May 04, 2025
Personal digital protection
As human beings, due to our evolutionary background, we struggle to perceive the dangers of the digital world. We have always been accustomed to assessing risk based on our physical environment, evaluating the context (location, people, etc.). For example, walking through a dark, deserted alley at night, we would likely feel a sense of heightened alertness combined with anxiety. These emotions are essential in triggering a flight response in case of a threat.
This sense of vigilance is generally absent when using computers and smartphones. Often, this is because we use such devices in safe locations, such as our homes, offices, or crowded waiting rooms. No one would typically use a social network in a potentially dangerous situation if the danger were perceived as such.
However, we fail to fully grasp that if the Internet connects us to the world, the world is also connected to us, with all its consequences. This results in a misperception of danger when using digital tools.
Personal Digital Protection
We are used to thinking that certain individuals (politicians, industrial leaders) require physical protection through armed guards and armored vehicles. However, we rarely consider the necessity of protecting these individuals from a digital perspective. This is not merely a matter of understanding a specific technology but rather adopting a security-oriented mindset.
Consider two well-known cases: Boris Johnson (former British Prime Minister) and Ank Bijleveld (former Dutch Minister of Defense). Both inadvertently exposed access credentials to confidential meetings. Many colleagues commented harshly on these incidents, but the problem is more complex than it seems: we need to educate people to understand a world that, until recently, posed no significant threats. We must build awareness to mitigate potential damage. I say “mitigate” because damage has already occurred, and, even if we start today, many more incidents will happen before we reach a sufficient number of informed individuals capable of minimizing these risks.
We must focus on:
- C-Level executives, politicians, and key personnel in national and corporate environments who are potential targets for attacks against critical infrastructure.
- Adults, both as individuals and employees, who are susceptible to digital attacks, scams, and phishing, potentially becoming entry points for corporate breaches.
- Children and teenagers, who are often given technological tools without adequate education on digital threats and self-protection.
A Case Study
Several months ago, I came across a job listing from an international company (which will remain anonymous) looking for a CISO. The position was interesting, and before considering it seriously, I wanted to assess the company’s security awareness. I conducted an OSINT (Open Source Intelligence) analysis to identify potential vulnerabilities.
For those unfamiliar with OSINT, it refers to the practice of gathering publicly available data. It is comparable to research conducted in a public library.
No hacking or intrusion was performed, yet due to the careless handling of information, I made some surprising discoveries. Specifically, I found personal details of the CEO, including their private email, personal phone number, and home address.
These details were accessible via the company’s website, embedded in corporate documents from previous years, likely submitted for certification purposes and never removed. Search engines then indexed this information, making it publicly searchable, just like a library catalog.
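A defender-side check for the exposure described in this case study, as an added example that is not part of the original article: it scans the text of documents an organisation publishes on its own site for email addresses outside the corporate domain and for phone numbers, so they can be reviewed and removed. The domain `example.com`, the file paths and the document text are constructed assumptions; home addresses are not covered, and every hit needs manual review.

```python
import re

# Assumption: the organisation's own mail domain. Addresses on any other
# domain found in a published document are treated as possibly private.
CORPORATE_DOMAIN = "example.com"

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")
# Digit runs with common separators; the digit count is checked afterwards.
PHONE_RE = re.compile(r"(?<![\w.])\+?\d[\d ().-]{6,18}\d(?!\w)")


def find_contacts(text, corporate_domain=CORPORATE_DOMAIN):
    """Return (kind, value) pairs for contact details worth a manual review."""
    findings = []
    for m in EMAIL_RE.finditer(text):
        domain = m.group(1).lower()
        internal = domain == corporate_domain or domain.endswith("." + corporate_domain)
        if not internal:
            findings.append(("external-email", m.group(0)))
    for m in PHONE_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 8 <= len(digits) <= 15:  # plausible phone number length
            findings.append(("phone", m.group(0)))
    return findings


def audit(documents, corporate_domain=CORPORATE_DOMAIN):
    """Map each published path to its findings; clean documents are omitted."""
    report = {}
    for path, text in documents.items():
        hits = find_contacts(text, corporate_domain)
        if hits:
            report[path] = hits
    return report


# Constructed sample: text already extracted from two published files.
SAMPLE_DOCS = {
    "/docs/2019/certification-application.txt": (
        "Legal representative: J. Doe\n"
        "Contact: j.doe.private@mail.example.net, +1 202 555 0142\n"
        "Certificate ref 2019/04"
    ),
    "/docs/press/contact.txt": "Press office: press@example.com",
}

if __name__ == "__main__":
    for path, hits in audit(SAMPLE_DOCS).items():
        print(path, hits)
```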
Threat Modeling
The threat modeling activity involves hypothesizing the threats to which I am exposed or expose myself by performing or not performing a specific action. For example, if I provide my personal mobile phone number to someone who asks for it during a conference, I am aware that this number can potentially be disseminated without limitation. As a result, I might, for instance, receive WhatsApp messages from unknown individuals and will need to assess any interactions with this awareness.
In the scenario described above, making one’s private contact details public exposes the individual to both digital attacks (via email and phone number) and physical attacks (via home address), potentially opening the door to stalkers. Moreover, since the individual holds a highly significant role within the company, they could become the ideal target for accessing sensitive corporate information, such as bank accounts, commercial data, patents, and more.
Conclusion
While this article may seem alarmist, denying reality does not make it disappear. The issue is real and widespread across all sectors (corporate, personal, and youth). We must first acknowledge that we all face digital security challenges and learn how to manage them effectively.
The tools exist; we need to learn how to use them correctly. The best way to do so is by applying time-tested principles: we must train ourselves to recognize and mitigate digital threats, just as we did with traditional security threats before the Internet became widely accessible.
Parents of today’s middle-aged adults often advised against talking to strangers. We need to translate that mindset into the digital world, where we are all cons