The Oxford dictionary defines curiosity as “a strong desire to know or learn something”. It is a faculty that we sapiens all have, and it is responsible for some astonishing things. Curiosity is behind almost everything we do, from climbing mountains to space exploration – we want to know what’s out there, what’s around the corner, or what’s in that email!
Dr. Zinaida Benenson from Friedrich-Alexander-Universität Erlangen-Nürnberg (FAU) investigated this trait and discovered that up to 56 percent of e-mail recipients and around 40 percent of Facebook users, while knowing of a potential risk to their computer, still clicked on a link from an unknown sender. And the main reason? Simple curiosity.
In short, it seems that despite any amount of training, a well-crafted, socially engineered email with malicious intent is going to get through our systems and be opened by a member of staff.
I think we must accept that we will be infected by ransomware and a host of other nasties let into our networks by staff who have been duped by a rogue email.
It is a difficult risk to mitigate, but I think that there are some simple, low-cost measures that will help:
- Periodic education for staff on phishing, whaling, social engineering and associated dangers.
- Improved reporting of suspect emails to the organisation's IT department.
- Regular staff training on what to do once a suspect email has been opened.
- Regular updates to staff on what the latest virus issues are – this needs horizon scanning.
- Cyber input to new joiners to the organisation.
- Cyber input to staff on promotion or moving within the organisation.
- Penetration testing of staff using rogue emails built from the content about the organisation that is available on the web. It is well worth purchasing a web address similar to the organisation's own; they are usually available.
For many years, the military have operated successfully in the management of information by using the “need to know” principle. That is to say, you are only given access to, or told, the information that you need to know in order to complete whatever it is you’re doing.
In this way, the amount of information available to a malefactor is limited, and the risk is already understood. If we applied this principle rigorously to our data, and to the access that staff have to it, the risk of massive data breaches could be significantly reduced. I accept that there may be some cost to this idea, but I think that if we conclude that we will suffer a hack of some kind in 2017, this could well control the damage.
As an example of how simple this training can be, you could send the link below to staff with this explanation: “Using the medium of modern drama, here is a representation of what happens to our network when you open a suspicious email out of curiosity.”
If it feels wrong, it probably is – so don’t open it – report it instead.