When I was a kid, back in England, I used to love Agatha Christie adaptations on TV. And Peter Falk in Columbo. I could have written a thesis on how Columbo and Poirot are, essentially, the same guy. They always had a nose for an ‘inside job’. The butler, the PA, the shifty husband! Yes, it could be formulaic, but I enjoyed it. And as I grew up and started building my career, I came to realize that real life was usually far more complex.
However, in the words of the scruffy lieutenant, ‘there’s just one more thing...’
Many cyber hacks have a similar profile to the classic ‘whodunnits’ in that they arise from inside an organization, from someone right under your nose. It could be a disaffected employee, one who’s just left, or someone being used, perhaps inadvertently, by an external hacker. When my business got hacked, it turned out there was a chain of people involved, both malicious and careless, and I was a big link in it.
The malicious part is hard to spot. It’s difficult to know why someone inside your business - at whatever level they happen to be - may have a grudge against you. Maybe they think the board are paid too much; maybe they don’t like their line manager; maybe they’ve got a political axe to grind. Who knows? You can’t read minds. Which is why you need systems in place to guard against malicious insiders. That takes hard work, investment and awareness across the company, not just in HR and IT. It takes clearly defined and understood rules, procedures and safeguards.
The careless? Well, we’re all careless - I was, I admit it. But good training helps you cut down the chance of someone doing something dumb without realizing it. I wish I’d been better trained. I opened a seemingly innocent attachment and the consequences were - still are - disastrous.
CEOs can be as careless as the next guy, sometimes even more so. People do what we say. They’re deferential. They assume we know what we’re doing. But we need to be frank with ourselves and the people around us - we’re just as likely to screw up as anyone else. Once again, training is the key here. It’s my mantra now: do the training, and keep on training. The hackers never stop looking for careless people - and hacking people can be a whole lot easier than hacking computer systems.
There’s a good Arabic proverb that sums it up: Better a thousand enemies outside the house, than one inside.
Read the first post in this series, The perils of personal passwords for LinkedIn accounts.