We all like routines that, once we have them in place, don’t require much further thought. This works well for things like brushing your teeth, or always locking your car.
You lock your car because you know that an unlocked car is much easier to steal. It’s easy to lock and unlock your car, so you do it as part of a basic routine.
On the internet, security is a lot trickier. First, most of us don’t really understand computer systems, so we’re vulnerable to hackers who understand the system far better than we do and are able to exploit it. Still, most computer hacks work because of something called “social engineering.” In other words, hackers use the same psychological ploys that magicians use.
The hacks work because they’re designed to exploit our minds’ tendency to follow certain predictable patterns. For example, most viruses don’t travel down the internet and jump into your computer uninvited. Somehow the user has to be tricked into clicking on something that gives the virus permission to invade the user’s computer.
The trick that’s used is always based on basic human psychology, which is how all magic tricks work.
So, the idea that people can avoid security problems on the internet by adopting a routine or slavishly following some “security expert” edict is silly. The fact that you are a human and you follow predictable routines is what makes you most vulnerable.
Security experts make money by touting their expertise and then enticing you to hire them to thwart security problems. Do they know every single security problem that has been devised? Probably not. So they prescribe “best practices” to deal with the most common threats.
In theory, this is a good idea. And in practice it works most of the time. For instance, a security guru will say “install antivirus software and update it regularly.” That’s great advice. But that won’t prevent the ploy that depends on you clicking on an interesting attachment from a girl you are interested in.
Did that girl really send you the email that says “hey check out this funny picture of you”? Maybe not. Her computer may have been hacked and a virus sent out emails to all the people in her address book, and you’re just one of a hundred people who got the same email.
Many of those people will not click the link, but a few will. Because you are interested in that girl you may be more likely to click on it. And once you click, odds are your computer will get a virus.
Instead of focusing on technology, let’s focus on psychology. Humans like routines so that they can do a lot of common tasks without having to think about them. So they’re vulnerable to two things: (1) hackers who are able to catch them by showing them something interesting at a moment when they’re doing a repetitive task (like reading and sending email); and (2) security experts who promise that they can avoid trouble by simply adopting a new “system” that will “automatically avoid” certain major security problems.
The problem with falling prey to the first one is that your computer gets hacked. The second one will lead you to buy something that isn’t really going to protect you as much as you hope.
The bottom line is this: most security problems require you to pay attention to things you don’t like to pay attention to. And you can’t automate a process to substitute for paying attention. The minute you start following a routine (especially one that lots of other people are following too), you’re vulnerable.
Security isn’t something you can put on autopilot, not even if the autopilot is set up by a “security expert.”