When writing about information security and implementing defensive measures, common feedback includes questions about the extent to which advice on improving personal safety and security helps others to inflict harm and carry out cyber-attacks. The articles I am writing and publishing here provide insight into how attacks are identified and prevented through greater awareness. However, readers have expressed concerns, so I feel it does deserve some consideration here, as any published information, not just cyber-security related information, could be a double-edged sword.
- Spear phishing, for example, did not come about because someone read about it and decided it was a good idea. It evolved from phishing as a means of improving the success rate. However, if phishing had not been understood and widely publicised with warnings in the past, then maybe its success rate would still be higher, and a more targeted approach might not be happening the way it is today. The point is that as awareness increases, the effectiveness of scams decreases, but scams evolve into something different or more sophisticated.
- Years ago, as a prerequisite to participating in a banking project, it was necessary to undertake anti-money-laundering training. At the end of the course, the joke among delegates was that we had just learnt how to launder money.
- Earlier this year, there were media reports about scams involving fraudulent Universal Credit claims and how individuals are left facing high bills. Dishonest agents representing them made bogus claims on their behalf in exchange for a fee upon receipt of financial grants. The news increased awareness of the issues, how the civil services struggled to cope with the situation, and how criminals exploited the system weaknesses. To what extent does this information encourage further fraud to be committed?
- A locksmith needs to be able to get into someone’s house and replace the locks if the keys are lost or stolen. The same information, training, knowledge and experience can be adapted to committing crimes.
In conclusion, I don’t buy into the argument that a security blog reduces security in any way at all. Security blogs and news media report on real-life issues that need addressing through greater awareness and the implementation of countermeasures. Whatever cybercrimes and fraud were likely to take place would probably have happened anyway. Crime comes first, followed by countermeasures.
Robert is an information security consultant with over 20 years of experience across various organisations, both in the United Kingdom and internationally. Robert graduated in 1997 with an honours degree in software engineering for security and safety-critical systems. Contact Robert directly through LinkedIn.