
Common Cybersecurity Awareness Myths

Sam Bisbee
Published October 03, 2023

As we enter Cybersecurity Awareness Month, we should prepare for the wave of common security myths and misconceptions, often amplified with good intentions but ill effects. These topics can be controversial even among seasoned professionals, so we will take a data-driven view and address the broadest business population.

That breadth is often the source of disagreement. Every business must have its own conversations on risk and acceptable loss, applicable threat models and likely threat actors, and how their environment is unique. The common thread though is data, expertise, and objectivity, not tribal knowledge, mimicking without understanding, and confirmation and survivorship bias.

We will tackle "the big three": clicking links in email, public Wi-Fi use, and "juice jacking" or the dangers of free USB charging for phones.

#1 Clicking links in email

Takeaway: Teach clear indicators of phishing and scams, but unrealistic advice like "don't click links" is unproductive-to-harmful.

"Safe use" awareness is powerful, helping employees use technology better while addressing common issues, but years of asking people to change fundamental behaviors like "don't click links" does not seem to be working. Verizon's 2023 Data Breach Investigation Report reports that 74% of all breaches include the human element (not just email), and the Cyentia Institute's 2022 Information Risk Insights Study ranks phishing as a top three initial access technique across 18 of 20 sectors (ranked 4th in Information and Other Services).

Accidents happen, and even a well-intentioned and trained employee will click a malicious link over enough time. This is one reason security programs still invest in email and device security after years of cajoling users to use email differently. More concerning is the time spent on this topic in precious security awareness training, doing more harm by losing the audience's attention for lack of practicality.

Businesses must be more resilient than an employee clicking a link. Employees can help, especially for ground truth reporting ("see something, say something"), but mitigating this risk is the responsibility of security teams.

#2 Public Wi-Fi use

Takeaway: Public Wi-Fi is safe for use even in business contexts.

The belief persists that public Wi-Fi is less trustworthy or more dangerous than home or office networks. Yet there is no reporting on mass exploitation of public Wi-Fi, including from 2020 through 2022 with the spike in remote working. The Federal Trade Commission (FTC) warned against public Wi-Fi use in 2011 but in 2023 updated its guidance to reflect technical developments that make it safe to use.

By comparison, we do see laptop and device theft, such as a crime of opportunity in a public space. It is a more likely risk, and it is mitigated by investments in storage encryption, mobile device management (MDM), and lockout policies. An example subpopulation is the archived list of reported breaches of unsecured protected health information affecting 500 or more individuals from the Department of Health and Human Services Office for Civil Rights (OCR), which shows 4.6K+ incidents of theft or loss of a laptop or other portable electronic device since 2009, affecting 345M+ individuals.

Meanwhile local network traffic continues its trend of security:

  • Google's "HTTPS encryption on the web" Transparency Report shows >90% encrypted traffic across Google, and widespread adoption of encrypted traffic by operating systems like Windows and Mac.
  • Let's Encrypt Stats on the Percentage of Web pages Loaded by Firefox Using HTTPS from Mozilla's Firefox Telemetry shows ~80% of global users' traffic is encrypted and ~90% of USA and Japan users' traffic is encrypted.
  • Google's "Email encryption in transit" Transparency Report shows >90% of emails to and from Google (Gmail) are encrypted.
  • DNS security functionality still has adoption challenges that are somewhat mitigated by the strong encryption support for app traffic and the ubiquity of VPN and equivalents for business managed traffic. DNSSEC adoption is low (~5% of .com domains secured per Verisign's DNSSEC Scoreboard) but took off in 2020 and has sustained growth. Similarly, DNS over HTTPS (DoH) is supported by operating systems and browsers.

Unless the device has network-facing services on it, which should be an extreme exception for user devices, public Wi-Fi presents little-to-no unique risk compared to any other Wi-Fi network. For those adopting a zero trust approach, public Wi-Fi is an excellent example of never trusting the network—that means public and private networks alike.
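The caveat above about network-facing services can be checked directly on a device. The following is an added example, not part of the original article: it assumes Linux and the column layout of `ss -H -tuln`, uses a constructed sample rather than output from a real host, and flags every listening socket bound beyond loopback.

```python
import ipaddress

# Constructed sample of `ss -H -tuln` output (Linux); not captured from a real host.
SAMPLE_SS = """\
udp   UNCONN 0      0            127.0.0.53%lo:53         0.0.0.0:*
udp   UNCONN 0      0                  0.0.0.0:5353       0.0.0.0:*
tcp   LISTEN 0      128              127.0.0.1:631        0.0.0.0:*
tcp   LISTEN 0      128                0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      4096                 [::1]:631           [::]:*
tcp   LISTEN 0      511                   [::]:8080          [::]:*
tcp   LISTEN 0      5             192.168.1.23:5000       0.0.0.0:*
"""

def split_endpoint(endpoint):
    """Split 'addr:port' into (addr, port), handling [v6] brackets and %iface scopes."""
    addr, _, port = endpoint.rpartition(":")
    addr = addr.strip("[]").split("%", 1)[0]
    return addr, port

def is_network_facing(addr):
    """True when the bind address is reachable from other hosts on the network."""
    if addr == "*":  # ss prints '*' for a dual-stack wildcard bind
        return True
    return not ipaddress.ip_address(addr).is_loopback

def exposed_listeners(ss_output):
    """Return sorted (proto, addr, port) tuples for sockets bound beyond loopback."""
    found = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip blank or truncated lines
        proto, local = fields[0], fields[4]  # Netid and Local Address:Port columns
        addr, port = split_endpoint(local)
        if is_network_facing(addr):
            found.add((proto, addr, int(port)))
    return sorted(found)

if __name__ == "__main__":
    for proto, addr, port in exposed_listeners(SAMPLE_SS):
        print(f"{proto:4} {addr}:{port}")
```

A socket listed here may still be filtered by a host firewall, so treat the result as the set of services to review rather than a confirmed exposure.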

#3 "Juice jacking" or the dangers of free USB charging for phones

Takeaway: This attack has been proven across phone models, but there is no confirmed data suggesting its use, and user mitigation is low cost, so it is usually safe to use a free USB charger in a pinch.

While there are times you may want to avoid USB charging stations, like leaving your phone unattended to be stolen or at a security conference where "demonstrations" of these attacks are more likely, there is no confirmed data supporting the amplification that "juice jacking" gets.

For those concerned about this risk, mitigation is low cost for both the employer and employee:

  1. Use electric-outlet-to-USB charging adapters and small mobile battery packs that have become standard carry-on, especially for business travelers.
  2. Select "charge only" if the phone asks whether you want to "share data" or "trust this computer" or similar when plugging into USB.
  3. If a user's risk is assessed as significantly higher, consider investing in special chargers and cables that block or do not carry data.

The greater risk for free USB charging stations is the device being left unattended and someone walking off with it. Again, a business's investments in device management and hygiene enforcement are typically reasonable mitigations.

Why is increasing awareness of these topics bad? Isn't more awareness always good?

Security typically receives little-to-no positive attention from coworkers and corporate mandated training does not spark excitement. These precious moments and first impressions are some of the most expensive resources security teams have.

Best case, any time spent on material that is not critical, not relevant, inaccurate, or unrealistic is a waste. Worst case, security teams lose their audience and will not be given attention next time no matter how critical their message is.

The macro question is why myths and misconceptions like these persist. Part of the problem is human, as mentioned at the beginning of the article.

The other part is structural when misconceptions like these are written into compliance frameworks and business agreements. Such prescriptions rarely age well, especially when written with specificity that is not updated in step with technology. This leaves security programs implementing outdated or mythical requirements which are picked up by their teams and carried onto their next employer. This infected knowledge is worse than malware.