Internet Security Report for Q4 2019

Many of the fears that occupy peoples’ attention, and drive big headlines in the media, are indeed scary and tragic. That said, they are also so statistically unlikely to happen that they shouldn’t receive such a disproportionate amount of attention in comparison to threats that are more mundane, don’t drive click-bait headlines, but have a much greater statistical chance of happening to us. For example, a common analogy is that some people are afraid of getting into an airline crash, but are far more likely to have a fatal car accident while driving to the airport. Or, while people are rightly afraid of contracting Ebola, many don’t realize that the common flu kills 100 to 296 times more people every year. We worry about potential terrorist attacks, but don’t pay attention to the staggering rates of heart disease that will likely kill around 647,000 US citizens this year. While evolution equipped us to efficiently identify immediate threats, it doesn’t seem to help us properly identify and prioritize the silent killers that are far more likely to affect most of us over time.

This idea recently came to mind when I was discussing the historical Tylenol Terrorist with a coworker. If you don’t remember, in Chicago during 1982 some degenerate murderer poisoned bottles of Tylenol with potassium cyanide, killing seven people including a 12-year-old girl. That tragic incident created a national panic, and dramatically changed our pharmaceutical and food packaging industry, forcing new safety standards. We likely have it to thank for tamper-proof packaging today.

My coworkers’ thoughts on the Tylenol incident revolved around how the horrible threat led the industry to positively find new security controls to keep us safe – a silver lining in what was an otherwise horrific situation. However, I couldn’t help but ask, “Was that panic justified?” I think society was panicking about the wrong thing. While those seven deaths were tragic, Tylenol actually kills 64 times more people every year all on its own. According to research, acetaminophen (the active ingredient in Tylenol) causes around 50 thousand emergency room visits, 25 thousand hospitalizations, and 450 deaths (100 unintentional) every year; all from overdose. Even if you count all the deaths from copycat poisoners, Tylenol overdose is far riskier to the average person than some killer tampering with our products. Yet we seem to fear the killer more than the common overdose. This is yet another of many examples on how humans’ emotional fears don’t always statistically match the biggest threats we face.

This mistake happens in information security as well.Researchers like us often focus on the newest, technically sophisticated and unusual cyber threats, likely because they are cool and a bit scary in their capabilities. Yet the truth is, run-of-the-mill phishing attacks are much more likely to cause real-world breaches than any rare or fancy APT attack. You’d do far better for your organization to defend against the statistically relevant threats than any complex yet rare ones.