Don't press red buttons.

Dougal - don't press the red button!

Imagine you're on an aeroplane, and fitted to the back of every seat is a big red button with a sign beneath it that reads "Do not press this button". My question is: how long do you think it would be before the button was pressed?

I recall seeing something similar in an episode of "Father Ted" where, after an agonising interval, Dougal eventually succumbs, presses the button, and the plane... well, I'm not sure what happens to the plane.

The Oxford Dictionary defines curiosity as "a strong desire to know or learn something". It is a faculty that all of us sapiens share, and it is responsible for some astonishing things. Curiosity is behind most of what we do, from climbing mountains to space exploration: we want to know what's out there, what's around the corner, what's in that email.

Dr Zinaida Benenson of Friedrich-Alexander-Universität Erlangen-Nürnberg (FAU) investigated this trait and found that up to 56 percent of e-mail recipients and around 40 percent of Facebook users clicked on a link from an unknown sender even though they knew of the potential risk to their computer. The main reason they gave was simple curiosity.

In short, it seems that despite any amount of training, a well-crafted, socially engineered email with malicious intent is going to get through our defences and be opened by a member of staff.

We must accept that ransomware and a host of other nasties will be let into our networks by staff who have been duped by a rogue email, and plan for that outcome rather than assume training alone will prevent it.

It is a difficult one to mitigate, but I think there are some simple, low-cost measures that will help:

  • Periodic education for staff on phishing, whaling, social engineering and the associated dangers.
  • An easy, well-publicised route for reporting suspect emails to the organisation's IT team.
  • Regular staff training on what to do once a suspect email has been opened: report it straight away rather than deleting it, because IT needs the original message to work out what happened.
  • Regular updates to staff on the latest virus and phishing campaigns, which means someone has to do the horizon scanning for them.

There are also technical mitigations (mail filtering, blocking or sandboxing risky attachment types, and limiting what a single user's account can reach so that one duped click cannot take down the whole network) that will need to be funded depending on the type of data being protected, but that will be a business decision.
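The second and third points above, reporting suspect emails and knowing what to do once one has been opened, only pay off if the IT team can triage a reported message quickly. As an added example (not part of the original post, and not a tool the author describes), the script below pulls out the three indicators a first responder looks at first: a Reply-To domain that differs from the From domain, links whose visible text names a different host than their real target, and attachments of types that commonly carry malware. The sample message, its domains and the list of risky extensions are all constructed for this example; tune the extension list to your own environment.

```python
"""Triage helper for e-mails that staff report as suspicious (added example).

Given a raw RFC 5322 message it returns the indicators an IT team checks
first when a member of staff reports a rogue e-mail.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attachment types commonly used to deliver malware. This list is an
# assumption made for the example; adjust it to your own environment.
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".docm",
                    ".xlsm", ".iso", ".lnk"}

# Link text that looks like a URL or hostname, e.g. "https://login.example.com".
URLISH = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)

# Constructed sample: a fake "password expiry" phish with a mismatched
# Reply-To, a deceptive link and a double-extension attachment. All
# addresses and domains are made up.
SAMPLE_EML = """\
From: "IT Helpdesk" <helpdesk@example-corp.com>
Reply-To: support@mail-recovery.example.net
To: staff@example-corp.com
Subject: Action required: password expires today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Your password expires today. Please sign in at
<a href="http://login.example-corp.com.attacker.example/reset">https://login.example-corp.com</a>
to keep access.</p></body></html>
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""


class _LinkParser(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0].strip(), self._current[1].strip()))
            self._current = None


def _domain(addr) -> str:
    """Lower-cased domain part of an address header, or '' if absent."""
    m = re.search(r"@([\w.-]+)", str(addr or ""))
    return m.group(1).lower() if m else ""


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def triage(raw: str) -> dict:
    """Return phishing indicators found in a raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = {"reasons": [], "links": [], "attachments": []}

    # 1. Replies silently redirected to a domain other than the sender's.
    from_dom, reply_dom = _domain(msg["From"]), _domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings["reasons"].append(
            f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 2. Links whose visible text names one host but whose href goes elsewhere.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = _LinkParser()
        parser.feed(body.get_content())
        for href, text in parser.links:
            findings["links"].append(href)
            if URLISH.fullmatch(text):
                shown = _host(text if "://" in text else "http://" + text)
                if shown != _host(href):
                    findings["reasons"].append(
                        f"link text shows {shown} but points to {_host(href)}")

    # 3. Attachments of a type that commonly carries malware.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        findings["attachments"].append(name)
        ext = name[name.rfind("."):].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings["reasons"].append(f"attachment {name} has risky type {ext}")

    findings["verdict"] = "suspicious" if findings["reasons"] else "no indicators"
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_EML)["reasons"]:
        print("-", line)
```

Run against the constructed sample it reports all three indicators; a plain-text message with no links, no Reply-To and no attachments comes back as "no indicators". None of this replaces a mail gateway, but it is the sort of cheap, repeatable first check that makes a reporting route worth having.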

As an example of how simple this training can be, you could send the link below to staff with this explanation: "This is a representation of what happens to our network when you open a rogue email out of curiosity. If it feels wrong, it probably is, so don't open it; report it instead."

https://youtu.be/Rzg6XhAjxMg

John Ball AFBCI