Users: here’s how not to handle an email security incident.
Around a month ago I was catching the train home after work. For those of you who don’t know Melbourne, my office is around the corner from Flinders Street Station which means I’m lucky enough to be the first stop on the line, which in turn guarantees I get a seat and can plug in headphones for the next 20 minutes until I’m home.
Something I’m not so lucky with is remembering things (shout-out to password managers), and on this occasion, I realized I’d left my headphones in my desk at work. So, I had to sit on the train without headphones, trying not to make awkward eye contact with the person sitting opposite me.
The beauty of this, however, was that I got to witness a textbook example of what not to do. There was a lady complaining to her colleague about her IT department. You know the usual comments, “they’re slow to respond, what do they even do all day,” the general kind of unfair reputation that IT teams receive. So, her colleague posed the question: “So what’s up, what did they do wrong?”
For this next bit, I’m going to give our two stars names so it’s easier to follow. Karen will be the name of the lady and the bloke will be Glen.
“Well, someone sent me a really important file for my boss via email but I couldn’t open the attachment,” Karen replied angrily.
“Ah so what did you do?” replied Glen, sounding slightly bemused.
“What any person would do, I sent it around to my colleagues, but it didn’t seem to open on any of their computers?” questioned Karen.
Glen looked slightly concerned but nodded his head in agreement.
“So, I ended up contacting IT and they were angry I called some guy directly instead of logging a ticket,” said Karen.
“Why didn’t you log a ticket?” questioned Glen.
“Well, when I first started they just told me to call this guy’s number if there was ever an issue with my computer and I needed help, so he then went and told me to log a ticket instead, so useless, and my boss really needs this file!” replied Karen.
Folks, I’ll let your imagination run with what could have happened with the rest of that conversation, but let’s have a look at this from an organizational security perspective and figure out what went wrong.
The Unaware User
In this example Karen and potentially Glen were both unaware that opening malicious attachments and sharing them around to other machines wasn’t a very good idea. Once a single user within an organization is compromised, it becomes very easy to infect others.
The Escalation Process
Now I’m certainly not siding with Karen in how she chose to escalate this potential security attack, however at the same time, I do feel a bit sorry for the position she was in. She’s unaware of it even being a security risk and she doesn’t know the correct procedure to get help or even flag a potential risk.
How Can We Improve?
This organization is in a great position to start a user cyber awareness program, whether via phishing simulations, emails, posters or lunch & learn sessions. Whatever the method of delivery, this organization doesn’t need people to be cyber resilience experts, but it needs to start the conversation around the risks of email.
It sounds like Karen wasn’t aware of the correct escalation process. If Karen had been aware that the actions she’d performed had potentially helped create a larger security incident, would she have reacted any differently? A lot of organizations won’t have a dedicated escalation point for risk and security incidents, but this is a perfect example of when it would have been helpful.
IT security is not just an IT problem anymore. There is a convergence where it becomes an organizational & IT risk, and this is important because it means all areas of the business need to come together to own this.