07 March 20, 06:56
Quote:
At RSA Conference 2020, the former director of Cyber Intelligence and Investigations for the NYPD talked about how the police have raised cybersecurity awareness.
While I was looking over sessions at RSA Conference 2020, a talk called Tackling cyber-enabled crime at scale: Moving enforcement forward caught my eye. As someone who is quite addicted to Law & Order and is also into cybersecurity, I thought it sounded like a real-world version of a bad hacker TV show, but at the New York City Police Department (NYPD).
The speaker, Nick Selby, had a great story to tell. You see, New York City has a big problem with cybercrime — a nine-figure problem. It seemed everyone from digital natives to baby boomers had fallen victim to cybercriminals, from phone scammers to ransomware, a Nigerian uncle needing a money transfer, and more.
Most times, it is the NYPD that victims call. However, any time the officers responding to a call heard tech words such as Bitcoin, their first response was something like “not my monkeys,” because, well, it was cyber. In police officers’ and detectives’ mental maps, cyber was what some other agencies dealt with. They used to advise victims to call the FBI, and that was that.
For a city the size of New York City, that was a problem. Selby knew it, as did his superiors at the NYPD, who tasked Selby with helping change the culture and train officers to care about cybersecurity.
The whole presentation captivated me and discussed all of the cool things that the team did in terms of stopping cybercrime and helping get people their hard-earned money back. The story isn’t mine to retell here, but I strongly suggest watching the full talk below.
However, the thing that I couldn’t get past in the presentation was this notion: Selby had to help change this culture and train officers to care about cybersecurity.
Anyone who has led security training has probably gotten snarky questions or comments like:
* I work in finance, why should I care?
* I work at the front desk, why should I care?
* I am on the service desk, c’mon man, I know security!
And my favorite overheard-in-the-office whine:
Ugh, security training, AGAIN?
Now, we’ve all been there and had to do something that we didn’t feel was necessary to our jobs. The problem, though, is that cybersecurity touches everything. Seriously. Here are just a few from the average workplace:
* Finance — they manage the money. How many scams have we discussed involving money being sent to the wrong account?
* Reception — the first face you see, the person who lets everyone into the building. Receptionists also usually hand out guest Wi-Fi credentials. Consider the reception desk’s role in protecting companies from people like those crooks who connected malicious hardware to corporate networks.
* Service desk — they fix computers and administer devices. Who can give you a USB stick should you need to move a PowerPoint between two computers? Without IT, people might resort to hunting for abandoned drives around the office.
Do you see my point? All employees are technically attack vectors, but they are typically not thinking along the lines I mentioned above.
...