In an excellent interview for Black Swan, Mark Johnson convincingly argued that cybersecurity and business assurance are converging. Towards the end of the interview, Mark made a small comment about USB memory sticks that made me realize how woeful I had been in handling a security threat – and that many other people working in risk and assurance are probably guilty of the same weakness. This is what Mark said:
“I read that the STUXNET worm was possibly inserted into the Iranian nuclear facility by people who left USB sticks lying around that employees innocently used for storage.”
I too had read the same thing. It was widely reported. And Stuxnet is far from being the only relevant example. InfoWorld described the Flame malware by saying it
“…takes the infection of removable media to another level.”
So now everybody knows – or should know – that highly portable memory storage poses a security risk. And how have we responded? Not very well. Not well at all. I had read the news stories, but I did not change my behaviour. In total, I have about a dozen USB sticks scattered around the place, in various drawers and bags, and on keychains. Most of them were gifts. Some were freebies from conferences. Others were given by wannabe suppliers, as a cheap way of accruing goodwill whilst sharing their presentation slides, RFP responses and so forth. I have to challenge myself: why am I so trusting? The businesses that give me USB sticks may not know they are spreading malware, but they could be. Stuxnet and Flame prove that malware carried on USB sticks can penetrate the toughest security that nations can afford to implement. Do I really expect the typical vendor or consulting firm to match that level of security? And given that some of these firms claim to be expert at surveillance and threat detection, is there not a theoretical risk that an unscrupulous firm might engineer malware for its own reasons? I think so.
I admit to my carelessness in order to reflect on the weaknesses of human nature. Even if somebody works in a job where they should know better, many of us take things on trust and fail to spot dangers. A lot of people in this field talk about being proactive. Well, are we really proactive? Is it proactive for the recipient of a USB stick to accept it, and use it, without question? Do we really need to wait until a successful attack is identified, and publicly communicated, before we change our ways? Maybe. I am writing about human nature, after all. But from now on, I am changing my personal policy, and I will be taking on the much harder challenge of driving change to corporate policies and the behaviour of my peers.

As for businesses that have given me USB sticks in the past, I mention no names. Thank you for your previous gift – I do not doubt your past intentions. What is done is done. But a new year helps us to think of the future, and of positive change. If you want to impress me in future, change your ways. Set a proactive example for the rest of us. Once a line of attack is successfully established by one agent, its usage spreads more and more widely amongst criminals and subversives. The real likelihood of a software firm spreading malware to an unsuspecting RA analyst may currently be small. But we live in times where the number and range of cyberattacks are rapidly growing. Jonathan Evans, chief of the UK’s MI5 intelligence agency, described the current level of cyberattacks as ‘astonishing’. Change may be hard and will take time, but today is always a good day to be proactive.