Once upon a time there were three little pigs who went out into the wide world and
built each their own house. The first piglet got off easy and built a house of
straw. The second built a somewhat sturdier wooden house, while the third went
to great lengths and built a solid stone house.

You probably know this fairy tale, but for the sake of completeness I will finish
it. The big bad wolf wanted a pork chop and blew down the straw house, after
which he devoured the resident. After a while he was hungry again and rang the
bell at the wooden house. The resident saw through his smart doorbell who was
at the door and did not open the door. The wolf took a deep breath and managed
to knock down this structure as well. Piglet number two was also eaten all up.
And as happens in fairy tales, not long afterwards it was the turn of the third
house. The resident, who had already seen the wolf coming through his security
cameras, did not open the door, of course. When the wolf realized that he
couldn't possibly knock down this sturdy house, he climbed onto the roof and
slid down the chimney. However, the piglet was aware of this vulnerability and
had taken measures: a pan of boiling water was ready at the bottom of the
chimney. Wolf in, lid on, and the piglet lived happily ever after.

The Three Little Pigs is an English
fairy tale from the 19th century and has a clear message: if you’ve done the best
you could, you will come out stronger. I am always amazed at the atrocities
with which fairy tale writers bombarded children in those days, but it must
have been the zeitgeist. However, the fairy tale is not only about zeal, but
also about threats. “Watch out, children, there are all kinds of dangers
lurking in front of you! The better you arm yourself against them, the greater
the chance that you will come out of it unscathed.”

I'm a part-time fairy tale teller. Not only every Friday morning, when I write this
blog, but sometimes during my other work as well. Like the unknown creator of
the above fairy tale, I also point out threats to people and have them
implement measures to reduce risks. Usually with business language and a
technical slant, but sometimes I allow myself a story to make something clear.
One of my favorite stories is that of Joost Tonino, former public prosecutor
in Amsterdam. Tonino had put his virus-infected private computer on the street for
the refuse collection, but a taxi driver was ahead of the binman and delivered
the PC to Peter R. de Vries (a Dutch investigative journalist who was murdered
in the streets of Amsterdam last year). It turned out that confidential
business data and child pornography were on the PC. End of career as Public
Prosecutor. I tell this story when we discuss the careless disposal of data
carriers during risk analyses. But also in other situations I like to use an
anecdote or metaphor to explain something.

Yesterday I sat down with a department MT to discuss compliance with certain rules. The
point was that that department often receives requests from another department
to do something that violates the security policy. They then want an exemption
to get it done anyway, because otherwise their system cannot function. When we
show them how to do it, they sometimes say: “We can't do that on our system!”
However, if they take the time to look at it seriously, it turns out it can be
done after all, although sometimes some effort is needed. Oh, they're just like
kids, who often say that they can't do something, even though they've never
tried it. And if, after some encouragement, they turn out to be able to do it,
they are very proud of it.

And so information security officers constantly try to influence people's behavior
in such a way that they stick to the rules. This is done through the formal
route – policy, standards, instructions – but I prefer to focus on awareness.
Because if I manage to make you understand why you should or should not do
something, if you understand that you or the organization otherwise run risks,
then you will be more willing to take the right turn.

We are still in the middle of the European cybersecurity month. So there are still
all kinds of activities going on. Take advantage of it and show that you are actively
working on your security awareness.

Thanks to Wendie for the inspiration.

And in the big bad world…

This section contains a selection of news articles I came across in the past week. Because the
original version of this blog post is aimed at readers in the Netherlands, it
contains some links to articles in Dutch. Where no language is indicated, the
article is in English.

- The police enlisted Frans Bauer (a Dutch singer) to fight against WhatsApp fraud. [DUTCH]
- Young people also fall for phishing. [DUTCH]
- Of course, a criminal can also just call you and ask you to install malware. [DUTCH]
- Criminals are taking advantage of the energy crisis. [DUTCH]
- The Center for Security and Digitization in Apeldoorn has been opened. [DUTCH]
- Social media don't check if you're really of age. [DUTCH]
- In certain countries, spyware is a serious problem for journalists.
- This website teaches ten lessons on how fraud works (but those lessons don't work on my iPad). [DUTCH]
- The Tax and Customs Administration is popular with some criminals. [DUTCH]
- The cabinet must answer to the House of Representatives about this. [DUTCH]
- You can log into websites with passkeys without using a password.