Originally published on the TripWire blog.
Sometimes you find inspiration in unlikely places.
Never did I think, for example, that I would be able to connect my day job as a writer in the security awareness field with a burgeoning hobby of mine: birdwatching.
But the more I “birded,” the more what I learned about birdwatching—both in the field and from birdwatching blogs—began to filter into my day job. Here are four bits of advice gleaned from birding that have helped me to better understand the wide world of cybersecurity awareness.
Be Ready for Anything
As a birdwatcher, sometimes you just have to drop everything and go get your binoculars. I had this experience while typing away at work when I saw a flash of color in a tree outside my second story office window. Two black, grey, and yellow birds were flitting from branch to branch. They moved so quickly I had trouble identifying them and thought they might be a species I had not seen before. I was thrilled at the thought I might add a new species to my “life list,” which birders use to keep track of all the species they’ve seen throughout their lives.
I dashed outside and soon identified them as yellow-rumped warblers, a beautifully colored type of songbird. Not my first sighting, but still wonderful to see on a rainy, grey day.
There are new “species” of malware and cybercrime appearing all the time. Take ransomware for example. Just a few years ago, this particular type of malware was relatively unknown. Today, it’s all too common.
So how do you get your employees geared up to identify these newly emerging threats in your environment? It starts with security awareness training that is geared to address emerging threats, but also designed to encourage employees to be ready to identify all kinds of attacks—even the ones they’ve never seen before. When employees are trained to be ready for anything, they’ll do better at protecting information—and maybe at spotting new birds.
Things Aren’t Always as They Seem
Depending on what part of the world you live in, red-tailed hawks are the bird of prey you’re most likely to spot. They make their living scanning fields, highway medians, anywhere with tall grass looking for rodents and other small animals to eat. In the Pacific Northwest of the U.S. (where I live), red-tails are often seen perched on street lights and road signs along major highways looking for their next meal.
Their high-pitched keeeee-arr call is iconic, though usually incorrectly associated with the bald eagle. As a friend once told me, only two birds in the world make that sound: red-tailed hawks, and a bird called a Steller’s jay pretending to be a red-tailed hawk. And Steller’s jays are pretty good at it, too. As a birdwatcher, keeping a keen ear for imitative calls like this is an important skill to nurture.
In the cybersecurity world, this sort of imitation and misdirection is one of the most common ways for criminals to gain access to sensitive data. The specters of phishing emails and other social engineering attacks loom large and show no signs of letting up. Analysts from the Anti-Phishing Working Group recorded more than 1.2 million phishing attacks in all of 2016, a 56% increase from the year before.
That’s why a sound security awareness initiative should include both simulated phishing attacks and associated training for those who take the bait. Combining anti-phishing training with simulated phishing attacks lets your employees see first-hand the ingenious ways hackers have devised to get into your network, and how to avoid them.
Be Aware of Your Environment
One of the best tactics I’ve learned for spotting birds in the natural habitat is literally nothing. That is, standing still and remaining as quiet as you can while the world moves around you. This benefits the birdwatcher in two ways.
One: it makes birds that might have been disturbed into silence by the approaching birder think the danger has passed. With this feeling of safety, the birds feel more comfortable getting on with their normal routine—calling, feeding, flitting from tree to tree. Two: it allows the birder to take greater notice of the surrounding environment. Standing still makes the movement of birds around you stand out more, even the smallest tail flick or head bob.
This sort of situational awareness is also vital in the cybersecurity field. Many a potentially risky situation can be mitigated simply by paying more notice to your surroundings. Is the Wi-Fi provided by that café password protected? Can that person asking you to hold the door show proof she works in your office? Promotion of and education on this sort of heightened attention should be baked into every security awareness program.
Know What to Look (and Listen) For
Scratching along the ground, often near brush and hedgerows, you’re likely to find a striking orange, black, and white bird called a spotted towhee. Towhees have a distinctive, cat-like meee-aach call that stands out once you know what to listen for.
The challenge is knowing what you’re hearing amongst a chorus of similar calls. Whenever I heard that call in the field during my early birding days, I always had to refresh my memory using a bird call app on my phone. Steller’s jay? No. Dark-eyed junco? No. The key for me was noting a few key signs identifying the call as a towhee’s: not as raspy as a Steller’s jay, not nearly as high-pitched as a junco.
Telltale signs of a computer infected with malware can also be subtle, but should not go without notice. Is your or a coworker’s machine suddenly running much slower than before? Has the anti-virus software mysteriously turned off? Though seemingly innocuous, signs like these are important to report to the appropriate IT staff member as soon as possible. Though I had the luxury of time and repetition to cement the call of a spotted towhee in my mind, those tasked with protecting sensitive data do not. Malware can act in seconds to infiltrate a network and give cybercriminals access to this data. Employees need to know and internalize these potential signs of a malware infection.
As with any learning endeavor, the goal of a security awareness initiative is to change employee behavior for the better. Here another parallel with birdwatching reveals itself.
The more I learn about where specific species live, what they sound like, and how they behave, the better informed I become as a birder. This, in turn, changes my behavior. It makes me seek out different habitats to add a variety of species to my life list. It makes me scan all parts of a tree for birds, as some prefer the tops while others prefer to hide amongst the branches. Most significant of all, at least for me, it forces me to stop and take notice more in my everyday life.
This last behavior change should inform most, if not all, of what goes into a comprehensive security awareness program. You should strive for employees who have developed an array of cybersecurity skills that have become like habit. Whether it’s noticing the birds that call your backyard home, or identifying the latest kind of phishing email, we could all do with a little more everyday awareness.