Remember your first IT job all those years ago? An afterthought with an office in the basement so your lone, geeky voice couldn’t cause a fuss… but look at you now! As tech has grown more important, geeks have become cooler. Twenty years ago, if you liked Marvel superhero movies, Star Trek and comic books, the alpha males in your workplace, people like your arch-nemesis, Terry from Accounts, would have pointed and laughed.
Nowadays, Terry uses a USS Enterprise mouse, drinks his vanilla lattes from a James Bond covfefe mug, watches Guardians of the Galaxy, quotes The Big Bang Theory and tries to understand ransomware from the notes you leave him.
What I’m trying to say is the meek didn’t inherit the earth, geeks inherited the earth – some even sit in corner offices. Empires crumble. Terries fall. We might wield the power but in the words of Spiderman’s Uncle Ben in the 2002 version:
“With great power, comes great responsibility”
Why all this millennium-era nostalgia? Well, if your company got hacked by teenage pranksters in 2000, it was a mild inconvenience and nothing that McAfee Antivirus probably couldn’t fix.
Back then, our biggest worry was whether the Y2K “bug” would reset every computer chip’s internal clock to the year 1900. Terry was even convinced that because planes didn’t exist in Victorian times, come midnight on January 1st, 2000, they would fall out of the sky, or worse… go back in time. Or worse still, the plane would land safely but everyone on board would somehow be dressed as Sherlock Holmes.
Nowadays, network security is a military operation; enemies are everywhere and come in the form of criminal organizations, industry competitors, your own government and… naming no names, nation states like Russia. Indeed, only yesterday, Vladimir Putin admitted that private “Russian patriots” could have hacked the US Election.
In other words, no one could have foreseen how high the stakes have become.
Employees are the weakest link
Whichever department you work in, the important thing to remember is that no matter how robust your network security protection, no matter that you inspect all the outbound SSL traffic you can, or your CISO assures you the company is immunized against ransomware attack… employees are always, always the weakest link.
Every single one of your colleagues is a potential idiot. That’s what the hackers are relying on, anyway. People like Terry. And you can bet your bottom dollar, the hacker’s exploits will breach the weak link in your company’s shields quicker than an uncloaked Klingon Bird of Prey’s photon torpedoes. This May’s WannaCry ransomware attack may have been the exception to the rule but most malware still needs one solitary brain cell, sorry… one solitary click on a spurious attachment or bad URL link.
So let’s imagine the unthinkable. In an 11:30 Diet Coke momentary lapse of concentration, you accidentally click and infect your company with ransomware. What happens next resembles a scene from James Bond’s Skyfall.
It can happen to the best – even James Bond’s quartermaster and Mi5 IT Analyst “Q”
Twenty minutes later, you’re called into your boss’s office and twenty minutes later still, you’re escorted out of the building carrying a cardboard box containing your worldly career possessions – a Doctor Who mug, Death Star mouse and (for some inexplicable reason) a pot plant. From Terry. Game over, man! Game over!
Can my company fire me for infecting them with ransomware? What are my rights?
To summarize Kathleen Krueger, a writer for employment law resource Gotfired.com – if you were using the computer for work-related activity, in most cases, your company is not within their rights to fire you. If you were using the computer for non-work related purposes, it seems a company can terminate your contract. And with companies legally allowed to monitor your computer activity, your defense “It wasn’t me, it was Terry” probably wouldn’t stand up in an employment tribunal.
If you’re reading this and you were fired for opening an e-mail/attachment that contained a virus or malware and you were using the computer for work-related purposes, you may have been wrongfully terminated, so lawyer up.
So, whose responsibility is ransomware? While it’s your responsibility to remain vigilant, people like Terry can’t be expected to understand that a firewall doesn’t stop ransomware; he’s likely never heard of cloud sandboxing, zero-days or engaging his brain before clicking that $100 Whole Foods gift voucher.
A staggering 39% of employees admit to opening suspicious e-mails. I’m no mathematician, but it’s no coincidence that almost exactly the same number, 40%, of employees say they never, or only annually, receive security training. It’s the company’s responsibility to educate staff about potential threats. Some savvy companies quite brilliantly send phishing e-mails to employees to see who bites. “New employees fall for it all the time,” said Josh Aberant, postmaster at Twitter in 2015.
So, in summary, if you’re lucky, that next phishing e-mail attachment you double-click will be from your boss. If you’re unlucky, this might happen:
And if it does, make sure that it’s Terry and not you that’s waved off with a nostalgic “You are the weakest link. Goodbye.”