We have just achieved a significant milestone with the release of a NoticeBored module covering the fiftieth topic in our ever-growing information security awareness portfolio.
Our topic for October is “cybertage”, meaning sabotage in cyberspace. As you might surmise from the stark red awareness poster in the style of 1940’s public safety warnings, cybertage is an age old subject. It even pre-dates IT: propaganda, for instance, involves deliberately using information to manipulate, undermine and - yes - cybertage an enemy. It is of little consequence how propaganda is delivered: leaflets, emails, stone tablets, CNN, wax cylinders, Blogger, Morse code, hilltop beacons, whatever. Message trumps medium. As with security awareness, it’s the content that matters most.
Today’s cyberteurs are truly spoilt for choice. They have the potential to attack their targets through the Internet and a variety of media, and as we learned from Stuxnet even air-gaps are an imperfect defense against sophisticated viruses. Our IT systems and networks make juicy cybertage targets in their own right. Add to that the possibility of smear campaigns spreading vicious rumours and half-truths through social media and ‘customer review and feedback’ sites, and the power of cybertage in the 21st Century becomes alarmingly obvious.
But wait, there’s more! Cyberteurs walk among us. They lurk in our midst, waiting to strike from within. All it takes is a careless, cutting remark, a snub from management or some other incident to turn our once-loyal colleague into a raving virtual-ax-wielding cyberteur, intent on getting his own back by inflicting maximum grief on the corporation.
Cybertage is a novel topic for the security awareness program, something deliberately out-of-the-ordinary that we hope will catch you and your colleagues’ imaginations as it did ours. However, we appreciate that this is a delicate issue, and that raising awareness could conceivably induce people who are so inclined to commit cybertage.
On balance, as with several other modules in the NoticeBored portfolio, we take the position that in the unlikely event that any disgruntled, unethical employees do become cyberteurs solely as a result of these awareness materials, the far greater number of security-aware and motivated colleagues who will notice and discourage, warn or report them represents an effective information security control. It seems to us that the alternative – blind faith and ignorance, ignoring the issue in the hope that it will go away – is literally worse than useless.
However, if customers feel that we are biased, and that we might even be undermining (cybertaging!) their information security arrangements, they can choose to avoid the awareness topic completely or be more circumspect or focused in how they approach it.
Our job as authors is to provide high quality ammunition for your security awareness program: it’s up to you to load, aim and fire!
So what does your security awareness program have to say about cybertage and 49 other information security matters? Feel free to contact me directly if NoticeBored sounds like something you could use. Mention this blog for Mates Rates!