Macro security stories distract firms from real problems

Dataminion
2 min read · Feb 12, 2019


We’ve all seen the headlines. Huge companies, the 800-pound gorilla of your industry, brought briefly low when their breach becomes public. Some of those headlines even prompt internal discussions: “Do we have this kind of data? Should we be worried?” Most companies move on, admitting silently that they either don’t play at that level, or that the cost of implementing the right kind of solution is too high.

I used to spend my time working that way, but lately I have been thinking those are the wrong questions. Too many companies I talk to are whispering stories about impact to business that the wider world doesn’t seem to care about.

James works in HR. Most of his day is in screening calls with new applicants, or working with managers processing the giant hire packets that need to be broken up and sent to the right places when everything works out right.

James has seen it all: from shocked innocents who find out ten years after graduation that a recent audit has uncovered that their Literature 100 class didn’t meet state mandates (they didn’t actually graduate), to blatant liars who have deluded themselves into thinking that their expertise at imitation and accents is the perfect recipe for a “build your own professional reference sheet”.

So when James gets a follow-up email from a new executive hire wishing to correct her direct deposit form, it’s all old hat.

“Hi James, when my usual contribution to our mortgage account didn’t go through, Kevin suggested I may have forgotten to split up my direct deposit. Here’s the corrected form. Thanks in advance, Meghan”

James remembers talking to Meghan, a new member of the company’s leadership team, and also remembers talking with her about her artist partner, Kevin. He pulls up her old form next to the new one and sees it is much the same: same main account, same curly yet slanted signature, just divert 20% to a secondary account.

As a busy executive eager to make progress in her first months on the job, it takes Meghan 6 full payrolls to realize she’s being shorted.

If a big tech company breach is the Ocean’s 11 of online crime, this story is the equivalent of robbing a gas station. But this type of crime is on the rise.

From Symantec’s phishing report:

The phishing rate increased in January to 1 in 3,454 emails. At 1 in 238 emails, Mining topped the list of industries receiving malicious email in January. Public Administration came in at second place with 1 in 309 emails being malicious.

The most challenging aspect of this type of crime is that it didn’t do something straightforward like hijack your VPN or spread malware throughout your network. It simply took advantage of a single place where a business process relies on a human being to make an important decision about how money moves or is spent in your business.
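The control that would have caught James’s request is a process one, not a network one: the point where a person accepts a change to where payroll money goes needs a check that does not depend on the person recognising the sender. The script below is an added illustration, not code from the original post; it assumes a hypothetical corporate domain `example-corp.com`, a constructed stand-in for an HR directory lookup, and three constructed request messages. It flags the signals visible in the story (an external or look-alike sender domain, an address that does not match the employee on file, a reply-to pointing elsewhere, any change of payee account) and turns them into a required next step rather than a judgement call.

```python
"""Gate the human decision point in a direct-deposit change process.

Added example, not part of the original post. CORPORATE_DOMAIN, the directory
and the sample requests are all constructed/hypothetical.
"""
from dataclasses import dataclass
import re

CORPORATE_DOMAIN = "example-corp.com"  # hypothetical corporate mail domain

# Constructed stand-in for an HR-system lookup: display name -> record on file.
EMPLOYEE_DIRECTORY = {
    "Meghan Doe": {"email": "meghan.doe@example-corp.com", "account_last4": "4821"},
}


@dataclass
class ChangeRequest:
    display_name: str      # name shown in the mail client
    from_addr: str         # actual From: address
    reply_to: str          # Reply-To: address, "" if absent
    subject: str
    body: str
    new_account_last4: str # last four digits of the account on the submitted form


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def assess(req: ChangeRequest) -> list[str]:
    """Return the list of risk flags raised by a change request."""
    flags = []
    emp = EMPLOYEE_DIRECTORY.get(req.display_name)
    if emp is None:
        flags.append("unknown_sender")

    from_dom = domain_of(req.from_addr)
    if from_dom != CORPORATE_DOMAIN:
        flags.append("external_sender")
        if 0 < edit_distance(from_dom, CORPORATE_DOMAIN) <= 2:
            flags.append("lookalike_domain")

    # The display name matched someone we know, but the address behind it does not.
    if emp and req.from_addr.lower() != emp["email"]:
        flags.append("address_mismatch")

    if req.reply_to and domain_of(req.reply_to) != from_dom:
        flags.append("reply_to_mismatch")

    if re.search(r"\b(urgent|asap|before payroll)\b", req.subject + " " + req.body, re.I):
        flags.append("urgency_language")

    # Any change of payee account is a money-movement decision and gets flagged
    # regardless of who appears to have sent it.
    if emp and req.new_account_last4 != emp["account_last4"]:
        flags.append("new_account")
    return flags


def decide(flags: list[str]) -> str:
    """Map flags to the step the process requires before the form is accepted."""
    if {"unknown_sender", "lookalike_domain", "address_mismatch", "reply_to_mismatch"} & set(flags):
        return "escalate_to_security"
    if "new_account" in flags:
        # Confirm using the phone number already on file, never one given in the email.
        return "verify_by_callback"
    return "process"


# Constructed sample requests modelled on the story above.
LEGIT_NO_CHANGE = ChangeRequest("Meghan Doe", "meghan.doe@example-corp.com", "",
                                "Direct deposit form", "Re-sending my form.", "4821")
LEGIT_NEW_ACCOUNT = ChangeRequest("Meghan Doe", "meghan.doe@example-corp.com", "",
                                  "Direct deposit form", "Please split 20% to my mortgage account.", "7730")
LOOKALIKE = ChangeRequest("Meghan Doe", "meghan.doe@examp1e-corp.com", "",
                          "Corrected direct deposit", "Kevin suggested I forgot to split it up.", "7730")


def run_samples() -> dict[str, str]:
    return {
        "no_change": decide(assess(LEGIT_NO_CHANGE)),
        "new_account": decide(assess(LEGIT_NEW_ACCOUNT)),
        "lookalike": decide(assess(LOOKALIKE)),
    }


if __name__ == "__main__":
    for name, outcome in run_samples().items():
        print(f"{name}: {outcome}")
```

The point of `decide` is that the answer for a genuine account change is still a callback: the process, not James’s memory of Meghan and Kevin, decides when money moves. The look-alike case is caught by the directory mismatch even if the single-character domain trick goes unnoticed.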

Plenty is written about the hypothetical cost of a large breach. Maybe what we should be talking about is the very direct cost that results when money leaks from your business processes.

Dataminion

Data Scientist, Soapbox ranter, Apache Spot Committer