This has been a difficult year for cybersecurity defenders, but 2024 may wind up being remembered more for its unforced errors, the mistakes that vendors and others made that resulted in incidents and headlines they’d rather forget.
To make sure they don’t get a chance to forget – jk, we’re just trying to end a tough year on a light note – here are some of the, uh, less forgettable cybersecurity moments of 2024.
So here are the five dumbest things in cybersecurity this year (six actually – one’s a tie), which also serves as a nice guide for what not to do if you’re a hacker or security pro.
#5: Taunting the Wrong People
Threats and bravado among hackers are as common as cyberattacks, but could there be anything dumber than threatening someone whose career has been built on unmasking cybercriminals?
If you don’t know Allison Nixon, you should get to know her work. Just don’t taunt her. Unless you want to be next – her stock line when announcing an arrest.
Allison also dubbed our recurring “Dumbest Thing in Security” feature “The Darwin awards of cybersecurity,” a phrase we’ll gladly borrow starting right now.
#4: Excessive Celebration
American football referees penalize teams for “excessive celebrations,” or over-the-top displays after a touchdown that could be viewed as unsportsmanlike behavior.
There are also excessive celebration penalties in cybersecurity, only those penalties tend to be much worse than a 15-yard penalty.
Cybercriminals have also been known to enjoy a big score a little too much, only in those cases the celebrations tend to raise suspicions among law enforcement, tax collectors and online sleuths.
Two in particular stand out this year: The dude who spent $110,000 in cash on a Corvette despite having no discernible income, and the hackers who dropped as much as $500,000 a night at clubs, including lavish gifts for women that left a nice social media trail.
So we’ll call #4 on this list a tie.
#3: The Phishing Test that Shouldn’t Have Been
Panicking users into clicking may be a goal of phishing tests, but one objective shouldn’t be making those users fear for their lives. Unfortunately, one university did just that, in the process creating an Ebola scare on campus. On a Sunday morning, no less, when correcting that misinformation couldn’t have been easy.
#2: Microsoft Recall Rollout
Microsoft’s initial launch of its Recall screenshot recording feature – with little in the way of security or privacy controls – was met with an outcry that soon led to a delay for further testing and development. Recent reports suggest that Recall’s data and privacy issues persist.
At the time of the botched Recall rollout in June, independent security researcher Kevin Beaumont called it “the dumbest cybersecurity move in a decade.”
That distinction didn’t last long.
#1: The CrowdStrike Outage
Microsoft’s Recall fiasco might have won in any other year, but CrowdStrike won with a “hold my beer” moment less than two months later.
The optics of a company that’s paid to prevent cyber incidents causing what was perhaps the biggest cyber incident ever has had the expected effect on sales, lowering them for at least a couple of quarters, if not permanently damaging the brand.
On the plus side, Microsoft is looking at changes to make Windows more resilient after the incident, including “additional security capabilities outside of kernel mode.”
CrowdStrike, for bricking 8.5 million Windows machines and bringing global commerce to a screeching halt, you win The Cyber Express’ first-ever “Own Goal” award. Congrats, or whatever.
