Fox and the Hens: A Cybersecurity Story
You, the farmer, have a lovely den of hens, providing you with a daily supply of fresh eggs. It wasn’t long before the clever fox took notice.
First, the fox jumped over the fence and made off with a few eggs.
So, you built a taller fence.
Next, the fox burrowed under the fence and made off with a few more eggs.
So, you drove spikes in the ground.
Then, the fox hid in the delivery truck as it returned from its rounds. Having spent the whole night in your farm, he ate one whole chicken.
This time, you brought home a guard dog. Let’s see you try now, sly fox!
Frustrated and hungry, the fox spoke to his fox friends. How do you guys get into your farmer’s chicken coop? Another fox replied, “That’s easy. Scam the hens.”
So how does this little fable relate to cybersecurity? The farmer, as you might have guessed, is you, the business owner. The fox, naturally, is the hacker. The point of the story is to illustrate the progression of how the hacker’s approach has evolved.
The fence in the story is traditional cybersecurity technology like antivirus and firewalls. The theory was that if you build a fence tall enough, you’d keep hackers out of your network.
Undeterred, the hackers moved on to exploiting vulnerabilities in your network, like unpatched servers and workstations exposed to the Internet for remote access (unlocked delivery truck).
When you finally hire an IT professional to plug those holes (guard dog), the story takes a dark turn: The fox turns to your hens with tricks, lies, and bribery.
Phishing, as it is called, is the predominant technique by which hackers infiltrate your network. Phishing is no more than an email filled with tricks, lies, and bribes to get your employees to give up their password, running a malicious code, or wiring money to the hacker!
So what’s the best defense against phishing? User education.
There are many phishing tests out there that send periodic test emails to see who clicks on them. The aim of the test is not to single out or shame anyone. The results should be kept private and anyone failing should be offered training materials that will help spot scams in the future.
Of the solutions I’ve tried, KnowBe4 (https://www.knowbe4.com) does the best job at automating the entire process. It can also generate reports on who might be failing repeatedly or refusing to take the training. When I previously recommended KnowBe4 pre-COVID, I didn’t get much interest from the clients because anything costing extra was seen as unnecessary. But with much of the workforce shifting remote and cybercrime becoming rampant, we’re seeing clients ask for it and I think that’s a good thing.
We’ll all be safer when the hens can alert the guard dog that there is a fox in the chicken coop.
Speaking of other post-COVID necessities, read my blog about backup internet connection.