CHAPTER 3
“Good Morning, This Is Your Wakeup Call.”

I would say I have never knowingly violated my company’s cybersecurity policy. And yet, I feel that the larger problem overall is that there’s not always clear communication about what the policies are. These things tend to be glossed over by managers all the time because they themselves are not always savvy as to what all the rules are. I think the reason for this is the majority of people do not understand all the implications of their actions when it comes to cybersecurity and protecting company information. And many people within organizations do their best in terms of trying to be safe using technology. But that is a constant battle being waged by IT groups within almost every company.

Respondent, McAfee Online Ethnographic Study

I grew up with a healthy respect for authority. My mom and dad were on the stricter side. They expected me to comply with reasonable rules. Do your homework. Be home by curfew. Clean your room. Respect your elders. The stuff of building a responsible and contributing member of society.

So when I got a voicemail from my mom early one weekend morning telling me someone from law enforcement was looking for me, I couldn’t reach for my phone fast enough.

My heart started racing as I listened to my mom frantically giving me this sheriff’s information.

I’m a much earlier riser than my husband. I figured I’d quickly take care of the phone call before he woke.

I dialed the digits with the (615) Nashville area code.

Have you ever been caught off guard when the person you’re calling answers the phone? It’s a weird feeling. You expect an answer. Yet, you don’t. That’s the kind of feeling I had when I heard his voice. I found myself searching for my words.

He wasn’t at the same loss for words.

Authority is a powerful force, especially for someone who has respected it for a lifetime. I had learned from an early age that, when someone in authority asks you a question, you don’t answer with a question. You simply answer.

Authority also compels you to correct the record. This guy couldn’t be right. But instead of my fight-or-flight trigger kicking in, raising red flags of suspicion (and questions), my overwhelming deference to authority had me explaining.

Now here’s where the story veers into the unexpected. Because you would expect that, if this guy was a scammer, he would immediately launch into his “but if you give me your credit card number, I’ll be sure to clear this up for you” pitch that would have undoubtedly sent my red flags flying.

He did no such thing. He just kept asking me questions to verify my background.

And I just kept answering.

Notice how I was in the full grips of authority, answering questions with even more information than required. This guy had me.

It’s around this time that my husband emerged from the bedroom, wiping the sleep from his eyes, yet alert enough to realize I was on a serious phone call—and it didn’t sound like work.

The sheriff was still confirming information with me. I hurriedly put him on mute to bring my hubby up to speed on the morning’s events.

(Now I was getting irritated with my husband for stating the obvious.)

And then my husband, barely awake, asked me the question that I should have asked myself before ever dialing the number:

You know when thoughts come rushing into your head so fast that you can play back the last few moments of your life in what is no more than nanoseconds? In my case, it was the past 30 minutes since I first picked up the message from my mom that I was now reliving in my head. For the first time in those 30 minutes, I had unmistakable clarity.

My mind was blown and my heart now racing for an entirely different reason. “Sheriff So-and-So” was still blabbering as my fight-or-flight response finally kicked in. I attempted to gather my thoughts and reengage the brain that had failed me.

I wanted off that phone call. He was surprisingly accommodating. No last-ditch hard push for a credit card number. No threatening that police would be on my doorstep to collect me in minutes.

Click.

Before I had even hung up, my husband was already on his cell phone, calling the Davidson County Sheriff’s Office.

You can likely guess the rest of the story. There was no Sheriff Johnson employed there. Just as there was no outstanding warrant for me for a missed court appearance—or anything else, for that matter. Apparently, this type of scam was quite popular as confirmed by the real policeman on the other end of my husband’s line.

But, just for good measure, I went to my own local precinct to confirm there was no blemish on this responsible-and-contributing-member-of-society’s record. I took that well-measured respect for authority, deeply ingrained in me, and asked the officer behind the desk if he was planning to arrest me. Relief finally washed over me when he looked at me as if I had just landed from Mars, but answered with the only word I wanted to hear, “No.”

* * *

You might be questioning your own judgment in buying a book about protecting your company from cyber threats from an author who just admitted to such a stupid mistake. You wouldn’t be off the mark. After all, I’ve already told you I felt like an idiot after the episode unfolded.

But before we both judge my actions too harshly, let’s consider that my story is just one example of what is happening literally thousands of times a day to unsuspecting victims like me. The cybersecurity industry describes such scams as “social engineering.”

You know one variety of this as “phishing,” which is when cybercriminals send malicious emails, pretending to be a trusted authority in their victims’ circles, asking they give up sensitive information or click on a link. We’ve come to somewhat underestimate phishing or the ingenuity of its creators. Phishing has come a long way from the “Help, I’m a Nigerian prince and I need money” days. McAfee detected more than a million new phishing URLs in 2018 alone.1 These are the URLs attached to those malicious emails to get you to take the bait.

And social engineering moves beyond the digital realm, as my situation proves. I work in the industry, so I’ve learned to look for those phishing emails. But I wasn’t expecting an old-school attempt over the telephone.

Criminals needn’t be sophisticated to be effective. They know that trust is an essential ingredient in our society. They also know that I’m not alone in my upbringing. Many of us are responsible, contributing members of society. We learned to be that way through old-fashioned values of respect and trust.

The last thing I want is for any of us to succumb to fearmongering that has become too commonplace in our world. Trust is essential for progress. And, yet, without being too trusting, we can also avoid being too fearful. It’s a fine line to walk, not unlike all the others you’re finding as we unwrap the complex topic that is cybersecurity.

Without rushing headlong into some end-of-times prophecy where hackers take everything we’ve got, there is a sobering reality that I can’t hyperbolize and it’s this: for any individual contributor reading this book, you are among your company’s strongest or weakest links in its fight against cybercrime.

Consider the power of that statement. Industry analyst Gartner predicted that companies spent more than $114 billion worldwide in cybersecurity products and services in 2018.2 That puts cybersecurity in the same zip code as other $100 billion-plus industries, like digital television and video, digital marketing and gaming.

Yet, that investment is no substitute for employees doing the right things and doing things right.

The Best Defense

Military history across millennia records that the best defense is a good offense. Which explains why George Washington included this time-tested military advice in his writings even in retirement, nearly a quarter century after he led a fledgling nation to victory in its War of Independence. It serves as sound instruction when competing against an opponent. Draw first blood, and your rival will be more distracted defending himself than attacking you. In sports, teams try to put the first points on the scoreboard to earn initial momentum in a game. In business, companies seek first-mover advantage in launching a new product or service to capture early market share.

In cybersecurity, there’s no such thing as a “good offense” for a company. That’s because, by definition, companies aren’t the ones striking first. That would be the job of the adversary. Adversaries always get first-mover advantage. They apply the axiom that has served so many other fields so well. Our companies are destined to play defense forever. In cybersecurity, the best defense is a good (if not great) defense.

I mentioned earlier that I believe most employees want to help defend their organizations. They just don’t know how to play their role effectively.

But let’s just say I’m wrong. Let’s assume, for a moment, you don’t have any altruistic motives toward your company. That’s not to say you wish your company harm. You wouldn’t intentionally throw your employer under a bus, for example. But maybe you’re the type who wouldn’t stand in front of a moving vehicle for your company either.

That would put you in a category of apathetic bystander. You figure your company spends enough money on cybersecurity. They hire people to do the job of defense. If you aspired to do that line of work, you would have sought the degree and the job to do so. You didn’t. You’re working in another area of your company and you expect that the work of cybersecurity is (and should be) handled elsewhere. If your company does suffer a breach, assuming you’re not ultimately the one found responsible for it, then it really isn’t your problem. They’ll pay the fines and maybe lose some customers. But life and work will go on.

If you find yourself in this category, you’re not alone. In fact, in McAfee’s online ethnography study of employees just like you, we heard similar sentiments offered when we asked the question:

  • What role do front-line workers play in maintaining cybersecurity in your organization? Do you think you play a key role or a background role?
  • Respondent 1: I think I play a very small role in the cybersecurity of my company. I think it’s important for me to be aware of how I can help protect the company’s information, but the overall high-level security should be addressed by the higher-level employees in the company.
  • Respondent 2: More of a background role, as our IT department handles all the behind-the-scenes cybersecurity.
  • Respondent 3: I think I play a background role. The first line being the technology from our IT team, then our IT team themselves, and then the average worker.

It seems that at least some employees think cybersecurity is better left to the tools or teams within IT, if not escalated to the higher-ups at the company. Here’s the problem with both points of view.

First, there aren’t enough cybersecurity personnel to throw at the problem (back to the cybersecurity talent shortage I mentioned in the previous chapter). Cybersecurity demands all hands on deck.

And second, if you think the muckety-mucks at your company are the best suited to tackle the problem, don’t be so sure. Yes, the CEO and board have a responsibility to set a tone from the top that encompasses cybersecurity. But 60 percent of C-suite leaders and IT executives say the person directly responsible for information security is not a board member.3

It’s understandable that a pass-the-buck mentality for cybersecurity is so rampant in organizations. The cybersecurity industry has coined a condition known as “breach fatigue.” It’s what happens when we allow the noise of breaches in our environment to deaden our sense of urgency to respond. We either believe someone else will eventually pay the price on our behalf (even though consumers ultimately bear the brunt of breaches through higher prices) or we surrender the control we truly have over our own destiny by assuming there’s nothing we can personally do about breaches to prevent them.

This book attempts to resolve the latter perspective by giving you practical steps you can take to help your company prevent a breach. That’s about giving you what you can do. But if you find yourself in the former camp, let me take a moment to offer why you should care.

A few weeks ago, I received an email from someone in our HR department. She forwarded an email she had received sent to her personal email account. It appeared to come from me. It asked that she reply with instructions on how to change my automatic payroll deposit. The sender’s email address came from a personal email account, presumably mine.

Luckily, her spider senses kicked in, and she forwarded the email to my work address with a simple question:

It didn’t take me long to respond with an emphatic no. We reported the incident to our Security Operations Center (SOC). They traced the email and found that a hacker had compromised her personal email account.

I’m certain that, if I were to look up the job description of that HR employee, it wouldn’t mention “cybersecurity” as a requirement or expectation. I’m willing to bet it wouldn’t contain language that demanded she be vigilant against cyber threats to employee identity as a core responsibility. Reaching out to me directly to confirm the email she received was legit wouldn’t have been in this individual’s “job description.” Yet, that’s exactly what she did, and I’m better for her sound judgment and concern. Her training stopped her from responding with copy-and-paste instructions from our intranet site explaining just how easy it is to change one’s direct deposit. I marvel at my fortune that her instincts made the job of that hacker a lot harder. And she saved me indeterminate hours of frustration in attempting to reverse a bad outcome. Crisis, for me, averted.

Sometimes hackers are after more than our companies. Sometimes, they’re after us. Our employers have a wealth of information about each of us, including our social security numbers, our bank account details (as my direct-deposit example proves), and more. The most notable breach in recent history that targeted employee records happened to the U.S. government, when its Office of Personnel Management (OPM) was compromised in a breach of more than 21.5 million records. Among the plunder collected by adversaries? Extensive background information of individuals who may not even have been current or former employees.4

If that’s still an insufficient argument to convince you to care, how about this: the stakes of a data breach for your company have never been higher. That’s thanks to regulators that are piling on to help motivate companies to protect customer data. The General Data Protection Regulation (GDPR) applies to all companies doing business or monitoring the activities of subjects in the European Union (EU). Companies can lose up to 4 percent of annualized global revenues if found to be noncompliant with GDPR’s standards for collecting and protecting customer data. In 2018, Ponemon reported the average cost of a data breach was $3.86 million—and that was largely before GDPR’s enactment.5 Any company with more than $100 million in annualized global revenues that does business in the EU can already expect to pay more—potentially considerably more, depending on its revenues—for a breach that violates GDPR.

The risks of a data breach are significant. The costs for a data breach are higher still. Don’t assume your company will survive the next breach just because it may have done so in the past. Even if it does, the financial pressures may lead to other consequences, up to and including layoffs. If you’re inclined to retain your existing job and see your company continue as a going concern, you must assume cybersecurity as part of your job description. Enemies love abject apathy on your part.

W.I.S.D.O.M. for the Employee

According to Verizon’s 2018 Data Breach Investigations Report (DBIR), employees are directly or indirectly responsible for over a quarter of all breaches. In more than 60 percent of these cases, a careless employee is to blame. That means nearly 20 percent of all breaches are at the hands of negligent employees.6 It’s the reason employees remain among the strongest or weakest links in their company’s cybersecurity defenses.

Thankfully, employees can take many steps to be a part of cybersecurity’s solution, rather than its problem. First, be alert to social engineering scams. Cybercriminals know how to exploit the trust of employees. And their methods are getting better. Spear phishing is the tactic of specifically targeting certain individuals or companies through a malicious communication, such as an email. As opposed to traditional phishing, which is more of a spray-and-pray tactic used by cybercriminals (in other words, very little, if any, targeting is in play), spear-phishing campaigns are much more effective since the criminal goes to great lengths to personalize the message.

Whaling is one such variety of spear phishing, where the adversary impersonates a high-profile executive of the company, such as the CEO or CFO, and requests action from an unsuspecting employee. For instance, a criminal masquerading as the CFO could target a rank-and-file employee in the finance department and request that he transfer company funds to an account.

Social engineering is one of the adversary’s clearest weapons against naïve employees. According to Verizon’s DBIR, 4 percent of people will click on any given phishing campaign. Perhaps most surprisingly, these victims aren’t prone to learning from their mistakes. The more phishing emails someone has clicked, the more likely he is to do so again.7

Social engineering is highly effective at multiple levels of the organization. Yes, even against executives. In 2018, Forbes reported that nearly 80,000 firms across the U.S., UK, and Europe sent more than $12 billion to adversaries launching a highly targeted, five-year whaling campaign. Who were the employees duped into helping the adversaries fleece their companies? The companies’ own CFOs. It turns out the adversaries had a targeted database of more than 50,000 CFOs to use as their “marks” in the scam.8 In this case, the cybercriminals used highly personalized emails, seemingly sent by the CEO, to compel the CFO to immediately complete a wire transfer. We all can learn from this expensive lesson. Any one of us can be conned.

So the first piece of W.I.S.D.O.M. for employees is: do not fall for the phish. Look for the telltale signs of a malicious email, such as the sender’s email address. Don’t click on a link from an unknown source. Instead, search for the company or go to the domain directly. But beware. Pharming sites are also popular: cybercriminals stand up malicious websites to lure victims, then harvest their bounty, be it financial or other personally identifiable information. Even if you type the domain directly, you may still land on a site with malicious intent and/or content.

Beyond not falling for the phish, be proactive and report it to your IT or security team immediately. According to Verizon’s report, companies have 16 minutes before someone takes the bait with the first click on a phishing campaign. When does the first report come in to the security team? After 28 minutes.9 During those mere 12 minutes, time is on the side of the adversary, and in their hands, time becomes yet another weapon through which they can inflict significant harm.

As my confession at the beginning of the chapter illustrates, social engineering doesn’t have to be high-tech to be effective. Phone scams and good old-fashioned theft of carelessly unattended laptops, USBs, and mobile devices can also do the trick.

But, while old-school tactics could fit the bill, know that adversaries continue to get smarter and better through technology to make social engineering even more effective. Artificial intelligence (AI), the stuff that makes our lives easier in so many ways (such as by our favorite search engine completing our term or phrase before we’ve even finished typing it), is the latest weapon in the arsenals of adversaries and defenders alike. AI promises to give adversaries even more precision in executing their phishing campaigns. They can target unsuspecting victims with more accuracy. And they can use AI to craft very personalized messages in large volumes.

The new breed of social engineering that results combines the targeted effectiveness of spear phishing with the scale of traditional phishing. In other words, phishes will be harder to spot in the future. The online world is increasingly a masquerade ball, with all the magic of wonder and dazzle the Internet promises. But the party is more crowded every hour with threats like phishing in ever craftier disguises. Your vigilance in being aware of this threat must increase over time as well.

Since adversaries are becoming more sophisticated, companies are spending more on cybersecurity than ever before. But those defenses are only useful if consistently applied and updated. You may think that the responsibility largely falls in the lap of the CISO and his department. You’d be right—up to a point. Employees are equally responsible in ensuring those patches to laptops, mobile devices, and other personal technologies remain current.

If your IT department pushes a patch during regular business hours that impacts your productivity for a few moments, please don’t complain. Remember, cybersecurity doesn’t follow the traditional rules of IT, where software patches can come and go at the leisure of the business. If an adversary is assaulting your organization with the latest online scourge, your cybersecurity team doesn’t have the luxury of sitting and waiting for a “convenient” time to push a security update to employees’ devices. Time is the most coveted weapon in the adversary’s arsenal. Time is certainly not on the side of your company. A little understanding and a lot of compliance on your part in accepting these security updates are most welcomed by the cybersecurity team doing its job to protect you.

Finally, there’s no substitute for strong hygiene when it comes to cybersecurity defense. Sometimes the most effective measures are also the easiest to take. There’s probably no better example of this than one from the healthcare industry. In the nineteenth century, Hungarian doctor Ignaz Semmelweis sought to solve a mystery. He wanted to know why so many women in maternity wards were dying of fever after childbirth. In particular, he noticed the death rate was significantly higher in wards tended by all-male doctors versus those served by all-female midwives. After lots of experimentation, including changing the position of the women during childbirth and even asking priests to avoid walking past survivors in the ward when paying respect to a recently deceased mother (lest these priests actually frighten the other mothers into a fatal fever with their very presence!), Semmelweis had his answer.

It turns out that the male doctors performed autopsies. The female midwives did not. Following an autopsy, the same male doctor may deliver a baby, in the process infecting the mother with cadaverous particles from the corpse he had dissected. Semmelweis insisted these male doctors cleanse their hands and instruments with a chlorine solution, beyond simple soap-and-water, to completely remove any cadaver particles from their hands. He didn’t have any knowledge of chlorine as a disinfectant. He just knew it would be highly effective at removing the objectionable odor associated with remnants of cadavers on physicians’ hands and their instruments. While the discovery of germs was still several decades away, Semmelweis’s new protocol was smart medicine, nonetheless. The death rate from childbed fever among women in the male-attended ward subsided as a result. Lucky for us, his accidental discovery paved the way for decreased mortality rates in medicine.

Even today, hand washing remains one of the most powerful tools in public health—from preventing infections in surgery to avoiding the flu. It requires discipline, for sure. But it takes only a few seconds (for the bathroom visitor) to a few minutes (for the surgical professional) to effectively inoculate ourselves from a host of bacterial and viral enemies in our environments.

Taking a page from our healthcare professionals, employees can practice commonsense hygiene to protect their companies from a wide variety of adversarial threats. Ever allow a website to automatically save passwords or use your mobile or laptop device to store them? Don’t. In just one case I can give you, an employee was using her mobile device to store all her passwords, including the one for her O365 email account. A cybercriminal hacked her mobile device and stole the O365 credentials. The now-compromised credentials were used to access her O365 account, with the hacker sending phishing emails, appearing to come as legitimate emails from this employee, to a host of executives and other employees in her O365 address book. Credential theft is particularly difficult to detect by an organization. After all, the access to the employee’s O365 account looked legitimate, for all intents and purposes. It wasn’t until diligent employees—the recipients of the attacker’s email campaign—sounded the alarm that the threat was detected and contained.

I understand password management is difficult. Our brains weren’t wired to remember hundreds of passwords across various devices, sites, and applications. To make matters worse, proper cybersecurity hygiene requires that you change those passwords regularly, making retention of them all the more difficult.

There are tools on the market such as password managers to help you generate and retrieve complex passwords. If a tool isn’t desirable, you’ll need to use mnemonic tricks to help your memory. Things like finding a memorable phrase (Jack and Jill went up the hill to fetch a pail of water), using the first letter of each word (JaJwuthtfapow), using a combination of uppercase and lowercase letters and symbols (J@Jwuthtf@pow), and adding a number for good measure (J@Jwuth2f@pow). According to the site HowSecureIsMyPassword.net, the password I just created would take a computer about three million years to crack.

Password management is essential to sound cybersecurity hygiene. Unfortunately, it’s not practiced nearly as much as it should be. As recently as 2018 in one state, the number of government officials using “Password123” as their password was nearly 1,500.10 Talk about making the job of a hacker even easier!

Next, be as mindful of your physical security as you are about online security. As I mentioned in the last chapter, the worlds of physical and cyber security are increasingly converging. Not only are cybercriminals targeting physical infrastructure in their attacks (including power grids and manufacturing facilities), but compromised employee devices are an on-ramp to company systems for cybercriminals.

One of the most notable nation-state attacks in history, Stuxnet, occurred through a compromised USB device. A USB device allowed the U.S. government to stall the nuclearization of Iran by giving the former access to Iranian nuclear centrifuges. As I continue to say, a cyberattack doesn’t have to rely on next-generation technologies to be effective.

So you’re not the type to work in a nuclear facility? Chances are you at least have a computer you use for work. If you’re like 25 percent of U.S. employees, you leave that computer on and unlocked when you go home at the end of the day.11 That’s tantamount to not washing your hands after using the restroom!

Last, but not least, use your company’s virtual private network (VPN) whenever accessing or transmitting sensitive data. Public WiFi networks are cesspools for enterprising criminals. Cybersecurity hygiene in this area is weak—even among cybersecurity professionals! At the industry’s largest annual event, RSA, which draws more than 40,000 cybersecurity professionals each year, self-professed hacker @Grifter801 tweeted that he had collected more than 33,500 non-encrypted passwords in roughly 26 hours of the show’s debut in 2019.12 The seductive siren song of public WiFi is a powerful force, irresistible to even the most trained cybersecurity professionals among us.

* * *

The match-up simply isn’t fair. Not only is your company destined to play defense against cybercriminals, but it must do so with near-perfect precision. Attackers need only score one time to inflict considerable, if not irreparable harm. No investment in cybersecurity technology is any match against a combination of willful adversaries and apathetic, if not ignorant, employees co-opted to their side of the battle.

But here’s the good news. A cybersecurity protocol that harnesses the power of technology, tools, and people working in harmony can provide an impressive defense against adversaries. That doesn’t mean adversaries won’t score points. In fact, it’s not a matter of if your company has been breached, but rather if it knows it has. While breaches are inevitable, their damage needn’t be catastrophic. When companies enlist a formidable force of educated, vigilant, and determined employees committed to their successful defense, the fight against the adversary gets that much fairer.

Notes

  1. McAfee Labs Threats Report, December 2018, https://www.mcafee.com/enterprise/en-us/assets/reports/rp-quarterly-threats-dec-2018.pdf.
  2. Gartner press release, “Gartner Forecasts Worldwide Information Security Spending to Exceed $124 Billion in 2019,” August 15, 2018, https://www.gartner.com/en/newsroom/press-releases/2018-08-15-gartner-forecasts-worldwide-information-security-spending-to-exceed-124-billion-in-2019.
  3. EY Global Information Security Survey, 2018–2019, https://www.ey.com/Publication/vwLUAssets/ey-global-information-security-survey-2018-19/$FILE/ey-global-information-security-survey-2018-19.pdf.
  4. Patricia Zengerle, “Millions More Americans Hit by Government Personnel Data Hack,” Reuters, July 9, 2015, https://www.reuters.com/article/us-cybersecurity-usa/millions-more-americans-hit-by-government-personnel-data-hack-idUSKCN0PJ2M420150709.
  5. Ponemon, “2018 Cost of a Data Breach Study: Global Overview,” July 2018.
  6. Verizon, “2018 Data Breach Investigations Report,” https://enterprise.verizon.com/resources/reports/DBIR_2018_Report_execsummary.pdf.
  7. Verizon, “2018 Data Breach Investigations Report.”
  8. Dante Disparte, “Whaling Wars: A $12 Billion Financial Dragnet Targeting CFOs,” Forbes, December 6, 2018, https://www.forbes.com/sites/dantedisparte/2018/12/06/whaling-wars-a-12-billion-financial-dragnet-targeting-cfos/#59a7bc3b7e52.
  9. Verizon, “2018 Data Breach Investigations Report.”
  10. Taylor Telford, “1,464 Western Australian Government Officials Used ‘Password123’ as Their Password. Cool, Cool.,” The Washington Post, August 22, 2018, https://www.washingtonpost.com/technology/2018/08/22/western-australian-government-officials-used-password-their-password-cool-cool/?utm_term=.d28180e988e7.
  11. https://www.techrepublic.com/article/over-40-of-reported-security-breaches-are-caused-by-employee-negligence/
  12. https://twitter.com/Grifter801/status/1103007628244869121.