Going Phishing

With branded super vulnerabilities like HeartBleed and Shellshock grabbing headlines and retweets, and the latest breach victims illustrated so wonderfully for us by DataBreachToday, security awareness has come a long way since yesteryear.

However, even with all of the media attention, National CyberSecurity Awareness Month, security awareness trainings, penetration testing, and ranting and raving about data breaches costing an average of $3.5 million per breach (according to the 2014 Ponemon Institute study), users from system admins to CEOs still fall victim to socially engineered cyber attacks every day.

And, as we all know, in our ADHD society, breaking through to users and changing behavior can seem like an insurmountable task for IT security professionals.

But alas, we do have the power of stories to help.

As I work to evangelize the benefits of collaboration and peer advisory at Wisegate, I get to speak with really smart and successful IT and Security leaders every day. One of my favorite questions to ask these senior IT security professionals I speak with is about the stories they use to get business professionals (non-security folks like me) to open their eyes to the risks and threats that exist today.

One of my favorite user awareness stories was relayed to me by a Director of Security, about an executive friend of his who was a victim of a very scary Spear Phishing or advanced persistent threat (APT) malware attack.

Here is his story.

As a busy executive of a large enterprise, Joe (name changed to protect the victim) was always putting in long hours and had a heavy travel schedule. The nature of his career, unfortunately, took him away from spending time with his family, which obviously was a hard trade off to make.

Joe’s daughter played soccer. She had many games, most of which he, unfortunately again, had to miss due to his obligations at work. Fortunately, Joe’s daughter typically didn’t see too much play time in games, so he was usually excused with a kiss on the forehead when he returned home, and a “Keep up your practicing and you’ll do better next time, Sweetheart.”

Well, one day Joe was working late and had to miss another game. This game was different, though. On this game night, Joe’s daughter not only played, but ended up scoring the WINNING GOAL!

The next day, feeling terrible that he missed the game, Joe gets an email that goes something like this (DISCLAIMER: This is not the actual email; it was created just for illustration purposes):

——– Original Message ——–

Subject: Winning Goal

From: “John” <john@gmail.com>

Date: Apr 29, 2014 4:55 PM

To: JoeExecutive@Fortune100co.com

Attachment: Emilys-Winning-shot.zip

Hi Joe,

Sorry you weren’t able to see Emily’s big score last night. Luckily I got a great shot. See attached…

Your friend,

John

—————————————————–

If you guessed that this harmless-looking email from a supposedly trusted source contained malware that led to a security breach… you guessed right. Scary, huh?

If you are a security professional and have a good story to tell that can help others break through to busy executives who are prime targets for advanced persistent threats, I welcome you to comment below and share your stories.

This way we have a powerful collection to share and help people stop, think and become more aware.

If you are an IT Security professional who is looking for a place to collaborate with trusted peers online, away from public eyes, in order to solve problems and leverage the expertise of others, take a look at Wisegate.