I HAVE ALWAYS LOVED APRIL FOOL’S. As far back as I can remember, from my early childhood until today, I have never lost the habit of pulling some kind of silly, harmless prank. Some were reasonably amusing, like when I posted an (obviously fake) check-in at the top of Mount Everest and informed a client that I would be late for an important meeting. Other instances led me into somewhat complicated situations, for example, when I changed the date of my birthday on social networks to 4/1. Aside from an entire day of online congratulations (that was the point of the joke, by the way), at the end of the day I discovered that my colleagues had decided to throw a surprise party at work. Some of them were not entirely happy to learn that it was all a joke, but in the end, we had a good laugh.
You may be wondering: What does this have to do with cybersecurity? Well, the fact is that over the years (and those small pranks had a part in it) I have noticed that during April Fool’s, people are far more skeptical regarding what is published on the internet. Will Google print and send a hard copy of email to your home? Oops, this must be a lie. Will Google launch a “pet-friendly” search engine for your cats and dogs? Of course not! Will Subway launch a line of “subzero” ice cream including tuna, chicken tikka and marinara meatball flavors? That is quite funny, but there is no truth in it.
And that’s it! For one day we adopt a critical view and a skeptical attitude that rejects the idea that “if it is on the internet, it must be true!”. Now I ask, why not adopt this same posture when we receive an “email from the bank” asking us to revalidate our password in order to ensure our account will not be blocked? Why not act the same way when a Word or Excel file, downloaded from a not-so-trustworthy site, asks to enable macros? Why, as Bruce Schneier used to say, does the user have to pick dancing pigs over security every time? With the April Fool’s attitude, we can change that!
Good information security depends on PEOPLE, processes and technologies. Most of you have heard time after time that “people are the weakest link”. Unfortunately, this statement has remained a merciless truth during the last couple of decades, with very little sign of improvement. What is the point of acquiring top security solutions without implementing sound processes and having employees trained and fully aware of their security responsibilities?
At the end of the day, when it comes to people, what we really need is to ensure the balance of knowledge, skills and attitudes. Again, if replicated all year long, this skeptical attitude we use during April Fool’s would have a spectacular result against threats that have been causing nightmares to security professionals: any form of social engineering, phishing, spear-phishing, ransomware infections and most other forms of malicious code. The list is extremely large.
May April Fool’s last all year long! It is my most sincere and humble wish!