encounter online. Nowhere is this clearer than in the way that fake news can spread like wildfire. And the ones taking the greatest advantage of this inability to effectively judge information are cybercriminals.

Cybercriminals thrive on the urgency and threat that may be evoked through tinkered language choices. These criminals take advantage of fear and greed and depend on their victims to act before they have a chance to properly evaluate the validity and trustworthiness of digital information.

A good anti-virus program and email service provider will be able to filter out most cyberattacks as it analyses patterns and does a lot of the hard work for us. Unfortunately, though, cybercriminals are extremely inventive and regularly come up with new ways to bypass existing systems, leading to a constant back-and-forth between cybercriminals and cybersecurity companies.

Moreover, targeted attacks mostly go undetected by security software as they do not follow formulaic and general cyber-attack patterns. Because of the fluid nature of these attacks, gearing management and employees for every individual one is impossible. Therefore, some general practices are required to minimise susceptibility to cyberattacks.

The best common practice is applying a willingness to doubt all digital information. A willingness to doubt can serve to increase your cybersecurity and protects against targeted cyberattacks that pose as immediate threats.  In the digital economy, cybercrimes are often initiated through a false threat or promise that demands immediate action. The best safeguard against cyberattacks is to test information no matter the level of urgency it might demand.

For organisations, this means to be willing to doubt the information you and your employees encounter in the digital realm. A willingness to doubt serves to counteract the instinct to resolve issues immediately without complete information and helps guard against cyberattacks that may hurt your organisation.

Malicious attacks in the form of notifications, pop-ups, links, and emails abound in the online world. And while many of these attacks are done on mass-scale as a hit-and-miss approach, organisations are more vulnerable as they are just as susceptible to these attacks with the added threat of targeted attacks. This means that organisations need to be geared and informed about how these attacks appear in reality.

Cyberattacks rely on the sending and receiving of information and demand action on the part of the potential victim. Naturally, there are many instances that will not require a test of information. A simple thank you message on a running email thread by a colleague probably doesn’t require careful attention (although a quick “You’re welcome” would be a nice gesture). But urgent communication that asks you to download/execute a file, asks for sensitive information, asks for a transfer of funds, provides a strange link/prompt, must be placed under scrutiny at some level.

Cyberattacks also usually come up as unexpected events. If a request seems out of the ordinary, it should trigger an element of doubt. Common unexpected prompts relate to things like the discovery of a virus, the compromisation of an account, a request for immediate fund transfers with little explanation, exclusive and lucrative offers, or a ‘routine’ request to update personal information.

Cybercriminals are smart, and targeted cyberattacks are done with meticulous research and often contain personal information that can fool the unsuspecting victim into believing that the prompt is trustworthy. Therefore, it is always important to check and cross-reference sources.

For email, the first thing that should be investigated is the sender. Phishing attacks often appear as legitimate and use familiar-looking addresses and visual imagery such as logos to deceive users into thinking that it is legitimate. Inspect the sender addresses for misspellings and unusual symbols. Cross-checking the unusual emails with previous correspondence to see if the addresses match, is also a good idea. The same applies to other messaging services.

For pop-ups and notifications, see if the message originates from the expected place. For instance, a message saying a virus has been detected on your computer that originates from anywhere other than your anti-virus software probably contains malicious software or is an attempt to trick you into sharing sensitive information.

Always be suspicious of any shortened link or links with unverifiable/unknown origin. If unsure, rather try entering a trusted URL manually or contact the relevant party directly via a known and trusted channel to verify the information, links or emails you have received. Clicking on the wrong links, pop-ups or notifications, can easily lead to malware and virus intrusions.

Treat any pop-up or notification that originates from unknown sources with distrust, and always choose to reject rather than accept these alerts. Also, reject any prompts to allow access to system components (like your mic or webcam) or that asks for remote access to any of your applications unless you clearly and knowingly initiated the action that led to the prompt.

Treating all these kinds of digital prompts with suspicion can help you dodge a range of bullets (such as phishing, malware, virus, and spam attacks) that protect you and your organisation. Training your staff on some basic principles of the verification of information can only serve to increase your corporate security framework.

Reference list:

• https://digitalguardian.com/blog/phishing-attack-prevention-how-identify-avoid-phishing-scams
• https://www.forbes.com/sites/forbestechcouncil/2019/01/07/phishing-why-we-should-teach-employees-to-be-skeptics/

This article is a general information sheet and should not be used or relied on as legal or other professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Always contact your legal adviser for specific and detailed advice. Errors and omissions excepted (E&OE)