Secrets, Rumours and Lies
Blog posted by: Nick Wilding and Jerome Vincent, 05 June 2019.
We all tell stories. Stories are all around us. They are how we build business, cultures, societies, and relationships. That’s what stories are for. They instruct us, inspire us, and warn us.
That’s why storytelling can be an integral part of an effective enterprise-wide transformation strategy to deliver an effective cyber resilience awareness campaign programme.
Nick Wilding, AXELOS’ General Manager of Cyber Resilience, teamed up with author Jerome Vincent for a storyline around a cyber-attack on the NHS – inspired by a 2-part Holby City/Casualty crossover episode earlier in March 2019.
A famous actress is in an NHS hospital. No one knows why. There’s speculation in the press, some of it salacious. The hospital management are keen to protect their patient’s privacy. The consultant of the Trust which controls this hospital, amongst others, knows who the actress is and assures the PR manager that all the Trust’s records are protected by market leading security products.
One of the senior directors, an eminent consultant, says that if the secret gets out, it will be because of a loose-tongued member of the clinical staff – they love to gossip.
A young hacker working with a criminal gang which carries out ‘push payment’ fraud – usually targeting older people by claiming to be their bank or the police, calling them up and getting them to move their money to ‘safe’ accounts – is intrigued by the mystery of the hospitalized celebrity. Perhaps he can hack into the Trust’s systems and gain access to the medical records. A newspaper would pay a mint for the info.
Another gang member sees a wider opportunity – think about all the data on elderly people and their numbers and even some information about their lifestyles and incomes. That’s a whole new set of people they can con out of their money.
The Trust’s PR manager sends out a memo with basic instructions about cyber-security as well as the necessity of not talking about patients in general but this famous one in particular. The fact is that the star is having treatment for cancer and she doesn’t want the world to know yet.
The hacker decides the best way to get into the hospital system is to go ‘whaling’ – look for someone high up who can be socially engineered. He crawls the web for names, finds two – the Chairman and the consultant.
He notices that the consultant often gives talks about the role of digital in healthcare – from AI to robotics – and also talks a lot about cyber-security. After the WannaCry attack on the NHS, he was on news programmes and even did an op-ed in The Times.
His last article was in SC Media Magazine. A confident defence of the NHS’s ability to avoid any kind of repeat of the WannaCry debacle.
Bingo! The hacker pretends to be from a tabloid newspaper and sends out an email to the consultant as well as the PR Manager for comment on how certain they are that the celeb will be protected.
He gets two replies – one an out of office – and one a short statement that there is nothing to comment on.
The hacker then creates a malware program and embeds it in what looks like a PDF of a magazine article. He sends back a reply to the consultant saying ‘But what about the rumour in this Australian Gossip Magazine? It mentions your Trust!’
The consultant is at home – he’s logged on to his email using his work laptop – he is alarmed that the secret might be out... and clicks on the PDF. The computer is infected. Then he forwards the email to the PR manager with a message – ‘Oh no! Did someone talk to an Aussie relative!?’
The PR manager opens it too.
The hackers are in the system. They find out who the star is. Sell the story. They scrape names and medical records from the Trust’s database. A rich source of potential victims, many elderly, all vulnerable.
The press has a field day. The Trust suffers a lack of, well, trust. Data protection laws are broken. It’s a GDPR nightmare. The PR manager says, with uncharacteristic understatement, ‘I think this is going to hurt.’
The consultant is sacked. He made basic errors and didn’t follow the Trust’s protocols. He was whaled, which meant he turned out to be the source of the breach, not the clinical staff he said loved to gossip.
Nick and Jerome are running a webinar: “Stories form us, motivate us and change us: why storytelling needs to be a critical part of your cyber-defences” on Thursday 20 June 2019 between 1pm and 2pm (UK time). You can register here.
Don’t become a whale! Read our CEO cyber thriller 'Whaling for Beginners’.
Find out how our GCHQ certified RESILIA® Frontline cyber security awareness training can increase your cyber resilience. Contact us via https://www.axelos.com/resilia-frontline