When writing about cyber security and implementing defensive measures, common feedback includes questions about the extent to which advice about how to improve personal safety and security can be used by others to inflict harm and carry out cyber-attacks. Clearly, the articles I am writing and publishing here are intended to provide insight into how attacks are identified and prevented through greater awareness. However, readers have expressed concerns, so I feel it does deserve some consideration here, as any published information, not just cyber-security related, could be a double-edged sword.
- Spear phishing, for example, did not come about because someone read about it and decided it was a good idea. It evolved from phishing as a means of improving the success rate. However, if phishing had not been understood and widely publicised with warnings in the past, then maybe its success rate would still be higher, and a more targeted approach might not be happening the way it is today. The point is that as awareness increases, the effectiveness of scams decreases, but scams evolve into something different or more sophisticated that people are not aware of.
- Years ago, as a prerequisite to participating in a banking project, it was necessary to undertake anti-money-laundering training. At the end of the course I heard one of the delegates on the phone telling someone that he had just learnt how to launder money. Although I knew he was joking, he did have a valid point.
- Earlier this year there were media reports about scams involving fraudulent Universal Credit claims and how individuals are left facing high bills. Fraudulent agents representing them made bogus claims on their behalf in exchange for a fee upon receipt of financial grants. The information brought into public awareness identified the weaknesses in the system and how they could be exploited. Information was also publicised about how the civil service are currently unable to cope with the situation. To what extent does this information encourage further fraud to be committed?
- A locksmith needs to be able to get into someone’s house and replace the locks if the keys are lost or stolen. The information and training required to be able to do this as a profession could just as easily be used to commit crime.
In conclusion, I don’t buy into the argument that a security blog reduces security in any way at all. Security blogs and news media reports on real-life issues need to be addressed through greater awareness and the implementation of countermeasures. Whatever cybercrimes and fraud were likely to take place would probably have happened anyway. Crime comes first, followed by countermeasures.
Robert is an information security consultant with over 20 years of experience across a diverse range of organisations, both in the UK and internationally. Robert graduated in 1997 with an honours degree in software engineering for security and safety-critical systems. Robert is contactable directly through LinkedIn.