What getting hacked taught me about cyber empathy
The industry needs a little less ‘I told you so’ when it comes to dealing with victims


It's time to dig out your tiny violins and sharpen your bows: I have a confession to make. Earlier this year, I was hacked.
If you're among the ten million or so people who take part in the free-to-play Fantasy Premier League (FPL), then you probably know where I'm going with this. In April, a cyber intruder – probably complete with the staple oversized hoodie and balaclava – seized my password and broke into my FPL account, dismantling my crack team and giddily selling off my most prized assets like a turbo-charged Margaret Thatcher.
No, it wasn't a serious breach, and they compromised nothing important but, oh man, was it devastating. All that planning, progress, spreadsheets, hours wasted; all to trash my chances of a surefire first-place finish.
What happened, in retrospect, wasn't surprising – although no less embarrassing, given how much time I spend thinking about cyber security best practice. Which brings us to a game I like to call: ‘How many password management gaffes can you spot in a single paragraph?’
My password was a decade-old string I'd compiled in my teenage naivety, that I hadn’t gotten round to changing, and that I later learned was unearthed in a historic data breach. Nevertheless, this wasn't a case of credential stuffing; rather, the greasy cyber chump obtained my details by breaking into a third-party FPL service – which required you to use the same credentials you'd use to log into the game (I know). To cap it all off, two-factor authentication (2FA) wasn’t yet available, and although I use a password manager, at the time I was only managing passwords I’d created myself, as opposed to generating new, super-secure ones. Yikes.
My next step was to warn others – perhaps naively expecting advice (and a morsel of sympathy) from online forums. The reaction was the exact opposite, and I was bombarded with lols, loaded questions, and comments pinning the blame firmly on my doorstep. There is an awful lot I could’ve done to prevent the hack, but when some cyber punk trades in my Salah for Solly March and İlkay Gündoğan for Anthony Gordon, I don’t need it rubbing in.
You can put those violins away now.
The incident, although relatively minor, got me thinking about how cyber security discourse has evolved recently – indeed drastically – in the time since I joined IT Pro nearly five years ago. Rapidly changing threats have rendered an already complex landscape much harder to keep up with. After all, “it’s a matter of when – not if” is among the most commonly used phrases that come up in Cyber Security Conference Bingo. Sure, there are any number of steps that can be taken to protect your organisation from the many and various threats, from phishing to ransomware. Doing everything by the book, though, won’t guarantee protection – and one simple lapse in concentration, like falling victim to an incredibly convincing social engineering scam or forgetting to change a compromised password, can open the door to total devastation.
Much of what we think of as ‘best practice’, too, is up for debate, with conventional wisdom frequently challenged. The National Institute of Standards and Technology (NIST) this year released guidelines advising the inverse of what many consider best practice, such as ditching regular password resets and dropping requirements for users to include arbitrary special characters when compiling strings. Academic research, meanwhile, shows workplace cyber security training might not be working as intended. Phishing simulations, in which IT admins send fake phishing emails to bait employees into clicking links or offering credentials, are counterintuitive, according to research by ETH Zurich. Similarly, security awareness training, such as programmes built on e-learning materials, lacks effectiveness, according to a study by Usenix.
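To make the contrast concrete, here is an added example (not code from the article, ITPro or NIST) that puts the two password philosophies side by side: a legacy composition-rule policy of the kind the paragraph describes, and a NIST SP 800-63B-style policy that leans on length and screening against known-breached passwords instead, with rotation triggered only by evidence of compromise. It also covers the two failures from the author's own account above: a decade-old password that had surfaced in a historic breach, and the same credential reused on a third-party service. The breached-password list and the account names are constructed for the example; a real deployment would screen against a breach corpus rather than a hard-coded set.

```python
import secrets
import string

# Constructed stand-in for a breached-password corpus. The entries are made up
# for this example and chosen to be obviously weak; they are not real leaked data.
BREACHED_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "P@ssw0rd1!", "football2013",
}


def legacy_policy(password: str) -> tuple[bool, list[str]]:
    """Composition-rule policy of the kind NIST advises dropping: 8+ characters
    with at least one upper, lower, digit and special character. It never asks
    whether the password is already known to attackers."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    return (not problems, problems)


def nist_style_policy(password: str, username: str = "",
                      breached: set[str] = BREACHED_PASSWORDS) -> tuple[bool, list[str]]:
    """Policy in the spirit of NIST SP 800-63B: a length floor, no composition
    rules, long passphrases welcome, and a case-insensitive check against a
    breached/common-password list plus context words such as the username."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if password.lower() in {p.lower() for p in breached}:
        problems.append("appears in a breached-password list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return (not problems, problems)


def must_rotate(age_days: int, known_compromised: bool) -> bool:
    """Rotation is driven by evidence, not by the calendar: a ten-year-old
    password that has never leaked stays; a week-old one that has leaked goes."""
    return known_compromised


def shared_passwords(accounts: dict[str, str]) -> dict[str, list[str]]:
    """Return each password reused across more than one account and the accounts
    sharing it. Compromise of any one of those services exposes all of them,
    which is exactly how a third-party breach can reach an unrelated account.
    (Plaintext is used here for clarity; an audit tool would compare hashes.)"""
    by_password: dict[str, list[str]] = {}
    for account, pw in accounts.items():
        by_password.setdefault(pw, []).append(account)
    return {pw: accts for pw, accts in by_password.items() if len(accts) > 1}


def generate_password(length: int = 20) -> str:
    """What a password manager does that a human does not: a unique random
    string per account, drawn from a CSPRNG, long enough that no composition
    rule is needed."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for pw in ("P@ssw0rd1!", "correct horse battery staple", "football2013"):
        print(f"{pw!r}: legacy={legacy_policy(pw)} nist={nist_style_policy(pw)}")
    # Constructed account list mirroring the reuse problem described above.
    print(shared_passwords({"fpl": "football2013", "fpl-stats-app": "football2013",
                            "email": "unrelated-unique-value"}))
    print(must_rotate(age_days=3650, known_compromised=False),
          must_rotate(age_days=7, known_compromised=True))
    print(nist_style_policy(generate_password()))
```

Run as a script, the output shows the point the paragraph makes: the short, symbol-laden `P@ssw0rd1!` sails through the composition rules while being rejected as already breached, and the long lower-case passphrase fails the legacy checks while passing the NIST-style ones.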
I’m not making a point against cyber security training; rather that it’s much harder to prepare for the worst case scenario than it might initially seem on paper. Secondly, the landscape is such that – jokes aside – it is a matter of when, not if, you’re hit by the same faceless scapegrace that tanked my FPL season. While comparing the challenges facing a large business to my own pathetic woes is a bit of a stretch, we’re all still learning how to cope with an ever-growing onslaught of e-goons threatening to crack open our secrets. What matters is how we respond when disaster strikes, which, in my case, involved optimising my password manager, reconfiguring all username and password combinations and enabling MFA where possible. In light of the way things are moving in cyber security, perhaps we need a little less “I told you so” and “what did you expect?”, and a little more “sit down, I’ll make you a cuppa” when things go so badly wrong.

Keumars Afifi-Sabet is a writer and editor who specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.