CHAPTER 1
The Time I Ruined Easter

I’ve had better Sundays.

It was Easter, April 16, 2017. I had just finished a homemade dinner with my husband. It was time to chill and finally enjoy a few hours of downtime, compliments of the latest binge-worthy craze on Netflix. Little did I know, I was about to star in my own real-life drama that was much more cringe-worthy instead.

My cell lit up and I looked down at the display. It was a text from Chatelle, our chief human resources officer (CHRO). Chatelle and I were close. We had just teamed up to help McAfee’s spinout from Intel as one of the world’s largest independent cybersecurity companies 12 days prior. Seeing a text from her on Easter wasn’t unusual, assuming it was the type of well-wishing that happens between friends on a holiday. This was not that type of text.

I immediately felt my blood pressure surge as I opened McAfee’s company page on a very prominent social media platform, the name of which I have redacted from this true story. I was horrified.

Someone had deliberately defaced the social profile of our newly minted, 12-day-old company with the most obscene and offensive language directed at nearly every walk of life. This would be bad for any company. But let me try to express how desperately bad this was for us.

The offensive epithets were in stark contradiction to everything our company represented. We had just relaunched our brand with a new tagline, “Together is power,” reflecting our belief that it takes all kinds to protect our world from cyber threats. We had just unveiled new values to all employees upon our company’s launch, one of which espoused inclusive candor and transparency. And we were a leader in cybersecurity. How would customers feel about our ability to safeguard their most precious digital assets if we couldn’t even protect our own company’s profile on one of the largest social media platforms? And, to top it off, my team—the marketing organization—was responsible for managing our company profile across all social channels, including the debased one staring me in the face.

I jumped into action. I had to get to the leader of our digital team to figure out what was going on. I reached her immediately and didn’t even have to explain that the call wasn’t to wish her a Happy Easter.

I started to think the worst. A hacked social media profile was one thing. What if this was a coordinated attack against McAfee with a much bigger prize at stake, with hackers diverting our attention to this fire drill while they seeped in through our company’s systems?

She immediately reassured me that our chief information security officer (CISO) was already on the case, confirming our systems were good. Relief washed over me for a moment—until I realized I needed to make another call. Our CEO needed to know what was going on. And I preferred he hear the news from me. I was about to ruin his Easter Sunday. He picked up the phone almost instantly:

I explained to him just what had happened. Our social media manager, Gavin, was the first to discover the attack. Gavin had been at home, doing what social media geeks do on holidays—he was online. Around 5 p.m. he saw a status update on the social media platform with a bunch of random letters in it. He figured someone on his team had butt-dialed the update. Gavin deleted the random post.

He then pinged his team to see who might have accidentally created that post. No one knew anything about it. Soon, another meaningless post showed up. This was now not random.

Gavin logged into the social media platform and went to the account settings area. All the names were familiar of the people who had administrative privileges for the account. Even so, to be on the safe side, Gavin started to delete all other admins.

As he was doing that, his page refreshed, and Gavin was locked out.

There was now no doubt that this was malicious. In a moment, Gavin realized that his deleting the weird posts had alerted the hacker that McAfee was aware of the defacement. It was like the classic race in tech crime dramas with fingers flying on keyboards, spinning icons as processes complete and messages flashing as only Hollywood can bring to the screen. Gavin and our hacker were racing online to do the same thing. Even without the pulsing soundtrack, the tension was every bit as fraught with drama. Gavin said, “I was trying to delete all the other admins, and the hacker was doing the same thing. He beat me.”

Before I hung up with our CEO, I had one more piece of disappointing news to share.

It’s common in the hacker community to deface sites with obscene drawings to indicate that someone got “pwned,” hacker slang for being defeated in a humiliating way—for being “owned.” Now that the hacker knew we were locked out and he was in control for the time being, he added an obscene image to replace our new company logo, just for good measure.

My team frantically engaged the social media platform company to remediate the issue. But . . . things don’t happen quickly on holidays. And since this was now later in the evening, we were relegated to working with the company’s Asia-Pacific (APAC) group, making it seem as if time itself had to physically cross the ocean separating us and the support team. Minutes slowed to a crawl.

We waited for what seemed like an eternity. Because it was not our servers that were hacked, there was no big team from McAfee I could put on the third-party problem to fix it. We could only check in with the company’s support team every few minutes, only to be told they were “on it.”

After about 30 minutes, we received news that the social media company had locked out all admins from our company page, and only they had access now. That was the good news—at least no more damage would be done.

The bad news? They did not have a means to simply roll back the page to what was there 30 minutes before. Their procedure was to lock the page, so no further changes could be made, and then to follow a validation and analysis procedure: For validation, they wanted to make sure that we were who we said we were, and not a hacker calling up pretending to be McAfee (How ironic!). Then the analysis part kicked in, where they wanted to study the extent of the hack before taking any further action.

But what about the obscene image? It was still up on our corporate page. To make matters worse, because of the way this social media provider worked, every employee who had a personal page on the platform and listed McAfee as an employer now had the obscene image displayed on their own page in place of our logo, too!

Including mine.

On the next update I received, the support team said they weren’t yet done with their “procedures.” They said the only way to roll back the page was first to reactivate the account—unlock it—and they were not going to do that until they finished their security review.

Seriously? How was this happening? Nothing could be done about our company page until they were done with their review. We were at their mercy. The most our employees could do was to delete any mention of McAfee on their own personal pages, which some who were aware of the event did.

But that wasn’t sufficient. I continued to ruin Easter Sunday for others as I alerted our executive team of the event. We had ensured our company’s servers were safe, but that didn’t mean McAfee wasn’t under attack through other social channels. And we certainly didn’t know whether our own executive members—and their social profile personas—weren’t the next target.

I took to email and group texts to sound the alarm, instructing our executive team to enable multifactor authentication on their personal profiles immediately on all social networking sites (more on multifactor authentication in a moment).

I followed my own advice and began frantically enabling the security feature on my personal profile pages wherever I could, that is, until I hit a very popular social networking platform where I became stumped. I’m not sure if my body was in the full throes of fight-or-flight (where the body redirects blood flow to major muscle groups to help one flee a threat or stand ready to combat—in other words, not the prefrontal cortex) or if the social media platform could have done a better job of not obscuring the safety capability. It was probably a bit of both. In either case, panic consumed me, and I resorted to a desperate measure: I deleted my personal profile—and all its history—on the social media platform altogether.

An hour stretched to two, then three, then four. I was regularly calling our CEO with the requisite, but annoying, status updates about our increasingly embarrassing vandalized company profile page. Calls that went something like:

Lather, rinse, repeat—every 30 minutes.

It was on one of these calls that our CEO pulled a rabbit out of his hat.

Chris made the connection and pleaded our case. Within 30 minutes of the call, the page was restored to its original state. I don’t know whether Chris’s call mattered, or whether the investigation simply had run its course and was completed. I just knew that the situation was now contained.

On Monday morning, we posted an article on our intranet site, letting every employee know what happened over the weekend. Remember that McAfee value I mentioned about practicing inclusive candor and transparency? We owed it to our employees to explain what happened, especially given their social media pages were defaced over those tense few hours when the heinous image replaced our company logo. Being candid and transparent is difficult when dealing with an uncomfortable topic. But it’s also necessary to truly live the value.

* * *

I tell you this story not just because it’s interesting, and not just so you feel “Hey, better her than me!” I began with this story because it’s a microcosm of what we’re going to be talking about for the rest of the book.

Just so you get your money’s worth from this book—in the very first chapter—I’ll now break down how the hack happened, and what we did afterward. Most importantly I will lay out the steps that you can take tomorrow morning at work to see that this does not happen to you.

Lessons Learned the Hard Way

When we regained control of the account, we asked the social media company to tell us whose admin account in our dashboard had been responsible for the changes.

Turns out it was an employee with one of our media placement agencies, who was no longer doing work for us—let’s call her Julie. Her credentials were stolen by a teenager connected to a larger cybercrime syndicate. Julie made the mistake so many others make: She didn’t practice good password hygiene. She used the same password to access multiple accounts, including her profile on this social media platform. And, since she was an authorized administrator for McAfee’s corporate page on the same site, her personal credentials gave her access to not only her profile, but ours as well. When one of her accounts was compromised and her credentials traded on the Dark Web, hackers simply tried the password across her other online accounts. That’s when they struck pay dirt in breaking Julie’s administrative access to McAfee’s company profile on the social media platform. The rest was child’s play.

Hindsight is 20/20 and this case was no exception. Vulnerability number one: Julie used the same password for access to her social media account (and our corporate page on the same social media platform as one of our authorized administrators) as she used for other accounts. If she had used unique passwords, then the credentials that bad actors bought on the Dark Web would have been worthless. What’s worse? When alerted to the hack on her personal account, Julie quickly changed her password. But she failed to change it across her other accounts, including the one in this story. That’s on her.

Vulnerability number two: We should have required multifactor authentication for all admins on that social media site. What this means is that the correct password alone is not enough to gain access to a system: you must also enter a one-time code that’s generated and sent to, say, your phone. If you don’t have the code within a few seconds or minutes of being asked for it, you’re not getting in. There are several versions of this type of authentication and I’m simplifying it here, but you get the idea. That’s on us.

Vulnerability number three: We did not do a review frequently enough to see who no longer needed access to our account. Julie helped us a while ago, but we should have removed her from being an admin after her activity had ended. We still could have been hacked while she was actively working with us, but our lack of access hygiene just made it worse. That’s definitely on us.

All of these actions would have vastly reduced the chances of the hack occurring. But let’s say for some crazy reason a hacker with enough motivation, skill, and luck was able to get into our social media account. Let’s look at what could have helped us after a hack was discovered, had we put certain things into place beforehand.

We should have had a procedure where we lock out all admins without letting on that we are aware of the attack. By our deleting the nonsense posts, we alerted the hacker. Then when the hacker saw we were deleting permissions, he acted more quickly than we did.

It was fortunate that Gavin was on the defaced page on Easter Sunday. Otherwise we may not have known as quickly about the defacement. Now we have a tool that uses machine learning to detect unusual images, profanity, slurs, and other anomalous material on social media sites. It immediately alerts several members of our team in the event it detects such unusual activity.

Note: I’m not going to name the tools we use for two reasons: First, tools come and go, and they also tend to have different effectiveness at different times. In other words, when a tool is first launched, it may be highly effective—until hackers figure a way around it. Because I don’t know when you’re reading this book, I don’t want to praise something that I may no longer be using when you’re actually reading these words.

The second reason for not mentioning the tool is McAfee already is a huge bullseye for hackers around the world. By keeping them guessing what exact tools we use, we help to lessen that threat. If you search for some of the descriptions I use for tools, you’ll quickly find current ones you can try.

Back to the story of lessons we learned:

At the time we alerted the social media company of the hack, we did not know their procedures for dealing with it. Mistake. We found out only then that their policy was to freeze the account for many hours, regardless of how defaced our page was. We now ask about these procedures in advance of creating corporate pages on other sites.

We learned the hard way that money talks. Because we were spending a decent amount of money on advertising on this social media site via agencies, we looked like a smaller account to the company than we were; that might have affected response levels. Today, we spend directly with social media platforms to accurately reflect our investment and receive the commensurate service levels we deserve.

And, we learned that third-party companies with which we do business may not have strong security practices. This is especially important to remember for companies that have access to your systems or appear as an extension of your organization. In particular, smaller third-party companies with which you have a relationship may not have formal IT and security teams, let alone practice rigorous cybersecurity hygiene.

Finally, the postmortem of that Easter’s unfortunate events delivered one final punch in the gut. McAfee wasn’t even a deliberate target in the hack. The hacker didn’t realize Julie was an administrator for McAfee when he broke her credentials. He didn’t know (or care) who Julie was. He was on the hunt for passwords. His reward would come only after he determined what the password unlocked—be it a personal banking account, a company’s network, or something else. Once he found one that just so happened to unlock the keys to McAfee’s company page on that social network, he unleashed his rants of abuse on it, offending everyone he could and humiliating us in the process. Even for hackers, sometimes it’s better to be lucky than good.

Additional Lessons for You

Have lists of people you can call and people to whom you can escalate. Have them where you and your team can access them anytime. Also, the lists must not only be for people on your team but also for people at the vendors for your website, social media, cloud storage, etc.

It needs to be in someone’s job description to regularly review who has access to an account and clean up the list to remove people who no longer work on those projects.

Use multifactor authentication. For some systems we can automatically detect if one of our users has it turned on, and the system will tell us if a user turns it off, even for a few minutes as she switches to a new computer, for example. With systems over which we have less direct control, like a cloud-based service, we require that users send us screenshots of the multifactor authentication being enabled.
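The two habits just described, a scheduled review that removes people who no longer work on the account and a check that every remaining admin has multifactor authentication turned on, can be written down as a small script so the review actually happens on a calendar rather than after an incident. The following is an added example for this book, not code from McAfee or from any social media platform; the admin records are constructed, the field names (engagement_active, mfa_enabled, last_login) are assumptions, and the 90-day idle threshold is a placeholder policy value, not one the text specifies.

```python
"""
Periodic access review for a shared account (for example, the admin list of a
corporate social media page). Added example, not the book's or McAfee's code.
Each admin record below is constructed; the field names are assumptions.
"""
from dataclasses import dataclass
from datetime import date

# Placeholder policy: an admin who has not logged in for this many days is
# flagged for removal even if their engagement is still marked active.
MAX_IDLE_DAYS = 90


@dataclass(frozen=True)
class Admin:
    name: str
    organization: str        # "internal" or the name of an outside agency
    engagement_active: bool  # still has a current project or contract with us
    mfa_enabled: bool        # multifactor authentication turned on
    last_login: date


@dataclass(frozen=True)
class Finding:
    name: str
    action: str   # "remove" or "require-mfa"
    reason: str


def review_admins(admins, today, max_idle_days=MAX_IDLE_DAYS):
    """Return the list of actions the reviewer should take.

    Removal takes precedence over an MFA finding: there is no point asking
    someone to enable MFA on an account we are about to take away.
    """
    findings = []
    for admin in admins:
        if not admin.engagement_active:
            findings.append(Finding(admin.name, "remove",
                                    f"engagement with {admin.organization} has ended"))
            continue
        idle_days = (today - admin.last_login).days
        if idle_days > max_idle_days:
            findings.append(Finding(admin.name, "remove",
                                    f"no login in {idle_days} days"))
            continue
        if not admin.mfa_enabled:
            findings.append(Finding(admin.name, "require-mfa",
                                    "multifactor authentication is off"))
    return findings


def remaining_admins(admins, findings):
    """Names that should still hold admin rights after the removals are applied."""
    removed = {f.name for f in findings if f.action == "remove"}
    return [a.name for a in admins if a.name not in removed]


# Constructed sample data: a former agency contact, an idle internal user,
# an active internal user without MFA, and one admin in good standing.
REVIEW_DATE = date(2017, 4, 16)
SAMPLE_ADMINS = [
    Admin("Gavin", "internal", True, True, date(2017, 4, 15)),
    Admin("Julie", "Example Media Agency", False, False, date(2016, 9, 1)),
    Admin("Priya", "internal", True, False, date(2017, 4, 11)),
    Admin("Tom", "internal", True, True, date(2016, 12, 1)),
]


if __name__ == "__main__":
    results = review_admins(SAMPLE_ADMINS, REVIEW_DATE)
    for f in results:
        print(f"{f.action:12} {f.name:8} {f.reason}")
    print("admins after review:", ", ".join(remaining_admins(SAMPLE_ADMINS, results)))
```

In practice the `SAMPLE_ADMINS` list would be replaced by an export of the platform's current admin roster joined against your HR or vendor records, and the script would run on a schedule; the "require-mfa" findings are the list of people you chase for the screenshot described above when the platform cannot report MFA status directly.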

You can imagine that we scrutinize social media outlets now before we put a page up. In addition to the measures I described above, we ask the following:

  • How do you handle any personally identifiable information?
  • What technology are you using? (We take the answers and do a vulnerability assessment.)
  • How does your access management system work?
  • What third-party tools are allowed to connect to your platform to automate any rollback of content that is necessary after a hack?
  • What is your escalation process if an account is taken over?
  • What’s your service level agreement for responding to a hack and for getting a customer back to the pre-hack content?

Who Was at Fault?

Certainly, the social media provider can make the case that we didn’t do some obvious things like keeping admins to a minimum by reviewing them often, insisting upon unique, strong passwords, and so forth. But it didn’t help that they had such a rigid policy that even an obvious, egregious hack to a site had to remain in place until “analysis” was complete. And of course, the agency person should have not reused the same password across multiple accounts.

But notice that I titled this chapter “The Time I Ruined Easter.” No, I didn’t hack McAfee’s corporate social page. I didn’t knowingly leave the door open for a bad actor to do the same. And there was nothing I wanted less on that Easter Sunday than to be dealing with a situation that resulted from a comedy and confluence of errors across multiple fronts. All that said, I can only take responsibility for its occurrence. Because, at the end of the day, that corporate social page was under my team’s watch. And we failed to take reasonable measures to uphold our duty in safeguarding it.

Personal responsibility is an uncomfortable thing. Very few of us relish the thought of examining what we could have done better or differently to prevent an unfortunate event. Deflection is a much more human response. Yet, it’s our very tendency to abdicate personal responsibility that remains a key weapon in the hacker community’s arsenal.

For too long, cybersecurity has been “someone else’s” problem. For too many, cybersecurity is an opaque topic undeserving of their time, let alone personal responsibility. This book seeks to change that narrative, even if only by taking a humbling step in acknowledging the responsibility we all share as employees—and ultimately defenders—of our organizations. If our company can’t trust us to take reasonable precautions in protecting its most sacred digital assets, whom can it trust?

Let me step off my soapbox to acknowledge the real problem. It isn’t that employees, generally speaking, don’t want to do the right thing. It’s much more often the case that they simply don’t know how to do it.

Cybersecurity is a team sport with everyone needing to play her or his position for every minute of the game. Tools can be tremendously helpful, but it’s only when people, tools, procedures, regular reviews, and other factors work together that they form an effective defense.

Remember This Crucial Element

There’s another crucial element to minimizing cyber threats, and that’s honesty. I’m certainly outside my comfort zone starting off a book with my name on it by describing an embarrassing security failure on my watch. Could it have been far worse? Absolutely. Should it never have happened? Absolutely.

And could it have been you, instead of me? Again, absolutely.

By telling you this story, I want to set a tone of honesty that’s also needed in your business when you work to repel the bad guys: you need to develop a culture of security that allows people not only to help each other, but also to be honest with each other when they see unsafe practices. It’s honesty without anger or blame or retribution, and it’s crucial to making the culture work.

The second reason for describing our social media hack is so you can take these lessons and immediately apply them to where you see chinks in your own security armor.

Why Me?

There is no shortage of cybersecurity books available for your consumption from reputable, talented authors with a variety of experiences. You’ll find some from journalists, who have dissected some of the most legendary breaches in history. You’ll find others from luminaries, who speak with authority as being venerable forefathers of the industry. And you’ll find more still from technical experts, who decipher the intricate elements of cybersecurity in significant detail.

But, as I type this, you won’t find many cybersecurity books authored by marketers. And probably fewer still from marketers with just a few years in the industry. So why trust this author with a topic of such gravity?

Think of me as a hybrid between marketing and technology. I’ve spent my career translating technical concepts into everyday language. I’ve studied the intersection of work and technology to understand how corporate culture is shifting.

So if you’re a generally nontechnical person, rest assured that I strive to give you sufficient education to understand the nuances of this thorny subject, without overwhelming you with technical details. If you’re more technical than I am, while I won’t dumb down this topic, I will provide prescriptions that every employee—technical or otherwise—can practice to protect her organization. Finally, if you are one of my cybersecurity brethren, I hope you read and enjoy this book as a glimpse into our world. Then, I want you to pass it along to your non-cybersecurity colleagues to recruit them in our fight.

Why You?

You may consider yourself someone who doesn’t have much to offer in the realm of cybersecurity. After all, how could employees, managers, executives, and board members who are not within cybersecurity’s corridors really play a meaningful role in a game they may not even understand?

This is where I turn to the world of professional sports for inspiration, as it often reveals many lessons we can all learn about the power of teamwork. While I’m no sports junkie, I do have a soft spot in my heart for American football. That’s because I have fond memories from my earliest years in grade school of sitting on my family room couch, next to my dad, watching his favorite team, the Dallas Cowboys, play.

Like millions of us who tune in to watch our favorite teams, I’m a spectator in the world of professional sports. Watching the game is about as close as the majority of us will ever come to playing it. Spectators hardly influence the outcome of a game. That’s a role left to the far more important athletes and coaches on the field or on the court who, by their talent, tenacity, and teamwork, ultimately determine whether a game is won or lost.

I used to believe that. And then I was introduced to the Seattle Seahawks’ 12th Man. The Seattle Seahawks are a professional U.S. football team. In football, there are 11 active players allowed on the field, per team, for any play. But the Seahawks recognize 12 active teammates—represented by 11 players and the equally important spectator crowd.

I eventually came to realize that Dad and I did not want our Cowboys facing the Seahawks on the latter’s home turf. That’s because the Seahawks’ stadium is not one that favors opponents. Its noise level, created by the 12th Man, has been measured at only a couple of decibels below that of an aircraft carrier flight deck. As it turns out, these spectators have played quite a meaningful role in influencing the outcome of more than a few games. In three seasons, the Seahawks scored 26 wins against two losses on their home field. The 12th Man has twice set the world record for crowd noise and is even to blame for at least one minor earthquake.

Their revered football team knows just how important these “spectators” are. The Seahawks retired the number 12 jersey on December 15, 1984, in honor of their fans. You’ll find a giant flagpole with the number 12 blazoned across it flying proudly in their stadium. When the team took the field for one of their Super Bowl appearances, they were led by someone carrying the 12 flag.

Are the 12s (as the Seahawks fans are called) really that loud? Mostly, yes. But it turns out their stadium was also specially designed to retain noise. Unlike other open-air stadiums where noise naturally escapes into the ether, the Seahawks’ stadium has a second deck and canopy that bounces noise downward, creating a cacophony when the 12s roar.1 The Seahawk organization has taken great measure to enlist the 12s as part of the team—ensuring these fans can bring their collective might to the game and virtually play alongside those on the field.

The 12th Man teaches us that spectators can influence outcomes. But they must be engaged. They must be enlisted. That’s where you come in. I’ve written this book to engage every layperson on your importance in a cybersecurity game that is always in play. No one can blame you for not taking up the mantle sooner. But after reading this book, no one can excuse you for abdicating your responsibility either.

This book seeks to advance the dialogue by picking up where so many other worthy titles end: giving the business layperson an action plan he or she can execute immediately to be part of an organization’s cybersecurity agenda. If you still question whether it’s an agenda that should include you, realize it already does. Cybercriminals are counting on employee apathy or disengagement to unleash havoc on their targets. If you are not actively playing on the side of your company, you are likely unknowingly a pawn on the side of your enemy. If you value online freedom, if you care to know that the data you use to make decisions isn’t corrupted, if you insist that your connected devices are used for good and not harm, then you already share a mission with the cybersecurity professionals in your workplace. You have more in common with those of us in cybersecurity than you may realize.

W.I.S.D.O.M.

At McAfee, the executive team takes development seriously. We meet quarterly to put the “work” back into “teamwork.” We coach one another, share intimate stories about our professional journeys, and recommit ourselves to being more authentic toward one another and our employees. At the end of those development sessions, we practice something we learned from the AIP Group, our partner in leadership development, called W.I.S.D.O.M. It stands for What I’ll Say (and do) Differently On Monday. Each of us makes our W.I.S.D.O.M. commitment to hold ourselves and each other accountable to practicing one key developmental area we have learned.

In the same way, I want to equip you with W.I.S.D.O.M. for this journey. That’s why, after each chapter, I’ll give you a practical prescription for what you can do on Monday to improve your organization’s cybersecurity posture. Some of the tips are banal on the surface but can have significant impact for your success. Others require more work, but the view is worth the climb. In every case, I’ll limit the prescription to no more than five pieces of W.I.S.D.O.M. in any given chapter, since I want to focus on the 20 percent of efforts that will yield 80 percent of results.

The advice you’ll find in these pages is applicable to a very wide spectrum of businesses. McAfee protects hundreds of millions of consumers around the world. We also protect the largest government and enterprise environments. Our solutions go from the backyard to the boardroom. We understand you.

The W.I.S.D.O.M. is also applicable to a very broad range of roles in the business—from the board member to the individual contributor. Cybersecurity is a mission too important to be left in its siloed technical domain. Each employee or stakeholder plays a part. This book covers a lot of ground to apply discipline across the organization.

In fact, to prepare for this book, in 2017, McAfee interviewed 50 chief officers across a variety of functions (including CEOs, CFOs, CIOs, CMOs, and more) to take their pulse on their firms’ cybersecurity readiness. We also conducted an online ethnographic study among 69 employees for the same reason (think of this methodology as an online focus group, of sorts, in which we gave respondents questions and exercises in which to participate and collaborate over several days). At the beginning of each chapter, you’ll see a direct quote from one of these research subjects to help further frame the discussion and prescription.

We need you, the 12th Man, in the fight with us. You can determine the outcome of this battle. This book seeks to teach you about the game in play, while giving you tools and tips to know when to cheer even louder. When you do, the enemy will know he has entered a house that will not succumb easily. We will ultimately persevere in a fight that we simply can’t afford to lose.

Now, let’s get you enlisted.

Note

  1. Louise Bien, “What Makes Seattle’s 12th Man So Special?,” SB Nation, January 22, 2015, https://www.sbnation.com/nfl/2015/1/22/7871519/seattle-seahawks-12th-man-super-bowl-patriots.