Plain English Cyber in 3 articles, 2 numbers and 1 action.
This week: MFA may be worth Sweet FA, cybersecurity bootcamps may not get you a cybersecurity job, what an Enduring Power of Attorney may teach us about the advisors we trust, and crypto continues to provide plenty of reasons why TradFi is also MoreSecureFi.
This week’s action: Remind staff why their password and MFA security codes are just like their toothbrush.
If you’d prefer to listen to Cyber 3-2-1: This week’s episode is accessible from https://www.codeinmotion.ie/podcast or wherever you get your podcasts.
1: MFA is worth Sweet FA if the human shares the security code
If you regularly read Cyber 3-2-1, you know I constantly remind you to set up multi-factor authentication wherever it is available. It is one of the most significant security improvements that you can make. According to Microsoft, 99.9% of account compromise attempts fail when MFA is in use.
A recent article from TechRepublic reminds us that MFA is worth Sweet FA if you share the MFA code with someone. The article describes a recent attack discovered by Cyble that uses automated phone bots: the bot calls the victim, pretends to be their bank or other account provider, and talks them into reading out their MFA code.
This is not a straightforward attack, and it requires some well-timed coordination by the attacker: a one-time code is only valid for a short window, so the attacker has to be sitting at the real login page at the same moment the bot has the victim on the phone. But regardless, it will ALWAYS fail if you remember to NEVER share your password or security code with ANYONE! (It also fails against MFA that has no code to read out, such as a FIDO2 security key or passkey, but most of us still rely on the six-digit code, so the rule stands.)
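To show why the timing matters and why the login page cannot tell the difference, here is an added example in Python (mine, not code from the TechRepublic or Cyble write-ups). It implements the standard time-based one-time code (RFC 6238 TOTP, built on RFC 4226 HOTP) and then simulates the phone-bot scenario. The secret is the published RFC 6238 test key, the timestamps are constructed, and the one-step tolerance window is an assumption (it is common, but each service picks its own).

```python
"""
Why a relayed one-time code works for the attacker: the server only checks
that the code matches the current time step (plus a small tolerance); it has
no way of knowing who typed it in. Added example, not code from the
TechRepublic/Cyble write-up. The secret and timestamps are constructed
(the secret is the RFC 6238 Appendix B test-vector key).
"""
import hashlib
import hmac
import struct

TIME_STEP = 30   # seconds per TOTP step (RFC 6238 default)
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // TIME_STEP)


def verify_totp(secret: bytes, submitted: str, now: int, window: int = 1) -> bool:
    """Server-side check. Accepts the code for the current step and `window`
    steps either side to tolerate clock drift (window=1 is an assumption).
    Note what is NOT here: nothing about who is submitting, from which
    device, or whether the person is on a phone call with a 'bank'."""
    counter = now // TIME_STEP
    return any(
        hmac.compare_digest(hotp(secret, counter + drift), submitted)
        for drift in range(-window, window + 1)
    )


def relay_attack(secret: bytes, victim_reads_at: int, attacker_submits_at: int) -> bool:
    """Simulate the phone-bot scenario: the victim reads out whatever their
    authenticator shows at `victim_reads_at`; the attacker types it into the
    real login page at `attacker_submits_at`. Returns True if the login
    succeeds, i.e. the attacker is in."""
    code_read_over_phone = totp(secret, victim_reads_at)
    return verify_totp(secret, code_read_over_phone, attacker_submits_at)


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test key, used here as a demo secret
    t = 1_111_111_111                  # a timestamp from the RFC 6238 test vectors
    print("code shown to victim:", totp(secret, t))            # 050471 per RFC 6238
    print("relayed within 20s:", relay_attack(secret, t, t + 20))   # True
    print("relayed after 60s:", relay_attack(secret, t, t + 60))    # False: window expired
```

The second and third calls are the whole story: a code read out over the phone and typed in by the attacker within the window is accepted exactly as if the victim had typed it, and a code relayed too late is rejected, which is why the attacker has to have the bot on the phone at the same moment as the real login attempt.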
2: Cybersecurity bootcamps may not be enough to get you a cybersecurity job
The Wall Street Journal recently reported on a study that identified an ongoing gap between what US cybersecurity bootcamps train students to do and what cybersecurity employers need them to be able to do from Day 1.
The article reports that 2.7 million cybersecurity jobs remain vacant around the globe due to a skills shortage. Despite this, it can take bootcamp graduates between 6 and 12 months to find a cybersecurity job. According to ISACA, “there simply are not enough entry-level jobs in the market”.
So, what’s the deal? Companies are crying out for cybersecurity skills, and yet people with skills don’t find it easy to get jobs.
Many organisations already operate placement programs for college kids. It’s how I first came to Dublin, and I ended up staying with my employer for 15 years after I graduated. If you have a cyber vacancy, could you lower the bar and train someone who has the basic skills and the right attitude (but no relevant experience)? In return for your investment, wouldn’t the trainee be far more loyal to your organisation? And that trainee could train next year’s trainee, creating a little in-house cybersecurity expertise factory!
I’ve been talking to the team in CyberQuest about this challenge, as they deliver a range of training solutions for those looking to get onto the cybersecurity career ladder. If you’re interested in hearing more from me and CyberQuest on the topic, and you’re free at 3pm on Friday, July 8th to attend a webinar, let me know and I’ll send you an invite.
3: Be careful who you trust for advice
I’ve recently been helping someone to set up an Enduring Power of Attorney (EPoA).
What’s an EPoA, I hear you ask? Well, my non-expert view is that an EPoA reduces the stress of a scenario that none of us wants to consider: when a person is still alive but is no longer able to manage their own affairs or to make decisions for themselves. An EPoA provides a legal basis for one or more people whom they trust to make decisions on their behalf.
So, what’s that got to do with cybersecurity? I would have thought very little.
But based on the opinions we’ve received from two experts, I think there are some lessons here on how any of us (including me) should be careful about the advisors we pick and the advice they give.
Read more: https://codeinmotion.ie/epoa
1: $36 million
The value (in US Dollars) of cryptocurrency that was transferred to the wrong account (known as a ‘wallet’) due to a copy and paste error.
But it’s OK because the developers of the platform plan to rewrite their code to transfer the money back to the correct wallet (a confirmed blockchain transaction cannot simply be reversed, so there is no bank to ring and no other way to get it back).
As these may be the same developers who made the copy and paste error in the first place, I may choose to leave my money in an old-school bank, laden down with all of its boring and slow change control and testing procedures.
As a former software developer, I recommend that we never put all of our faith in software developers.
2: $1 billion
The value (in US Dollars) of cryptocurrency stolen from 46,000 people in the US since the start of 2021, according to the US Federal Trade Commission (FTC). This is about 25% of all the dollars reported as lost to the FTC. The regulator further explained that nearly half of the people who reported losing crypto to a scam since 2021 said it started with “an ad, post, or message on a social media platform”, with Instagram as the leading platform reported by the victims, followed closely by Facebook.
1: Remind your staff that their password and MFA codes should never be shared.
Following up on the TechRepublic article that I mentioned earlier: MFA is a key security defence, but the humans operating this defence need to be reminded that MFA security codes must not be shared with anyone, no matter who the caller says they are. A genuine bank or IT helpdesk will not phone you and ask you to read one out.
Just like a toothbrush, they’re not for sharing.