Social experiment: Why you shouldn't have plugged in this USB stick
Would you describe your company today with ransomware and ATPs as safe and unassailable?
As most regular readers of this blog know, 80% of our daily business focuses on security. With Avanet, we have relied on Sophos security solutions right from the start and have never regretted this decision. We enjoy helping customers who are interested in the security of their business and are also convinced of Sophos products.
For a marketing campaign in November 2016, we once chose the complete opposite of our regular customers as our target. We tried to convince CEOs of Security who had never thought about it or were convinced that the existing solution would offer security. We have also said goodbye for once to our previous marketing method, online marketing. What came out of it? Unfortunately nothing pleasant, which is why we have decided to share our experiences with you. Our marketing campaign has shown us in a frightening manner that we simply need much more information in the area of “security in the company” and that even the simplest methods could easily penetrate a company’s network. You can read the whole story here.
When we talk to potential customers and ask them discreetly about the subject of IT security, we always hear the same answer:
“We’re sufficiently protected and something like this can’t happen to us anyway. Our company is far too small and far too unimportant for a hacker.”
The fact is that it is no longer about the small hacker in the basement, who only chooses large companies as his target. Especially the story with the encryption Trojans clearly shows that everyone who has a computer, Internet and e-mail is a target. When we point out the dangers of email attachments, CEOs are confident that their employees are careful and would certainly not do anything imprudent. What can we say about that, except, “May we test this?” It is obvious that nobody wants to agree to this and so we asked ourselves the following question with regard to our new marketing campaign:
“How do you convince a potential customer of IT security who has never thought about it or feels that he is sufficiently protected?
Our marketing idea and how we implemented it
One thing was very important to us when planning our campaign. We wanted to be “the good ones” and our action should help to draw more attention to today’s dangers. In order to be as effective as possible, it also took a portion of sweat to get rid of the thought that “I’m safe and nothing can happen to me”.
So we had 100 USB sticks delivered to us, to each of which we copied an HTML file with the following content.
At this point I would like to emphasize once again that the stick really only contained a harmless HTML file. As I said, it was never our intention to harm a company. We then put the USB stick into an envelope, only with a Post-it note with the inscription:
“As discussed the project data. Greetings + Thanks”
The letter was labeled only with the address of the recipient. We have deliberately avoided the sender in order to increase people’s curiosity and the likelihood of the USB stick being plugged in.
Now I have three questions for you::
- What would you have done if such a letter had ended up in your mailbox?
- What would your employees have done?
- How many times do you think the USB stick has been inserted?
Angry people, threats and police
We were well aware that this action was quite bold. Would people understand our “good intentions” and be grateful that they got off with a black eye this time?
The answer was clearly “NO”. This turned out three days later when we called people and asked about the USB stick. I would say that out of 80 people reached, about 5 understood the action and even praised an original marketing campaign.
The rest of the people were angry, saw us as the enemy and threatened legal action. Two of our USB sticks even ended up at the police station.
65% Insertion rate
Let’s put the emotions aside and focus on the impact of our campaign. The frightening thing was that 65% of all people who could be reached by phone plugged in the USB stick in the company! If you assume that not everyone admitted to having inserted the stick after all, it would be even more on average.
This means that at least 52 people have compromised security in their company by inserting a stick without knowing who it is from and what files are on it.
Although we can understand the angry reactions of these people, we are of course of the opinion that here the own ego has no place. You should realize that in this situation you were attackable via a stupid, simple USB stick and caught with a method from 1990. In such an attack even the best firewall in the world could not have done anything, because the stick was smuggled past the security check. The human being was probably the greatest danger here in the end, because without him the USB stick would never have got into the network. To train the employees sufficiently and to point out such dangers is an important part of your IT security.
Our marketing campaign has shown that an endpoint protection must be installed on every client in a company. Only good endpoint protection that acts by behavior and does not rely on signatures is the norm these days. Anyone looking for such a product at Sophos will sooner or later end up at Sophos Central. We always recommend the dream team Sophos Central Endpoint + Intercept X as basic setup.
Anyone interested in Sophos Central should definitely contact us about our new Sophos Central subscription. We now also offer the possibility of monthly billing according to the “pay-as-you-go” principle.
Even though we did not win any new customers through this campaign, in our opinion it was not completely in vain. We are convinced that this action will make some people act more cautiously and hesitate next time before they insert a USB stick into their computer.