Security Culture Matters Now More Than Ever

10–30–2023 (Wednesday)

Hello and welcome to another edition of The Intentional Brief - your weekly video update on the one big thing in cybersecurity for growth stage companies, investors, and management teams.

I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.

Today is Monday, October 30, 2023, and with Halloween right around the corner, it’s fitting that we talk about a potentially spooky topic this week - violent ransomware gangs.

What Does Security Culture Really Mean?

Microsoft’s Threat Intelligence team put out a blog post this week called “Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction.” In case you missed it, Microsoft has rolled out a new naming methodology for threat actors that combines a color and a weather phenomenon - but I couldn’t tell you what “color” Octo is.

They’re talking about a group also known as UNC3944, or Scattered Spider - the group who uses social engineering to penetrate organizations like Okta (whom we talked about last week), and supposedly the recent MGM and Caesar’s hacks.

While the article actually has some great detail on the group’s tradecraft, it features two screenshots of text messages they sent to admins of their target groups with a range of threats, including sending someone to shoot their house, kick their door in, or shoot their spouse.

I want to talk about this for a couple of particular reasons.

First, it represents, to me, a significant escalation in tactics from the threat actors, who continue to use fear, shame, and aggressive coercion techniques to manipulate their human victims. This comes, of course, as we faced another weekend of mass shootings in the United States, and it would be understandable that system administrators would be fearful of these groups - loosely affiliated with Russian intelligence organizations that actually do carry out executions on foreign soil.

Secondly, it should re-affirm the idea that security culture is critically important to the resilience of our organizations, and that culture in general is an underutilized tool.

So - what can we do about this as leaders? I think there are a few things.

First, we need to remove any notion of additional fear or punishment that employees (front line or technical) might have in reporting when something is wrong, even if it’s their own mistake.

Threat actors use this time - post-action and pre-reporting - to establish persistence, move laterally, and ultimately encrypt and/or exfiltrate data. We need to close this feedback loop to as little time as possible to give ourselves a fighting chance against these threats.

Furthermore, we need to find ways to cultivate input and intelligence from our front-line employees. If they’re afraid that there will be consequences - even small social consequences that feel like shame - they’re less likely to report anomalous activity.

If we see escalated tactics like threats of violence - the stakes continue to rise.

As leadership teams, we need to ensure that our employees don’t only encounter our security teams, tools, and practices when things are already going wrong or only in an annual training context such as a phishing exercise. The first time most users encounter a security function within their organization is when something’s gone wrong, and these interactions are not particularly pleasant.

We need to create opportunities for positive interactions with security teams to build relationships, familiarity, and a confidence that employees will get help - not consequences - when they reach out. This can be difficult for a host of reasons, not the least of which is that security folks have a well-earned reputation for being prickly.

But by softening the approach and building bridges before they’re needed, we can band together to defeat these criminal gangs who are leveraging base human reactions to great effect.

I often say that “cybersecurity is a team sport” - and that’s particularly true in this context. Get the team together, understand who the players are and their positions, and when the make or break play comes up, the teams that prepared together are the teams that will win. Your job as leaders - as coaches - is to put that work in ahead of time, over time, every time.

Fundraising

From a fundraising perspective, as we head into Halloween, we’re looking at nearly $12B of newly committed capital last week, including a $3.4B raise from Alpine Investors for a continuation fund for portfolio company Apex Service Partners, a provider of HVAC, plumbing, and electrical services - a good reminder that unsexy but profitable businesses will remain compelling in these tumultuous markets.

Speaking of tumultuous markets, we also saw an article from Bloomberg noting that the US IPO Market is “teetering on edge” after a couple of disappointing offerings. The article notes:

“Those lackluster showings have played out against the backdrop of a broader market decline and continuing high interest rates, as well as the tumult in Washington, where the threat of a federal government shutdown as soon as next month could re-surface. Geopolitical concerns, including the continuing war in Ukraine and a possible widening of the Israel-Hamas conflict, could further roil markets and jam the IPO pipeline into next year.”

If nothing else, a good reminder that we are not operating in a vacuum here.

You can find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.

Links

https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/

https://www.bloomberg.com/news/articles/2023-10-24/us-ipo-market-teetering-on-edge-after-fall-class-disappoints
