The most Microsoft, Google, or any of the tech companies can do with their technology is try to detect malware and phishing sites, and stop them from talking to the internet—blocking up the door to the offtrack-betting basement. This is called “blackholing.” But because spinning up a hundred basements on the internet isn’t much harder than spinning up one, leaving it to tech companies won’t work. The victims are the weakest link in phishing, and the tech companies can’t put out reliable updates to change or prevent user behavior.
“We do invest a lot in technical fixes like better threat detection, better protection of networks, efforts like AccountGuard and Defending Democracy, and encouraging two-factor authentication for high-value accounts,” Herley says. “But there’s also an education component; we’d love protection to have zero asks of the user, but that’s not always possible.”
AccountGuard and Defending Democracy are offerings from Microsoft aimed at its most vulnerable (and political) clients, but even then, most of the offerings consist of recommendations, best practices, webinars, and notifications: attempts to patch the human.
Many security-professional and media recommendations exhort eternal vigilance, paying attention to every detail. This is terrible advice. I’m a professional with years of experience in this space and I don’t bother to inspect my emails or carefully read all my URLs: I have things to do. As a strategy for the constant level of attacks in modern email, this approach has failed, even in dealing with the amateurish mass-phishing attacks we’ve seen over the past 10 years.
Spear-phishing, especially political spear-phishing, is even harder to catch with vigilance. Inconsistent security advice has contributed to the disaster: ideas that are hard to implement, don’t make sense, and don’t work, but that security and IT departments still yell at people with all the fury of revivalist preachers. It’s exhausting.
Developing a few good habits based on how the computer you’re using actually works is relatively easy and more effective than paranoia. Turn on two-factor authentication wherever the sites you use offer it. This includes things such as RSA tokens, YubiKeys, Google Authenticator, and SMS verification codes, each of which adds something beyond a username and password that is needed to log in, so that if your username and password are stolen or leaked, attackers still can’t take over your accounts. Apply software updates. Or, better yet, Herley suggests letting your computer do it for you. “I’d say use automatic updates … We invest heavily in [fixes] as soon as we figure out things are wrong. You want all that goodness working for you.”
Set up regular backups that require minimal effort from you. “You don’t have to worry as much about ransomware [or theft, or disk crashes] … if you know you can always get your stuff back,” Herley says. Use long, complex, and unique passwords, but make it easy on yourself. “Write them down or use a password manager,” Herley says.