It’s never easy for IT managers to convince finance colleagues to sign off on new spending plans. With this in mind, security services vendor NCC sought to do its clients “a favor” with a vivid demonstration of the importance of its wares.
In January, NCC sent 500 finance chiefs of London-listed companies a cryptic invitation to “the party of a lifetime.” The only information offered, apart from the date of the purported party, was an “RSVP” etched onto a memory stick.
Deviously, NCC also slipped a bit of code onto the sticks that triggered security software, forcing users to choose whether to allow the program to run. A whopping 47 percent of recipients clicked “yes.” The program was benign and only notified a server back at NCC of which CFOs were duped. “But they did everything necessary to cause a fairly serious infection of their networks,” says Paul Vlissidis, NCC’s chief hacker. “In my experience, security awareness is inversely proportional to seniority,” Vlissidis adds, which may explain why so many finance execs fell for the phony invitation.
With hackers increasingly customizing one-off attacks on specific companies, traditional anti-virus software no longer provides enough security. Check out Scandinavian bank Nordea, which recently was hit for SKr8 million ($1.15 million) by cyber-criminals, causing a much larger dent to the bank’s reputation in the process.
Sportingly, NCC kept its stunt secret from its own directors, including them on the sham party’s invitation list. Chairman Paul Mitchell fell for it, Vlissidis admits, though finance director Paul Edwards showed more sense. “He threw it in the bin, which is exactly the right thing to do.”