Welcome to the SecAware blog

I spy with my beady eye ...

25 Feb 2017

28 days of awareness: day 24

As the three awareness streams start to trickle and then flow, we are creating opportunities to bring staff, managers and professionals 'onto the same page'. 

From the outset, NoticeBored was designed to provide relevant information and guidance to educate and motivate those three key audiences in terms and formats that work for them and to encourage them to interact with each other around the monthly topic. 

Although we talk about the 'three parallel streams of content', they all cover the same topic and we expect the streams to converge in practice. The informal social aspect is an extremely valuable part of an effective security awareness program. It lifts the awareness content from the paper into the corporation at large, influencing the culture through casual chat, repetition and endorsement. 

Today we wrote the management and executive awareness briefings on ransomware, completing the management stream too. Both briefings take a management perspective, highlighting the business impacts of ransomware attacks and describing at a fairly high level security controls to address the information risks. Strategies, policies, compliance activities, metrics and governance are the management concerns we discuss in relation to ransomware.

Tomorrow we press on with the professionals' stream. Some rather inane comments from a panel discussion at the RSA conference about ransomware taking over smart door locks and thermostats reminds me to bring up the ransomware threat to the Industrial Internet of Things - things controlling industrial machinery and processes, in power stations, chemical plants, factories, distribution warehouses, industrial labs and, I guess, missile silos - safety and business critical things some of which may be part of the critical infrastructure. Compared to the level of expertise hackers would need to meddle sensibly with the settings on, say, an electrical generator, a smart valve on a high pressure oil pipeline, or a fly-by-wire plane, simply locking up the whole control system would have an equally galvanizing effect on the companies and individuals responsible. Whether their aim is to make a few Bitcoins or bring down the infrastructure, it's a sobering thought for the geeks busily smartening up everything in sight. Maybe we should mock-up another ransomware demand in the style of a glass cockpit panel displaying something along the lines of "Pay up to land safely". Makes you think, eh?

Actually, that comment also reminds me that we need to review the staff and management materials too before the module is completed, making sure all three streams remain aligned. The possibility of ransomware attacks on things has relevance and interest to all three audiences, meaning that it might just spark those casual information risk and security conversations that we strive to achieve through the awareness program. Writing the module is an iterative as well as a creative process ... and we have just 4 days left before March.  

Gary (Gary@isect.com)

PS Talking of streams, we've been in drought. The long hot NZ summer came to an end about 2 weeks ago with barely enough rain to start refilling the aquifers beneath us. We and our animals rely on spring water pumped up to the tanks with an ancient Lister diesel powered pump, the chug-chug-chug being one of the characteristic sounds of rural New Zealand. The drought reduced the spring flows to the point that the neighboring farm ran dry for a while.  We scraped though this year and reconsidered our critical infrastructure. No smart things here, I'm relieved to say our lovely old Lister is dumb-as and built to last.

No comments:

Post a Comment