Would you like some data theft with your coffee?
Last time, we explored auto-updates and why your people aren’t getting around to enabling them. This week’s topic is one that’s just as easily overlooked.
It goes like this. Your new marketing guy, Dave, is waiting for a train connection when he spots a coffee shop. He orders a drink and a slice of lemon cake, and figures he could use the time to dot some i’s and cross some t’s.
Then he remembers why he needs a new laptop bag: the zipper on this one is terrible. He could get one in the store across the street, but needs to check his account balance first. So he connects to the free Wi-Fi and logs into his online bank.
Cyber criminals love public Wi-Fi networks
Why? They love data theft, of course. It brings them identities, card details, and login credentials. No matter your industry, or how much standard security awareness training you assign, we’d bet anything that your people are sharing more than they think.
Public Wi-Fi networks are perilous, and always have been. But you already knew that. It’s just that now, with so many of us working remotely, it’s easy pickings for criminals.
That’s where a virtual private network (VPN) comes in.
Why does everyone need a VPN?
Okay, it’s pretty straightforward. VPNs basically scramble all the information that passes through a network.
People tend to switch to private browsing mode and assume that’s good enough—but it’s not. Switching to private browsing just stops whoever shares the device from seeing someone else’s browsing history. It doesn’t involve encryption, and it doesn’t protect users from cyberattacks.
How do VPNs affect people’s security behaviors?
Revealing evidence
A 2019 study posed the question of whether humans behave differently when they think their network’s security is weak. It compared how people behaved on a public network when they were shown the terms and conditions (T&Cs) before getting online, versus seeing a VPN symbol, which indicated encryption.
We all know how easy it is to skip those T&Cs and privacy statements, and it seems many people get a false sense of privacy from them, even when they don’t actually read them.
The study found that people disclosed less information when T&Cs popped up at the start of a session—no doubt because it reminds people of the risks of sharing a network with others. The presence of a VPN symbol, on the other hand, encouraged disclosure of more personal information and seemed to give people a sense of being protected.
Getting personal
The researchers also found that how careful people were on public networks seemed to be linked to a person’s experience of how risky public places were. So, people’s knowledge and beliefs of various locations dictate how much they reveal in certain locations.
Some users lacked an understanding of what the VPN symbol really meant, and more than half of the participants didn’t notice the symbol at all. Researchers suggested that the human brain dedicated limited mental resources towards processing privacy information—focusing instead on the task at hand.
The conclusion was this: humans need better design cues and more clarity in communications related to online privacy. This, they figured, could combat misperceptions of VPN use and help people understand its value.
What does this tell us?
It tells you what we at CybSafe have been saying for a while now: security awareness alone isn’t enough. Knowing the risks—and the best practices—isn’t enough to protect your organization. To shrink human risk in your organization, you need to influence security behaviors.
A vital part of our arsenal is our database of security behaviors, SebDB. It maps security behaviors to risk-related outcomes. Once you identify the behaviors linked to your risks, you can target them and foster real change.
With more people on the go while working, banking, and generally getting stuff done—and with cyberattacks getting more sophisticated all the time—VPN is an easy way to increase privacy. The trick is making VPN use a standard.
You can read more about VPN use and the risks it mitigates on SebDB.
