ISTM#40: Fighting Cybercrime with Words

 

I was already concerned about online crime in January when Russia threatened to use both nuclear and cyber weapons in the Ukraine and against the US. It was chilling then and even more chilling as I write now, as their tanks move forward. 

Until that moment, I had not considered the possibility of hacking as a weapon of mass destruction, but the evidence has been there: Homeland Security has reported on attempts to poison Florida drinking water and at least one infant died because of a 2019 ransomware hospital attack.

I cringe at thoughts of what Russian-backed hackers may have in store for the Ukrainians. I’m afraid it will significantly exceed the worst damage that I know has occurred in the US with the Colonial Pipeline attack that turned off fuel supplies in a significant portion of the US.

Hurricane Hollering

As you probably already know, hacking is no longer the purview of mischievous teenagers. It is now the turf of criminal gangs and financed by hostile governments. Not far from those tanks you may have seen rolling in Belarus, there are buildings filled with Russian financed hackers.
Many of us have known this for a while but we tend to shrug and walk away. It feels like there’s little for us to do but keep our antivirus software current and hope for the best. As for taking on organized criminals and malevolent governments, we feel like our personal efforts are as futile as hollering at a hurricane.

In the past few years, I’ve come to know a few cybersecurity officers at companies that are larger than the startups I have historically worked with. I have completed a few writing projects where the challenge has been to simplify the language of compliance regulations. They had come to me because my specialty is to simplify complex language without dumbing it down. They have encouraged me to offer my editorial services to others and assure me that even if this Ukrainian situation blows over, those Belarusian hackers will be busily assaulting other organizations in places that the Russian government doesn’t like.

The data points that way as well: 

According to TechJury, there are 1.3 million pieces of malware created annually, with 30,000 attacks to enterprises each day. Last year, 64 percent of all companies reported attacks but the consensus in the cybersecurity community is that number is significantly higher. Many companies just don’t want it known when they get attacked. Cybersecurity teams manage to catch well over 90 percent of all digital attacks, but the malware that manages to slither through firewalls and then replicate itself many times over does significant and expensive damage.

Clicks Cause Havoc

Of course, the way that the infection gets in is almost always human error. The bad actors know that most of us are curious by nature. So, they dangle phishing bait that attracts us the same way that worms entice fish. We click on promises that we “won’t believe what she did next” or we take a survey and give away personal data because we believe it when they say our opinion matters.These are old tricks that still work millions of times every day. There are others, such as scattering infected thumb drives in corporate parking lots.

When people get sucked in this way, nothing bad happens immediately. The malware lies dormant. A few hours after someone sees what she did next, that person has forgotten about the incident and goes ahead and uses their phone to check email at work. That’s when the malware innocuously slips into the enterprise IT system, which is of course connected to partner IT systems and so on.

And still nothing happens for a while. It lays dormant, just like the Covid virus does, except digital viruses may keep on spreading undetected for months before it springs alive bringing systems down.

A great number of very smart and dedicated people stand at the line, like firefighters anticipating a wildfire they cannot yet detect. They are employing the best people who use the best practices and keep hoping for even better practices to come.

Simmering Concerns

I propose that people like me become part of a better practice. While the technology of cybercrimes is being heavily invested, communicating with the people who enable these attacks has room for great improvement. So does educating people on what to do when infections are discovered.

After completing a few writing assignments that were enthusiastically received, I started realizing that enterprises could not solve their cybersecurity issues without improving communications programs. What is needed is people who speak the language that is interesting and memorable. 

Let me explain.

Corpspeak

In Naked Conversations, my 2006 book, I assailed something I called Corpspeak (Pronounced CORPSEpeek). I argued that Corpspeak was the language of bureaucrats who seem to think that a page filled with words is better than a crisp bulleted phrase. Corpspeakers would take a day to make the message “Go ahead make my day.”

Although I see a few improvements over the past 15 years, Corpspeak still abounds in the language of cybersafety and in so doing, it makes everyone less safe. For example, why should we call this topic cybersafety, which sounds technical instead of online safety, which is more easily understood? Why is it cyberattack rather than just digital attack?

I would like to help Online Safety officers purge Corpspeak from their practices. Before incidents occur, people need to know how to prevent them clearly. When incidents do occur, they need to know what to do quickly.

Customized Messages

I’ve spent some time thinking about how to customize messages and talking to a few corporate cybersafety officers and started shaping out a few ideas that illustrate what my approach might be.

Here’s a sampling:

• Breakroom Posters. Almost all large organizations have employee break or lunchrooms, and each of them features a bulletin board. I would use them to post a cartoon character offering cybersafety tips, such as “When in doubt, don’t click!” or, perhaps warning that thumb drives discovered in parking lots are malware traps. EachAlmost all large organizations have employee break or lunchrooms, and each of them features a bulletin board. I would use them to post a cartoon character offering cybersafety tips, such as “When in doubt, don’t click!” or, perhaps warning that thumb drives discovered in parking lots are malware traps. Each would be designed to alert workers against phishing traps such as marketing surveys that pop up or arrive by email from unknown source. would be designed to alert workers against phishing traps such as marketing surveys that pop up or arrive by email from unknown source.

• Video Blog. I love using humor and entertainment to make serious points. I envision a blog directed at mid level and junior employees. It would be camp, featuring a character blatantly based on the Superman character. Each episode he (or she) would rescue some employee from doing something that could cause infection.

The intended outcome is to not just teach a lesson but to make it memorable. It also takes the officious tone of legal and compliance documents and humanizes them. It implies more of a collaboration between message deliverers, and management directives.

Other projects would be developed on a more serious level and be delivered in businesslike tones.

A few examples:

• Management Updates. I would collaborate with cybersafety officers to produce monthly newsletters for middle managers. They would include case studies of what happened in their company or elsewhere in the previous month and talk about how they could have been either prevented or resolved faster. The underlying current is to make managers feel that they are collaborating with the cybersecurity team.

• White Papers. The term itself has changed from something academic to marketing papers. I propose white papers that are structured in the former way. They would examine challenging cybersecurity problems and analyze alternative approaches to a solution and end by proposing specific solutions. Three that I have in mind:

⒈ Biological and Digital Viruses. This paper would argue that both types of viruses behave almost identically and the best way to understand, contain, and defeat one is very similar to how we would defeat the other.

⒉ Translating Corpspeak. Every enterprise is saddled by compliance Standards and Protocols written in flourishing Corpspeak that would cure insomnia for most readers. I understand that Partner terms and laws—particularly in Europe—require they be presented verbatim to employees. But there seems to me no reason that you cannot prefix each Standard and Protocol with an executive summary that briefly explains the key point and what employees are required to do to comply.

⒊ Index of Terms. It seems to me that online security has introduced a whole new classification of Corpspeak jargon. I would create an Index of Terms that allows all employees to simply look up any words and terms that they may not understand. It would be a living document where words would be added as needed, and if a term becomes generally recognized it could be removed from the Index.

I have other ideas, but I think this should give you an overview of the sort of things I could do to help your organization. You may also have your own ideas or face unique challenges that I could help you with. Our next step could be to start a conversation. If that is the case, please use the email in the paragraph below.

+++++

Shel Israel writes books, speeches, byline articles and white papers for tech business executives. ItSeemstoMe (ISTM) is his personal blog. Email him at shel@shelisrael.com to subscribe. Just say “subscribe” in the subject line. To unsubscribe, just hit Reply and write STOP! In the subject line.