Your phone dings at you at 6 am. It’s too early, you ignore it. Then it dings at 6:05. And again at 6:08, 6:10, 6:15. You begin to suspect something might be amiss so you wipe the sleep out of your eyes and fumble for the phone.
“EMERGENCY! We’ve been hacked! Someone is sending out an email virus as us! Can you take a look?”
“Our clients are getting hacked now because they clicked the link!!!!!!”
“Can you call me??????”
The first thought that goes through your mind is that they aren’t being hacked, that they’re experiencing backscatter. That’s usually the case. Especially when you’ve recently had “the password talk” with the client. You see, about 3 months before this, one of the owners had been on vacation and someone stole their email password.
First I changed the password, then I had the talk. Complexity, VPN, MFA, different passwords for different services, never use a public computer…the usual stuff. But they didn’t understand why I was being so demanding and, well, they didn’t want to give up control of their own computer and data systems. Also, they had signed a hold-harmless agreement, indicating that they understood the ramifications of their decision.
And then they went on vacation again. And used a public computer again. And, well, then I got hysterical text messages at 6am. I padded down to my office and did a remote session with the office manager. The hacked account was a shared account so it could be a few different people who let the password out in the wild. I looked through the sent mail folder but nothing was in there. Yet, I knew email was being sent because I received one myself and because they were getting responses from others who clicked the link. Where were the sent messages though? I needed coffee desperately if I was going to figure this out. Turns out, the email in the exposed account was sent and then, via a rule, automatically moved to the trash. Thankfully, they had not set the trash to auto-empty.
I changed the password, removed the rule, and set about finding out where this hacker was. M365 provided the ability to immediately sign the account out of all devices. Combined with the password change, that kept us safe – at least for a while. Then we looked at the logs. The hacker was located in the vicinity of where the boss vacationed. Coincidence?
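The rule that hid the outbound mail in the trash is a classic sign of a hijacked mailbox, and it is easy to miss by eyeballing the Sent folder. Below is an added example, not code from the post or from Microsoft, that triages an export of a user’s inbox rules for the patterns a defender should look at first: rules that move mail into the trash or other hiding folders, delete it, forward or redirect it elsewhere, or carry a near-empty name. It assumes the rules were dumped with `Get-InboxRule -Mailbox <user> | ConvertTo-Json` (the property names below are those of that cmdlet’s output); the hiding-folder list and the sample export are constructed for the example.

```python
"""Triage an Exchange Online inbox-rule export for signs of a hijacked mailbox.

Hypothetical helper, not from the original post. Assumes the rules were
exported with `Get-InboxRule -Mailbox <user> | ConvertTo-Json`; the sample
data below is constructed and trimmed to the properties this script reads.
"""
import json

# Folders an intruder commonly uses to hide mail from the mailbox owner
# (the post's rule moved sent mail to the trash). This list is an assumption.
HIDING_FOLDERS = {"deleted items", "junk email", "rss subscriptions", "archive"}

# Constructed sample export: the shape of `Get-InboxRule | ConvertTo-Json`.
SAMPLE_EXPORT = json.dumps([
    {"Name": "Vendors", "Enabled": True, "MoveToFolder": "Inbox\\Vendors",
     "DeleteMessage": False, "ForwardTo": None, "RedirectTo": None,
     "MarkAsRead": False, "From": ["supplier@example.net"]},
    {"Name": ".", "Enabled": True, "MoveToFolder": "Deleted Items",
     "DeleteMessage": False, "ForwardTo": None, "RedirectTo": None,
     "MarkAsRead": True, "SubjectContainsWords": ["Re:", "undeliverable", "invoice"]},
    {"Name": "backup", "Enabled": True, "MoveToFolder": None,
     "DeleteMessage": True, "ForwardTo": ["attacker@example.org"],
     "RedirectTo": None, "MarkAsRead": True},
])


def _folder_leaf(path):
    """Return the last folder component, lower-cased ('Inbox\\Sub' -> 'sub')."""
    if not path:
        return ""
    return path.replace("/", "\\").rstrip("\\").split("\\")[-1].strip().lower()


def parse_export(export_json):
    """ConvertTo-Json emits a bare object when there is exactly one rule, so
    normalise the export to a list either way."""
    data = json.loads(export_json)
    return data if isinstance(data, list) else [data]


def flag_suspicious_rules(export_json):
    """Return a list of {Name, Enabled, Reasons} for every rule worth a look."""
    findings = []
    for rule in parse_export(export_json):
        reasons = []
        leaf = _folder_leaf(rule.get("MoveToFolder"))
        if leaf in HIDING_FOLDERS:
            reasons.append(f"moves mail to hiding folder '{leaf}'")
        if rule.get("DeleteMessage"):
            reasons.append("deletes matching mail")
        for key in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
            if rule.get(key):
                reasons.append(f"{key} set to {rule[key]}")
        name = (rule.get("Name") or "").strip()
        # Attackers often give rules names like "." or ".." so they don't stand out.
        if len(name) <= 2 or not any(c.isalnum() for c in name):
            reasons.append(f"near-empty rule name {name!r}")
        # Marking as read only matters when combined with another hiding action.
        if reasons and rule.get("MarkAsRead"):
            reasons.append("also marks mail as read")
        if reasons:
            findings.append({"Name": name, "Enabled": bool(rule.get("Enabled")),
                             "Reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in flag_suspicious_rules(SAMPLE_EXPORT):
        state = "enabled" if finding["Enabled"] else "disabled"
        print(f"[{state}] rule {finding['Name']!r}:")
        for reason in finding["Reasons"]:
            print(f"    - {reason}")
```

Run against a real export, the two flagged rules are the ones to remove before the password reset and sign-out, otherwise the intruder’s mail keeps disappearing from view even after they lose the session. The leaf-folder match is deliberately loose because the export renders folder paths with a mailbox prefix that varies by tenant.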
Security and Technophobia
So why, when faced with repeated password stealing, was I getting pushback when I suggested that implementing MFA was critical to their security? Because it was a pain. Because they didn’t want to have to use an authentication app. Because they loved having a single password they could remember. Because because because…the list went on.
But this time, threatened with legal action from customers who succumbed to the phishing, I could see tiny tiny tiny cracks in the walls. One of the owners was gung-ho “Protect Us!” but the other (the offender) was still hesitant. Interestingly, the one who was pro-MFA was more technically adept than the hacked user, who was technically challenged. The relationship between technical security and a user’s technical confidence/fear would make for an interesting study.
This was an opportunity for me to get them on-board. Usually, my role was as the business partner, the advisor. I would make recommendations and give clients a menu of items to pick from. I could skew most of those in a way that they would make the right decision, but when it came to things like 2FA/MFA, things that were inconvenient, clients too often dug in their heels. But now, with their livelihood at stake, instead of being the partner or the advisor, I went into parent-mode. I didn’t advise, I didn’t recommend – I commanded. No, that’s too harsh, I stood my ground and – kindly and with humor – insisted that they do the right thing.
Using Fear, Uncertainty, and Doubt (FUD)
I hate to do it, but I used as much FUD as I could find. I didn’t want to blame the user (read: I didn’t want to lose the client) for their predicament so I couched that in “it’s a big bad terrible world” and “you can’t trust anyone” and “you don’t want to get sued for being careless with others’ privacy.” Once I got the buy-in, I had to make this as easy as possible for the nervous ones in the company.
This is where documentation and templates come in handy. The first item is to prepare folks for the change. They don’t want technical details, they want step by step instructions. And they want hand-holding. So we crafted an email to send them. We considered writing a Word doc, but couldn’t count on them opening it to read. So we put it directly in an email.
Communication is Key
We told them that we were going to make their email more secure, that there had been some breaches and we didn’t want to see the company risking their reputation. We told them that they would have to create new passwords for their email accounts, that they would have to be complex, and that they would have to download an authentication app to their phones (we did not use any acronyms like MFA or TOTP – we only used common, non-technical words). We did have to explain what the authentication app does and why they should make sure to NOT delete it (raise your hand if you’ve tossed your <insert Auth app name here>, forgetting that you needed it for Facebook). We closed by telling them when we planned to flip the switch and that we would be available either in the office or on Zoom during those hours. If I was creative with video, I probably would have done a video instruction on this. That would have been a fantastic tool to give them before the switchover.
Of course, we received zero questions before the change.
Of course, we received more than a few panicked calls after we flipped the switch.
Obviously, we received a couple of calls from people who were completely confused. We patiently walked them through the process and then had them do a password change so they could see the entire process again.
I treated each and every call with patience and care…white glove treatment the whole way. I assured them that, while painful at the moment, they would assimilate the information within a week and it would become second nature to them. Even the technophobes had to admit that it wasn’t as bad as they envisioned.
Doing the Right Thing for the Right Reasons
I suppose the takeaway here is that it’s not always easy for the client to do the right thing. It often takes a crisis to get them to hear what you’ve been advocating for. It is our job as partners and providers to guide them along in the process. It’s important to make them feel like they’re making the decision, even when we are making it for them. It’s valuable to give them choices, so long as the choices you give them fall within the spectrum of the security goal you have in mind for them. And always always always treat their company as if it were your company, that you wouldn’t let anything bad happen to them.
Let’s discuss getting a client’s buy-in on #CyberSecurity over at the JumpCloud Lounge #admin-life channel!