Cyberattacks are a growing threat facing businesses, major cities, and political campaigns. Cyber risk ranked as the top business concern for 2020, according to a recent survey of more than 2,700 global business leaders and security experts.
The attacks are always costly, sometimes embarrassing, and for critical urban infrastructure, they can be life threatening. But cybersecurity isn’t necessarily a high-tech or complicated computer science matter, according to MIT professor Lawrence Susskind, co-director of the MIT Cybersecurity Research Project in the Science Impact Collaborative. Attackers use “social engineering” — non-technical methods to manipulate people into clicking on infected links or websites or giving up confidential information.
To keep them out, Susskind teaches “defensive social engineering,” or creating an organizational structure and culture around best security practices and training employees to follow them. It can be as simple as teaching people not to open emails from unknown and unverified sources. The defensive part is key, he said — organizations should not wait until an attack happens to take action.
Defensive social engineering is the basis of the MIT Cybersecurity Clinic, which is a new course offered for the first time this spring. The course focuses on critical urban infrastructure — city transit agencies, energy facilities, police departments, and other public services that currently face thousands of attempted attacks each day. When those organizations are attacked, lives are at stake — a hacked police, hospital, or emergency services system could hinder urgent responses. MITx will be hosting four two-hour online training programs that will allow anyone to be certified as a Cybersecurity Vulnerability Assessor.
Most public agencies do not have recommended protocols in place, Susskind said, even though defensive measures are far less costly than an attack and often don’t cost that much at all.
“People need to be educated more broadly in any setting,” Susskind said. “They need to control their password. They need to control access to company or agency networks. They need to understand that includes being very wary about what email attachments you open.”
While stakes vary, the cybersecurity course starts with these important rules that can — and should — be used at any organization.
Know the threat
Susskind said the biggest cyber threat comes from phishing, in which emails or fraudulent websites — often disguised as coming from a trusted source — are set up to gather personal information and deliver ransomware. A successful phishing attempt lets attackers encrypt an organization’s data with ransomware and demand a ransom payment before the data is released.
Most attacks are state-sponsored, Susskind said, from countries including Iran, North Korea, and Russia. Their goal is to cause chaos.
Put someone in charge
Someone in your organization should be in charge of cybersecurity — a chief information security officer (CISO), for example, who makes sure everyone is trained, everyone is following the training, people know what to do if they suspect someone has intruded into their system, and other steps. The employee should be in the C-suite, Susskind said, so they have the power to make tough decisions and enforce mandates.
Back up information regularly
Without backups, restoring data after a ransomware attack can require paying a ransom or costly data reconstruction. Regular backups can prevent those costs. Susskind pointed to the city of Baltimore, which declined to pay $80,000 in ransom after being hacked in May 2019. Costs of restoring data and recovering from the attack are estimated at more than $15 million.
Know your critical assets
Companies, agencies, or cybersecurity specialists should take the time to identify critical management assets before an attack happens, Susskind said, and take efforts to protect them. Knowing where the most important data are stored can save time and effort in case of an attack, and help make decisions about the value of the data.
Have an emergency response plan
Your organization should know what to do in case of a cyberattack, including which authorities to contact. Susskind recommends being in touch with federal agencies such as the FBI and the Department of Homeland Security ahead of time, and creating a response plan detailing the steps to take in case of a security breach. There should be a protocol for shutting down systems, and someone high up in the company needs to have the authority to order a rapid shutdown.
The response often includes shutting down communication, so there should be a backup communication plan in place, Susskind said.
Install security updates
One of the most significant security steps is also one of the simplest, Susskind said: Companies should deploy the updates or patches provided by software vendors when there’s a security problem. Attackers often know about the weaknesses a patch is meant to fix, and unpatched systems can become the focus of an attack.
Check your suppliers
Defensive social engineering shouldn’t apply only to in-house staff. Companies also need to take precautions with third-party suppliers and visitors. The New York City police department was recently infected with malware that came through a vendor with an infected laptop. When it comes to an outside party, “Review their cybersecurity rules,” Susskind said. “Don’t have any? Bye.”
Keep everyone on board and up to date
Susskind said there are some main points people should keep in mind about defensive social engineering. One is that cybersecurity is everyone’s responsibility. “Every single person in an organization has responsibility for cybersecurity in that organization,” Susskind said. “It only takes one person to be foolish or not paying attention, open one attachment, and that’s it.”
Another is that you don’t need to be a computer scientist to employ these methods and reduce risk.
“It really doesn’t hinge on a new level of more sophisticated encryption,” he said. “How about just changing everybody’s passwords regularly? How about not taping them to people’s machines in the open office?”