What would make you take action?
Tuesday, April 6th 2010 @ 7:35 AM
If you've read any of my pieces on the Honey Stick Project, you may recall that this is an experiment to see how vulnerable people are to risks on the Internet by dropping USB drives in various public locations. If the devices get picked up, my data shows that over 65% of them get plugged into computers and used in a way that I can detect, which suggests that people are putting their computers and networks at risk of getting infected with dangerous viruses that can steal vast amounts of sensitive data. If this conclusion is correct, then we need to get people to take action on educating staff about risks that technology safeguards can't adequately address.
What I would like to do is find a way to get people who find these devices to take positive action toward increasing security awareness education in their organizations. Ideally, if they could let their IT managers know that their organization is vulnerable, and that they could obtain data about how their organization has performed in this experiment, I think there's a good chance the IT managers would use the data to illustrate the need for awareness to their management. But this is often a sensitive topic for people, and there is always the chance the whole idea would just scare people so much that they would not take any action for fear of the repercussions on their reputation and jobs. So, I'm looking for good ideas that could help all of us in getting managers to see the data for their organizations, and take action on education and awareness.
My first idea is to have a minor warning upon opening files on the Honey Stick devices that this is just a demonstration to let people know they could have been putting their systems at risk by opening the files. Then, the message would let them know that if they feel this is an important issue, they should take the device and drop it near or in their IT managers' offices. This way, the original finder can remain anonymous, and it leaves an opportunity for others to find and use the device before turning it in. When the IT manager finally gets the device and examines it, I am hoping they will get the message that there's a good chance their staff has used it, putting their systems at risk; and they can get data about its usage by contacting me.
What do you think about this approach? Remember that these devices have no programs or active content on them. It's just simple HTML code with an image URL that lets me log the IP address of the system where the device was opened. So, there is no risk to an organization's systems from these devices.
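To show what the beacon mechanism described above yields on the receiving end, here is an added example (my own code, not the Honey Stick Project's) that turns web-server access log lines into the per-organization usage data mentioned in the post. It assumes two things the post does not state: that each device's HTML page embeds the image URL with a per-device identifier (here /beacon/pixel.gif?id=HS-0001) so hits can be attributed to a specific device, and that the server writes Apache/nginx "combined" style log lines. The log lines and device list are constructed sample data.

```python
"""Summarise Honey Stick beacon hits from a web-server access log.

Added example, not the project's own code. Assumptions: the image URL on
each device carries a per-device id as ?id=..., and the server logs in
Apache/nginx combined format. Both are assumptions; the original post only
says the page contains an image URL that lets the author log the IP.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlparse

# Constructed sample log lines (not real data). Three of five deployed
# devices were opened; HS-0001 was opened from two different hosts, one
# beacon fetch carries no id and so cannot be attributed to a device.
SAMPLE_LOG = """\
203.0.113.10 - - [06/Apr/2010:09:12:01 -0400] "GET /beacon/pixel.gif?id=HS-0001 HTTP/1.1" 200 43 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"
203.0.113.10 - - [06/Apr/2010:09:12:02 -0400] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"
198.51.100.7 - - [06/Apr/2010:11:40:55 -0400] "GET /beacon/pixel.gif?id=HS-0003 HTTP/1.1" 200 43 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1) Firefox/3.6"
192.0.2.25 - - [07/Apr/2010:08:02:13 -0400] "GET /beacon/pixel.gif?id=HS-0001 HTTP/1.1" 200 43 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1) Firefox/3.6"
198.51.100.7 - - [07/Apr/2010:15:21:40 -0400] "GET /beacon/pixel.gif HTTP/1.1" 200 43 "-" "curl/7.19"
203.0.113.44 - - [08/Apr/2010:10:05:09 -0400] "GET /beacon/pixel.gif?id=HS-0005 HTTP/1.1" 200 43 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
"""

# Constructed list of device ids handed out in one drop.
DEPLOYED = ["HS-0001", "HS-0002", "HS-0003", "HS-0004", "HS-0005"]

# Combined log format: ip ident user [ts] "METHOD path proto" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_hits(log_text, beacon_path="/beacon/pixel.gif"):
    """Return one record per successful, attributable beacon fetch."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("status") != "200":
            continue  # unparseable line or the image was not served
        url = urlparse(m.group("path"))
        if url.path != beacon_path:
            continue  # some other resource on the server
        device = parse_qs(url.query).get("id", [None])[0]
        if device is None:
            continue  # beacon fetched without an id: cannot attribute
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        hits.append({"device": device, "ip": m.group("ip"), "ts": ts, "ua": m.group("ua")})
    return hits


def summarise(hits, deployed):
    """Aggregate hits into the numbers an IT manager would ask for."""
    per_device = defaultdict(lambda: {"opens": 0, "ips": set(), "first": None})
    for h in hits:
        d = per_device[h["device"]]
        d["opens"] += 1
        d["ips"].add(h["ip"])  # distinct hosts: same device, several machines
        if d["first"] is None or h["ts"] < d["first"]:
            d["first"] = h["ts"]
    opened = [dev for dev in deployed if dev in per_device]
    return {
        "deployed": len(deployed),
        "opened": len(opened),
        "open_rate": len(opened) / len(deployed) if deployed else 0.0,
        "never_seen": [dev for dev in deployed if dev not in per_device],
        # ids that beaconed but were never handed out: mistyped or forged
        "unknown_ids": sorted(set(per_device) - set(deployed)),
        "devices": {
            dev: {
                "opens": v["opens"],
                "distinct_hosts": len(v["ips"]),
                "first_seen": v["first"].isoformat(),
            }
            for dev, v in per_device.items()
        },
    }


if __name__ == "__main__":
    report = summarise(parse_hits(SAMPLE_LOG), DEPLOYED)
    print(f"{report['opened']} of {report['deployed']} devices opened "
          f"({report['open_rate']:.0%}); never seen: {report['never_seen']}")
    for dev, info in sorted(report["devices"].items()):
        print(f"  {dev}: {info['opens']} open(s) from {info['distinct_hosts']} host(s), "
              f"first {info['first_seen']}")
```

The point of the unknown_ids and distinct_hosts fields is that raw hit counts overstate the picture: one device passed around an office produces several hits from one device, and a hit with no id tells you the server was reached but not which device was plugged in, so the rate reported to a manager should count devices, not requests.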
What content would you put on the devices that would entice people to take action, and get the data to the people who know there is a problem, but have not had the data to justify taking action on educating their staff? What would make you take positive action?
Or do you not think this is something worth worrying about? Please send me your comments, or add a comment on this blog.