In a recent talk that I gave to a group of accountants for various city governments, I asked how many of the attendees were in IT security. As you might expect, no one raised their hands; that’s the IT department’s job. But are they the ONLY people responsible for IT security?

Using LinkedIn as an example, I gave a simple demonstration of how a person who is targeting specific information can locate an employee and begin a spear phishing campaign that is almost certain to be successful. The number of hands that went up following my simple demonstration, asking questions about their own past actions, let me know that they now viewed IT security as an integral part of their jobs. Asked just a couple of minutes before the demonstration how they viewed IT security, all stated that they felt that IT security was inconvenient and a hindrance to their job performance. After the presentation they began to ask what they can do to help keep the network secure. What brought about this 180-degree turn in their attitudes?

We as IT professionals all recognize that in many cases the weakest link in IT security is the user. The key has always been how to get the users to truly CARE about IT security in such a way that end users stop being our adversaries and actually become our allies in the war against hacking. The key to our success in getting everyone onboard is to bring the message home. My demonstration of how I could use LinkedIn to target a potential victim did just that. The audience quickly realized that they, the people responsible for holding some of the most sought-after and valuable information, could easily be duped and that THEIR name would be on the front page of the local newspaper reporting that a criminal had successfully manipulated them into giving them the keys to the kingdom.

Maybe we need to come up with a catchy slogan that’s posted around the offices. I am reminded of the Smokey Bear campaign… “Only YOU can prevent hacking”!

by Neil Matchan