Avanet

Social Experiment: Why You Should Not Have Plugged In This USB Stick

Would you describe your company as secure and invulnerable today, in an era of ransomware and APTs?

As most regular readers of this blog know, around 80% of our day‑to‑day business is focused on security. At Avanet, we have relied on Sophos security solutions from the very beginning, and we have never regretted that decision. We enjoy working with customers who take their company’s security seriously and who are equally convinced by Sophos products.

For a marketing campaign in November 2016, we deliberately targeted the exact opposite of our usual customer base. We tried to convince CEOs who had never really thought about security before, or who believed that their existing solution offered sufficient protection. We also consciously departed from our usual online marketing approach for once. The result? Unfortunately, nothing positive, which is why we decided to share our experience with you. Our campaign showed us, in a rather alarming way, that there is a serious lack of awareness around “security in the enterprise” and that, with the simplest of means, it is often trivially easy to gain access to a company network. You can now read the whole story here.

Background

When we talk informally with potential customers and discreetly ask how things look in terms of IT security, we almost always hear the same answer:

“We are sufficiently protected, and something like that simply cannot happen to us. Our company is far too small and unimportant for a hacker.”

The reality is that this is no longer about some lone hacker in a basement targeting only large corporations. The entire history of ransomware clearly shows that anyone with a computer, Internet access, and e‑mail is a potential target. When we then point out the dangers of e‑mail attachments, CEOs are invariably convinced that their staff are careful and would never do anything reckless. What more is there to say than: “May we put that to the test?” Obviously, no one wants to give consent to that, so in preparation for our new marketing campaign we asked ourselves:

“How do you convince a potential customer about IT security if they have never really considered it, or are convinced they are already sufficiently protected?”

Our marketing idea and how we implemented it

One thing was very important to us when planning this campaign: we wanted to be “the good guys”, and we wanted our campaign to help raise awareness of today’s threats. To be truly effective, we also needed to cause a bit of a cold sweat - enough to dispel the idea, “I am safe and nothing can happen to me”.

So we ordered 100 USB sticks and copied a single HTML file with the following content onto each one.

[Image: USB stick landing page, the HTML file that was placed on each stick]

At this point, I want to emphasize again that there really was only a harmless HTML file on the stick. As mentioned, we never intended to cause any damage to any company. We then put the USB stick in an envelope, with just a Post‑it note that read:

“As discussed, the project data. Cheers,”

The envelope was addressed only with the recipient’s address. We deliberately omitted a sender to increase curiosity and the likelihood that the USB stick would be plugged in.

Now I have three questions for you:

  1. What would you have done if such a letter had landed in your mailbox?
  2. How would your staff have behaved?
  3. What do you think: how many times was the USB stick actually plugged in?

Angry people, threats and the police

We were fully aware that this campaign was rather bold. Would people understand our “good intentions” and be grateful that this time they had got away with just a scare?

The answer was a resounding “NO”. That became obvious three days later, when we called people and asked about the USB stick. Of around 80 people we managed to reach, I would say roughly five understood what we were trying to do and even complimented us on an original marketing campaign.

The rest were angry, saw us as the enemy, and threatened legal action. Two of our USB sticks even ended up with the police.

65% plug‑in rate

Leaving the emotions aside for a moment and focusing on the effectiveness of our campaign, the truly alarming part was that 65% of all the people we reached by phone admitted that the USB stick had been plugged in at their company. Assuming that not everyone was willing to confess that they had in fact plugged it in, the real figure is likely even higher.

In other words, at least 52 people endangered the security of their company by plugging in a USB stick without knowing who it came from or what files were on it.

Conclusion

While we can certainly understand the angry reactions, we believe this is not the time for bruised egos. You need to recognize that in this situation you were vulnerable to a silly, simple USB stick and were caught out by a technique straight out of the 1990s. In such an attack, even the best firewall in the world would be powerless, because the stick was effectively smuggled past the security perimeter. Ultimately, the human factor was the greatest risk here, because without a person, the USB stick would never have made it into the network. Properly training staff and raising awareness of such risks is a critical part of your IT security.
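Because a dropped USB stick never crosses the network perimeter, the only place it can be noticed is on the endpoint it is plugged into. The following Python example is added here to illustrate that point; it is not code from Avanet or Sophos, and it does not reproduce anything that was on the sticks. It parses the kernel messages a Linux host writes when a USB device enumerates (the `usb ... New USB device found`, `SerialNumber:` and `usb-storage ... USB Mass Storage device detected` lines), groups them per port, and reports every mass storage device whose serial number is not on an allowlist. The log lines, serial numbers and the allowlist itself are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample kernel log (dmesg style). Three devices enumerate:
# a mass storage stick on port 1-1, a mouse on 1-2, and a second stick
# on 1-3. Serial numbers and IDs are illustrative, not real inventory.
SAMPLE_LOG = """\
[ 1234.567890] usb 1-1: new high-speed USB device number 5 using xhci_hcd
[ 1234.700000] usb 1-1: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
[ 1234.700200] usb 1-1: Manufacturer: SanDisk
[ 1234.700300] usb 1-1: SerialNumber: CONSTRUCTED0001
[ 1234.710000] usb-storage 1-1:1.0: USB Mass Storage device detected
[ 1235.800000] sd 6:0:0:0: [sdb] Attached SCSI removable disk
[ 2000.000000] usb 1-2: new low-speed USB device number 6 using xhci_hcd
[ 2000.100000] usb 1-2: New USB device found, idVendor=046d, idProduct=c077, bcdDevice=72.00
[ 2000.100100] usb 1-2: Manufacturer: Logitech
[ 3000.000000] usb 1-3: New USB device found, idVendor=1234, idProduct=abcd, bcdDevice= 1.00
[ 3000.000100] usb 1-3: SerialNumber: CONSTRUCTED0002
[ 3000.010000] usb-storage 1-3:1.0: USB Mass Storage device detected
"""


@dataclass
class UsbDevice:
    """Everything the kernel tells us about one enumerated device."""
    port: str
    vendor_id: str = ""
    product_id: str = ""
    manufacturer: str = ""
    serial: str = ""
    mass_storage: bool = False


# Patterns for the kernel usb / usb-storage messages. The port ("1-1",
# "1-3") is the key that ties the separate lines of one device together.
NEW_DEVICE = re.compile(
    r"\] usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-fA-F]{4}), idProduct=(?P<pid>[0-9a-fA-F]{4})"
)
MANUFACTURER = re.compile(r"\] usb (?P<port>[\d.-]+): Manufacturer: (?P<name>.+)$")
SERIAL = re.compile(r"\] usb (?P<port>[\d.-]+): SerialNumber: (?P<serial>\S+)")
MASS_STORAGE = re.compile(
    r"\] usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected"
)


def parse_usb_events(log_text):
    """Group kernel USB messages into one UsbDevice per port."""
    devices = {}
    for line in log_text.splitlines():
        m = NEW_DEVICE.search(line)
        if m:
            # A new enumeration on a port replaces whatever was there before.
            devices[m["port"]] = UsbDevice(
                port=m["port"],
                vendor_id=m["vid"].lower(),
                product_id=m["pid"].lower(),
            )
            continue
        m = MANUFACTURER.search(line)
        if m and m["port"] in devices:
            devices[m["port"]].manufacturer = m["name"].strip()
        m = SERIAL.search(line)
        if m and m["port"] in devices:
            devices[m["port"]].serial = m["serial"]
        m = MASS_STORAGE.search(line)
        if m and m["port"] in devices:
            devices[m["port"]].mass_storage = True
    return list(devices.values())


def unauthorized_mass_storage(log_text, allowed_serials):
    """Return mass storage devices whose serial is not on the allowlist.

    A device that reports no serial at all has serial "" and is therefore
    always flagged: it cannot have been approved by serial number.
    """
    return [
        d for d in parse_usb_events(log_text)
        if d.mass_storage and d.serial not in allowed_serials
    ]


if __name__ == "__main__":
    approved = {"CONSTRUCTED0001"}  # constructed allowlist of company sticks
    for dev in unauthorized_mass_storage(SAMPLE_LOG, approved):
        print(f"ALERT: unapproved mass storage on port {dev.port}: "
              f"{dev.vendor_id}:{dev.product_id} {dev.manufacturer} serial={dev.serial!r}")
```

Run as a script it prints one alert, for the stick on port 1-3. The allowlist-by-serial logic is the same decision a device control policy makes; doing it in a log pipeline shows the plug-in event to the people who need to see it, which is exactly what a firewall at the perimeter cannot do for a stick that arrived in an envelope.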

Our marketing campaign also demonstrated that every endpoint in a company needs an endpoint protection solution. In today’s world, only strong endpoint protection that uses behavioral analysis rather than signature‑based detection is truly adequate. Anyone looking for such a product at Sophos will sooner or later end up at Sophos Central. As a baseline, we always recommend the dream team of Sophos Central Endpoint + Intercept X. If you want to follow our recommendation, you can simply purchase Sophos Central Intercept X Advanced, which includes both products.

Even though we did not win any new business through this campaign, it was still not a complete waste of effort from our perspective. We are convinced that, as a result of this exercise, a few people will act more cautiously next time and think twice before plugging a USB stick into their computer.

David