Hackers want you to be boring
Why bullet points won’t protect your enterprise
By Nick Wilding and Jerome Vincent
How does this grab you?
Memo: Re RPA Device/Machine Identity
-
The need to protect individual and machine identities is urgent
-
API’s and bots given privileges are a source of threat
-
RPA approval bots automating invoice approval credentials must be updated on a regular basis
-
Bots can be hacked, so please review credentials
-
Click here for detailed overview and training
Would you click? You might be mandated to, but you’ll put it off till you’re not so busy. But you’re always busy, so you’ll make a note of the training and promise yourself you’ll get it done. And if it’s tracked – i.e., the system knows whether you’ve engaged with it or not – then you might even open up the link and let it run while you read that report you’ve also been putting off. People do. Of course, they do. So why not?
“That’s what happens with all of us in all kinds of organizations,” says Nick Wilding, Chief Innovation Officer at CyberRiskAware, who specialise in providing targeted security training in real-time and at the very point of need when someone does something risky. “We provide training moments that really matter – making that message a memorable and human one. Simply, it’s a story that sticks.”
And stories are the point. Many cybersecurity training specialists argue for the use of stories rather than bullet points. They advise that dry, technologically focused and densely argued training manuals don’t get across the real-life consequences of the threats which every organization and individual faces on a daily basis. We agree. Bullet points don’t hack it. And so, hackers thrive when cybersecurity training gets boring.
“There’s so much scope for creativity in this subject,” stresses Nick, “I mean, we’re talking about criminals, villains, secrets and lies, as well as the loss of huge fortunes, reputations, and even possible widespread blackouts and social chaos. It’s a huge opportunity to get creative!”
He’s right. So, let’s rewind and start the example we opened with again. But this time – as a story. One with a human focus and, of course, human consequences which the audience can relate to immediately.
We can do fiction:
Peter’s phone buzzed just as he was taking Rufus, the family’s languid beagle, for a walk. He fumbled with the phone as he pulled Rufus away a from the lamppost in front of his house. “Sarah! You’re working late…” he said, but his manager’s tone stopped him in his tracks. “We have a problem,” she said. Peter stopped walking. Rufus sniffed the pavement and then tugged at the lead, nothing interesting here his doleful eyes said. Peter resisted the pressure to move. “What’s up?” “Your invoice approval bot…” her tone was almost accusatory. “Yeah… works a treat… I get so much more done now…” “Listen, Peter,” she said sharply. Peter felt a cold bolt of lightning crack across his back. “What’s happened?” he asked almost in a whisper. “When was the last time… you updated its credentials?” “Oh… that… well… it was…” Peter’s brain stopped working. His synapses began firing different scenarios which ranged from the end of his career to being arrested by the intelligence services. “Why?” was all he could say. “Did you see the training that was sent out last month?” “Sure… yeah… I always…” “Your bot has just approved and paid 10 invoices worth six hundred thousand.” Rufus lay down on the pavement and sighed. Clearly he wasn’t going to get his walk this evening. And his master had turned from a healthy, ruddy faced athletic man in his mid-fifties into a pale, nervous wreck hardly able to keep a grip on his phone.
“I’ve commissioned short stories like that and sent them out so the audience could read them when they wanted to. You could record them like an audiobook too,” says Nick, “That’s a good way to link cyber threats to human consequences for the individual as well as the organisation, and then link it to human concepts like trust and resilience.”
We chose the example of Robotic Process Automation software used to ease workflows in, for instance, accounting or HR departments where sensitive data and money are involved, for a very good reason. They can be hacked too. And when they are, a lot of money can go astray. Bots like these are given high-level credentials so that professionals, like Peter in the story, can avoid mundane tasks and focus on higher-value work.
But creating bots – in effect, software robots – and giving them the credentials to authorise invoices or purchase orders can be risky. There’s no reason NOT to use the technology, but there is every reason to ensure that it is secure. And that takes training.
Focusing training on the right audience and then making it compelling and memorable is vital. That’s why you need to use stories. “Why not have some fun, add creativity to the message, entertain the audience?” asks Nick. “When you do one or all of those things then you get their attention, and the message gets through. That then protects them and the business.”
Software robots hacked by a villain with the ability to send out immense amounts of money!? Umm, sounds like a plot for a new Netflix series…
OMINOUS SOUNDS: WE’RE IN THE VAULT OF CYBER VILLAIN’S LAIR METALLIC VOICE We have taken over the accounting bots, Master – send in the invoices. SOUNDS OF COMPUTERS WHIRRING – PINGS MULTIPLY METALLIC VOICE Invoices delivered. Total value nine hundred and eighty eight thousand. Authorise! Authorise! WOOSHES AND BEEPS METALLIC VOICE All invoices authorised master. Robots stand down. The target is now totally, completely, gut-wrenchingly… bankrupt. EVIL LAUGHTER ECHOES AND FADES.
Listen to Nick and Jerome discuss stories and cybersecurity training in our short podcast on YouTube.