FBI Says Companies Ignore Their Warnings

I have said, in the past, how come the government doesn’t warn companies when they have intel that the companies are targets of hackers?

Well, we did get one data point on that after the DNC hack last year, but now we have more data points.

As a reminder about what happened last year, the FBI, on multiple occasions, called the DNC to tell them they had been hacked.  In that case, we only had one data point – what the DNC did – so that is of some, but limited use.

In the DNC case, the FBI apparently called some number like the help desk and the people who they talked to thought it was a prank.  And ignored them.  Multiple times.

In that case, I blame both the DNC and the FBI.

I blame the FBI because their office was about a mile from the DNC HQ and if they were at all motivated, they could have taken a lunchtime stroll over to the DNC offices, whipped out their bright, shiny, tin badge (or whatever their badges are made out of) and asked to talk to the HMIF (the head dude/dudess in charge).

I blame the DNC for not training their people correctly.  It is not the job of a low level IT person to make that decision.  Their job is to forward that information up the food chain TO THE TOP as quickly as possible.

Now we have Donald Freese, a 20+ year veteran of the FBI and the former director of the National Cyber Investigative Joint Task Force, speaking at a conference.

Mr. Freese says that over a third of the businesses that the FBI reaches out to in order to tell them that they are being targeted or hacked ignore the warning.

Said differently, less that 70% of the people whom the FBI warns actually take some action about the warnings.

Freese says that even when the FBI issues a “targeted identity notification”, within a few days to a week, the FBI sees hacker attack beacons coming out of the company that they notified, meaning that the target’s network has been successfully compromised.

Before I go on, try this tomorrow.

When you get into the office, ask the receptionist what he or she would do if he or she got a phone call or email claiming to be from the FBI saying that they had information indicating that your company’s network was likely to be attacked soon.

I suspect that, at most companies, the answer that you will get is not the answer that you want.

In my not-so-humble opinion, that person should take down the information and forward it to the CEO.  Hand carrying it and placing it in his or her hand is best.  While it is true that the call might be a hoax, that will be easy for the CEO to figure out.

AND, as a point to remember, if you do not already have a relationship with the folks in your local FBI office – if you cannot pick up the phone and say “Hi Sam, this is Mitch and I just got a call purported to be from you – can you validate this for me” and that FBI agent doesn’t know who the hell you are, then you need to fix that right now.

Mr. Freese didn’t pull any punches about why 30%-40% of companies ignored the warning and none of those reasons are pretty.  His top reasons, I suspect in no particular order —–

  • Disbelief – OK, I can get that.  Not a reason for inaction, but, OK.
  • Hubris – Enough said
  • Interference by in house counsel – Wait, I thought they were on your side?
  • Fear of the C-Suite – that’s not good.  We are going to risk the company going down the tubes because we think the CEO will get mad
  • Incompetence

While I have no clue whether your company would fall into the one-third plus that would do nothing or the two-thirds that would do something, I will leave everyone with this question:

If your receptionist got that call or email tomorrow, would your company EFFECTIVELY deal with the call or email and would you be able to RAPIDLY deploy a trained, skilled and impactful cyber incident response team?

If the answer is no, now is the time to fix that problem.

Information for this post came from SC Magazine.

Leave a Reply

Your email address will not be published.