In private, and usually anonymously, the companies producing anti-malware software begrudgingly admit that, most of the time, the criminals are winning the game. However, they’re not winning because firewall and anti-malware software is ineffective; they’re winning because computer users are negligent about preventing cyber attacks.
According to a report released in April 2014 by Verizon Communications, hackers will successfully gain access to protected corporate computer networks 90 percent of the time by sending phishing emails to just 10 employees. (Phishing is an Internet scam in which a criminal sends someone an email that looks like one from a legitimate organization, in order to surreptitiously plant spyware on a computer, or trick the email recipient into divulging sensitive information.) In other words, nearly one in 10 employees is careless enough to fall for a phishing ruse and click on an attachment in an email that a more careful person would instantly regard as suspicious. According to the report, two-thirds of the electronic espionage cases it examined involved phishing.
Phishing is just one way in which users help criminals gain access to computer systems. Another common way is that users or IT support staff fail to install the latest software security upgrades, thus leaving their systems exposed to threats. Few computer users can claim to be ignorant of the importance of this practice, yet software manufacturers regularly report that users are amazingly lax about it. Some put off installing upgrades “to a more convenient time.” That’s dangerous because most upgrades are released to address immediate security issues, so any delay in installing them leaves the system vulnerable. It’s also dangerous because, according to experts, many people who postpone installing upgrades forget to install them later.
The third reason criminals succeed in accessing computer systems is that users or IT support staff configure the systems incorrectly through carelessness or lack of proper training. Suppliers of security software regularly report that this is one of the biggest and hardest-to-address problems, especially for corporations. When a system is breached by malware, it’s often difficult to identify how the malware gained access, and even more difficult to identify the person responsible for the breach of security. Indeed, malware can access a system even when all security measures are fully up to date and set up correctly. New malware can get into a system before the software patches to counter it have even been written, before anyone can do much about it.
The lesson is clear: Just as your home’s locks, alarms and cameras can’t guarantee 100 percent protection from burglars, neither can a user and the best software fully protect a computer system from criminal access. The best approach is to keep all software fully up to date, install reputable anti-virus programs, configure firewalls carefully, avoid obscure websites and never open suspicious email attachments. Faced with those precautions, the criminals will probably decide that it’s a lot simpler and more profitable to switch their attack to less protected victims.