Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


11:00 PM
Dug Song
Dug Song
Connect Directly
E-Mail vvv

What Flu Season Can Teach Us About Fighting Cyberattacks

Cybersecurity doesn't have to be an arms race towards complexity if we put people front and center of the solution.

Every winter there is an outbreak of flu. The virus evolves rapidly and mutates. Annually the flu causes three to five million cases of severe illness and the death toll can reach half a million people. Serious pandemics like the Asian Flu, Hong Kong Flu, and Spanish Flu each claimed more than a million lives. In 2009, the Swine Flu pandemic outbreak began in Veracruz, Mexico. Swine Flu infected an estimated 10 million to 200 million people. But the outbreak was controlled and the fatality rate of 18,500 (0.03%) was far less than experts feared at first.

Despite the dramatic toll that influenza takes, it has been well controlled by a few basic best practices. Good health and hygiene practices including frequent hand washing, covering coughs and sneezes, and avoiding close contact with sick people to reduce the transmission of the flu virus. According to the Centers for Disease Control, hand washing is the single most important thing we can do to keep from getting sick and spreading illness to others. Vaccination has also helped reduce the risk of getting the flu by up to 90%.

While cybersecurity breaches don’t kill people, the costs can be very high. But unlike public health emergencies, breach responses tend to be isolated, uncoordinated, and unfortunately not very effective; our industry regularly overlooks effective, common-sense approaches and fundamental preventative security controls. For example, the U.S. Inspector General’s Office warned the Office of Personnel Management the year before its massive breach to implement elementary preventive measures. The OPM failed to heed those warnings and got hacked.

Promoting best security practices is a lot like promoting healthy hygiene. The more people we can recruit to adopt basic, effective security practices, the safer we will all be. There's no reason we can't combat malware as effectively as we respond to biological viruses.

We have to change our ways.

The estimated annual cost of influenza in the U.S. ranges up to $87 billion, according to the National Institutes of Health. Cybercriminals last year stole six times more from the global economy than the U.S. spent fighting the flu. McAfee estimates annual global losses to cybercrime approached half a billion dollars in 2014 (0.69% of U.S. GDP) with more than 200,000 jobs lost in the United States. In the battle against cybercrime, we continue to fall behind.

Our fundamental challenge is asymmetry. As every hacker knows, any system or company is only as secure as its weakest link. Organizations need to protect every device, server, application, system, credential, and user. But a hacker only needs to steal just one user ID and password to get in. The way to improve cybersecurity is to take this traditional weakness and turn it against the enemy by drafting users into the solution. Instead of being a point of vulnerability, users become our front line defense by focusing on the fundamentals of good security hygiene -- the digital equivalent of washing your hands or covering your mouth when you cough. If we all incorporated these four simple practices into our daily lives, we’d shut down most cyberattacks:

  • Update the devices and software you use frequently. Vendors constantly patch bugs in their products. If you don't have a policy to run the latest versions of software releases on your servers, laptops, and smartphones, you're leaving known vulnerabilities open to hackers.
  • The most popular password in the world remains 123456. Stop trying to memorize lengthy passwords. Use a password manager like LastPass that automates the generation of complex passwords.
  • Use two-factor authentication. A hacker may steal your passwords, but it’s nearly impossible to steal those and your smartphone or token at the same time.
  • Use common sense with your email. Never open email attachments or click on links from a sender you don’t know and trust

Share these suggestions with your work colleagues, friends, and family. Cybersecurity doesn't have to be an arms race towards complexity. Like fighting the spread of a deadly flu, it’s much better if we put people front and center as part of the solution.

Prior to co-founding Duo Security where he serves as CEO, Dug Song spent seven years as founding chief security architect at Arbor Networks, developers of network software that protects 80 percent of the world's Internet service providers. Before Arbor, Song built the first ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
11/9/2015 | 1:15:21 PM
Good Practices
These are good practices that need to be followed much more than they currently are especially when it comes to password complexity. However, this is only small faction of things to consider when fighting cyber attacks. I'm completely for Occam's Razor but sometimes it is difficult to simplify such a granular topic.
User Rank: Apprentice
11/9/2015 | 10:15:57 AM
Login and passwords for websites you will never visit again.
In my opinion too many websites want the user to have an account.   Yes they can resell the information the gather and have a revenue stream.   Im my case if the site is one that I do not think I will every visit gain then I do one of two thrings.  1.  Use fictious information ([email protected])  .   2.  Use somestandard login and passwords so I can remember it.    The latter practice is what causes problems.   If you only had a half dozen accounts then remembering would not be a chose but with literally hundres of accounts then the human mind demands simplification. 


I want websites to allow me to do business withotu an account,   I am willing enter my name, address and phonenumber each time in trade for the mercahnt not storing anything.

Finanlly as far a two factor authenification it may be technically secure but I do not need another device or application that I need to protect.    If I lose my cell phone that I would have to spend days reconstructing accounts.   That is too high a price.   The cheaper price is not having accounts,




COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.