18 Sep Some Good News from Tesla: the benefits of investing in security awareness training
On the 3rd August 2020, Egor Igorevich Kriuchkov, a 27-year-old Russian national, met with an old acquaintance at a bar in Reno. This wasn’t the first time the pair had seen each other. They had met before in 2016 but only had gotten back in touch a month previously. During the meeting at the bar in Reno, Kriuchkov made an offer that would be difficult to refuse: $500,000 to install malware on his employer’s network.
The employee worked at the Gigafactory, Tesla’s manufacturing facility located just outside of Reno, in Sparks, Nevada. Instead of giving in to the prospect of getting his hands on that substantial amount of money, he immediately alerted Tesla about the conspiracy, who then contacted the FBI. A sting operation was launched with the help of Tesla and the employee resulting in Kriuchkov being arrested weeks later in Los Angeles, as he attempted to flee the U.S.
CEO Elon Musk could proudly announce Tesla’s success in thwarting the attack and defeating the cybercriminals. Such good news could only add to the shine on the ‘technology invincibility’ halo around his brand.
Information Security specialists might have a slightly different perspective if they have long memories (in our experience, they really do!). In 2015, Tesla’s DNS settings (important database entries which ensure traffic is directed to servers you control and not servers which are controlled by hackers, for example), were changed by hackers – using social engineering techniques, leading to hijacks of their website and Twitter accounts.
They probably also remember that a Chinese security company was able to remote control driving systems on a Model S, including slamming the brakes on from 12 miles away, back in 2016 (they could open the trunk and make the car change lanes too). A security company that won a competition to hack a Model 3 in 2019 in an event sponsored by Tesla itself. And just to show that it is not only their cars which have been vulnerable to attacks but their global supercharger network was hacked in 2017 by a customer who told them right away what he found he could do. A close escape maybe.
Unquestionably, Tesla has proven to be a high profile target, signifying big kudos to the hackers or security researchers that break-in. But this wasn’t Kruichkov’s motivation. He was part of a hacking group, after a big bucks ransom. The FBI recordings of his conversations had him boasting that they’d already taken $4M from another company recently and were looking to do better with Tesla. They would upload Ransomware code on to Tesla’s computers that would encrypt their data and stop them from being able to function – unless a large ransom was paid out.
Ransomware is a proven technique for criminals. In 2019 it was estimated to have cost $449 million per year for UK companies and an estimated $170 billion cost worldwide when all downtime, clean-up costs and actual ransom payments were taken into account. (We’d offer a side comment that such estimates are notoriously difficult to substantiate, so we’d be happy if you just concluded “that’s a big number” rather than taking any figure too seriously).
Research shows that employees can often have flexible ethical standards and that “doing the right thing” is often subject to what can be gained or the likelihood of being caught.
Had it not been for the rapid response from the employee who alerted the company, Tesla could have fallen victim to a multimillion-dollar security attack. Research shows that employees can often have flexible ethical standards and that “doing the right thing” is often subject to what can be gained or the likelihood of being caught. PWC’s Annual Global Economic Crime and Fraud survey always makes eye-opening reading at peoples’ opportunism.
In the first instance then, our hero is the employee who was approached by the Russian hacker. She or he did the right thing, acting with integrity. They recognised the severity of the attack, they were able to see the significance to the wider organisation, they knew how to report the incident. Was this good luck on Tesla’s part, or was it a planned outcome?
Training staff how to respond in the event of an attack is a must. It is precisely the same reason why airline pilots spend time in flight simulators; it is not so they can learn to fly. It is so they can rehearse failing-to-crash.
As we’ve already demonstrated, Tesla have had many security incidents in the past. It is a familiar risk and once that they had prepared for. We know that they have staff to:
- strategically plan, implement and track security awareness and outreach initiatives
- design, implement and deliver high-quality training and workshops customized to the training audience
- continually assess the organisation’s training needs and provide innovative solutions
Our second hero in this story is the Tesla executive who had the foresight to put budget, resources and priorities into training staff to understand security threats and how to respond to them. Training staff how to respond in the event of an attack is a must. It is precisely the same reason why airline pilots spend time in flight simulators; it is not so they can learn to fly. It is so they can rehearse failing to crash.
Investing in cybersecurity training and prevention involves developing a proactive strategy that understands what kinds of assets are at risk, how they are threatened and what practically can be done to reduce the likelihood of a cyber-disaster. ROI calculations are hard to do because the cost of the training is only offset against loss reductions, which are in the future. But it is very clear that a high quality, engaging and compelling security awareness program can save many organisations multiples in avoided loss.
As Gartner recently advised, having the right team to help you build such messages makes all the difference. A myth that exists in the information security community is that as long as you tell your staff something, you are always improving the situation. However, our experience says that is not true. Many compliance-oriented programs that are long-winded, patronising, dull, full of obligation but without incentive, simply put people off. Instead of having higher levels of security awareness, they become convinced the subject is irrelevant, unimportant and it gets pushed to the back of their minds.
We can draw the comparison with the effectiveness of a pilot whose regular “fail to crash” simulations become instead, a casual browse through a presentation and forgetting everything as soon as the <close> button is pressed. The danger they present is obvious. Having such people in charge of your data, your IP, your commercial negotiations, your R&D projects, your strategy, your Treasury systems is a reckless gamble.
Maybe you can be the hero for your organisation by putting in place the kind of effective security training they have at Tesla? Your colleagues might really thank you too.
Not sure you have engaging and compelling security awareness material? We can help. Get in touch here.