If not for an ordinary, non-technical computer user, the urgent iOS 9.3.5 security patch of 25 August 2016 would not have happened. Researchers assert that hackers have been exploiting this zero-day vulnerability in the wild for over a year. Yet the vulnerability was not detected via technology. A pro-democracy activist, Ahmed Mansoor, received a text with a link he considered suspicious and sent it to experts to analyze. Anecdotes such as this are growing in number. Motivated, informed users are spotting what technology misses, and at the beginning of the kill chain. This is what I like to call a teachable moment.
Enterprise cybersecurity leaders can use stories such as this as teachable moments to better prepare for future scenarios. Cybersecurity is ultimately a people problem. Training alone motivates few to change and to learn. ‘Teachable moments’ bind a relatable or actual experience to what otherwise seems a remote abstraction to employees. They also lend plausibility to the notion that employees too can make a meaningful impact. Again, cybersecurity is a people problem, and people react to change much like Newtonian physics – unless motivated by an outside force, they tend to stay put.
This particular story has so many interesting elements that it is difficult to stay focused on just this one ‘teachable moment’. Here are a few essential highlights you can point out to your employees:
- An ordinary, non-technical user received a text with a link he considered suspicious
- Experts (Citizen Lab) analyzed it (also analyzed by Lookout)
- The researchers found that the link exposed iPhone/iPad users to scary malicious code that exploited a vulnerability unknown to Apple
- The researchers reported their findings to Apple
- Apple released the 9.3.5 security patch within weeks
- We are all a little safer
Employees can make a meaningful impact without their becoming experts and without buying them expensive tools with steep learning curves. But this won’t happen without motivating them. Why not use this iOS 9.3.5 security patch as a teachable moment? Mention doing so at your next board of directors briefing on cybersecurity risk management. Motivate employees to be human sensors instead of liabilities.