Con artists have been around for ages, and in 2019 they’re using pretty much the same tactics they did in 1919—and 1619. They’re preying on people’s greed, their altruism, their curiosity, their dreams and aspirations—in short, everything that makes them human.
It’s just that now, with the rise of the internet and an expanding cyber-world that seems to be permeating more and more facets of our daily lives, they have more opportunities.
“The most secure computer is a computer that’s turned off, with no human being touching it,” says John Harmon, Regional Vice President of Federal at Elastic and an instructor for Georgetown University’s Certificate in Cybersecurity Strategy. In other words, the weakest link is still the human one.
Making the Case for Cybersecurity
Harmon, who spent seven years as an analyst at the National Security Agency, will be teaching two courses this winter: Making the Business Case for Cybersecurity; and Threats, Vulnerabilities, and Social Engineering in Cybersecurity.
The six-course certificate is designed for students with differing degrees of experience in the field. This includes those who do other types of work for their organization but want to move into cybersecurity; people already involved in cybersecurity who want to learn more technical skills; and other kinds of professionals, such as lawyers, who don’t deal with cybersecurity themselves but work with people who do.
Why is it often necessary to make the business case for cybersecurity? In an age of cyber threats foisted by individuals, hostile nations, and radical groups, that need might seem self-evident; and, for security-related businesses, that’s certainly true. But for other enterprises, convincing the owners or managers to invest in cybersecurity can be a harder sell.
“If you work for security in a company in which security is not its core business, you’re costing the company money,” Harmon says. “Your existence is a cost.”
Then why should such a company invest?
“Cybersecurity is very similar to life insurance,” Harmon says. And like life insurance, “the budget a company spends on cybersecurity has to be comparable to the risk that they face.”
Thus, a small business would tend to have significantly lower security costs than a large one. Among the major corporations attacked in recent years have been Target and Equifax, each of which was hit with significant court settlement costs in recent years ($18.5 million for Target, $700 million for Equifax) after hackers gained access to the personal data of millions of consumers.
‘Phishing’ and ‘Spear Phishing’
Several years ago, operating systems such as Windows were targeted for attacks. “Today, that’s not necessarily the case,” Harmon says. “Most of the operating systems are fairly secure, but a lot of the things they’re targeting now are applications, like browsers.”
Social engineering—defined as attacks that trick users into acting against their own self-interest—is on the rise, Harmon says. Among the most popular attacks is phishing, whereby the attacker typically sends multiple fraudulent emails that look like they come from a real business or organization. The goal is to obtain recipients’ personal information by getting them to click on a link or be fooled into divulging things like passwords or financial information. A version of the practice called “spear fishing” employs a similar scam but customizes the emails for a specific audience, thereby boosting the scheme’s success rate.
The job of a cybersecurity director is both to make a business’s or an organization’s computer system less vulnerable to attack and its workers more adept at spotting online fraud. Advanced technical knowledge is useful, but those in charge of cybersecurity don’t have to be technical experts themselves. More importantly, they need the requisite technical knowledge, big-picture perspective, and communications skills to act as a liaison between those specialists and company leadership.
“Being more technically skilled than the people who work for you is atypical, not the norm,” Harmon says.
What’s more important—what Harmon wants students to come away with after completing the program—is “an appreciation for what cybersecurity does for the organization they work for and an ability to articulate the business case and advocate for it.”
“You can’t advocate for your team,” Harmon says, “if you don’t have an understanding of what they’re trying to do for you.”