I recently spoke at a major US financial services firm in the Midwest to a large employee audience about a wide variety of cyber security issues. As I was prepping my slides, I noticed that some of the issues we're dealing with are highly personal, like having your social network account hacked (as has happened to 1 in 6 online adults according to the 2012 Norton Cybercrime Report). Others, like Stuxnet, the malware that sabotaged the centrifuges at Iran's uranium enrichment facility, are the acts of one government (or two) against another. So the gamut of topics feels wider than ever. I worried that the audience might not be as interested in the big, scary international espionage stuff, but I was wrong.
Cyber security audiences sometimes treat the lecture like a Halloween haunted house. We really love the thrill of being scared, especially if it involves something so big that it's not likely to directly impact us. People were "oohing" and "aahing" over the stories of malware-infected memory sticks used to infiltrate the Iranian facility. The idea that some poor nuclear engineer might have inadvertently carried the malware into the site on a USB stick, and that merely opening the stick in Windows, where a booby-trapped shortcut file ran the code as soon as its icon was displayed, was enough to set it off, all without his realizing what he'd done, gave people the chills. When our conversation turned to the type of phishing threat known as spear-phishing, though, people acquired sober expressions and started taking many notes. That's because in a spear-phishing attack, the individual employee is as likely to be targeted as a more visible, senior-level executive. To a cyber criminal, your role doesn't really matter, as long as your inbox is connected to the company network. They just need one person to click a link or open an infected attachment to drop their malicious payload onto the network, where it can use that first foothold to go looking for credentials and financial information of value.