Following the Federal Example
I was thinking about the risks we face in the world of commerce and that led me to take a look at the National Terror Alert Response Center on the Homeland Security news website. As noted on that site, “The National Terror Alert Response Network promotes homeland security emergency preparedness through awareness, education, community involvement and partnerships between individuals, groups and organizations.” In doing so, the site provides information on terrorist-related incidents and activities in the United States and abroad.
The part of the site that really caught my eye was a list of “Preparedness Guides” for a variety of situations directly or marginally related to terrorism.
The topics include: biological attack, chemical attack, hijacking, explosive attack, emergency evacuation plans, water in an emergency, food storage programs, first aid, emergency communications, gas mask FAQs, and more.
Here, we have the federal government at least trying to raise awareness and offer practical advice for some very scary scenarios. The government site caused me to wonder if we couldn’t do the same thing for our own organizations and enterprises when it comes to cyber crime, social engineering and other activities that pose dangers.
If the feds can create a color-coded risk level profile for the nation, maybe it’s time we created and monitored such a profile for our own companies. The reason that many attacks succeed is that we are unaware that they are actually attacks. And some of the approaches are disarmingly simple.
For example, in one scam, the bad guys simply left thumb drives in the lavatories of a major company. Naturally, when the drives were discovered by employees, they plugged them into their computers — their network-connected computers.
The drives, as you might suspect, contained malware that enabled the crooks, working from outside, to temporarily roam at will inside the network and to steal passwords and other valuable information. Yet, it all started innocently enough with someone being curious about a “lost” thumb drive.
This could happen in your company or in mine. But if we spread the word about such possibilities within our own gates, we’re much less likely to be surprised by digital soldiers climbing out of the virtual Trojan horse. If we issue a weekly, or at least monthly, alert about reported hacking and social engineering attempts, it seems logical that many of us would think twice before plugging an unknown drive into our network-connected devices.
A rash of such incidents — or other crimes — could result in raising the risk profile in our organizations. This profile could easily be forwarded to every employee and every other connected entity on a daily basis as an aid to awareness.
Every person who connects with our networks is, by default, also standing guard over that network’s integrity. If we can all learn about what kinds of threats to expect and how those threats present, our enterprises and our organizations will be that much safer from those who wish to do us harm.
The final piece, of course, is to emulate the Homeland Security site by offering advice on what to do when a threat is detected. In one simple example, a directive and reminder to avoid clicking on any links from questionable sources would go far toward reducing the amount of cyber crime perpetrated against ourselves and our organizations.