There are many great things I can say about my time at KnowBe4. Colleagues are fun, approachable, witty, and have a phrase for most eventualities. The phrase that goes around in my mind the most whenever I receive an unexpected email is, “When in doubt, PAB it out.”
The Phish Alert Button (PAB), is an add-in for your mail client that allows you to quickly and easily report suspicious emails. So, any time I receive an email that could potentially be fraudulent, I hit the PAB button. It then disappears from my inbox and goes over to our well-trained security team that conducts a quick forensic investigation and either thanks me for my ability to spot a malicious email, or returns it back into my inbox, giving it the all clear.
The PAB makes me feel part of the security team, but without the responsibility. It’s a win-win. But I do vividly remember receiving my first phishing email and being fairly convinced that it was indeed a phishing email. And I hovered over the PAB for a long time, not sure if I should click it.
I mean, what if I was wrong and it was a benign email, and I would have wasted the time of my security colleagues? Even worse, how could I, Mr CISSP, of all people be so ignorant as to accidentally mark a legitimate email as a phish?
But then I was told the story of a girl named Tilly Smith. At 10 years old, Tilly was on holiday with her family at a gorgeous place named Mai Khao Beach. One day, when walking along the beach, Tilly noticed the tide had gone out far. A lot further than it should have, and the water had turned frothy.
A few months earlier in geography class, her teacher showed the class footage of Hawaii in 1946. It was the only film anyone had seen of a tsunami. Tilly became hysterical, convinced they were about to experience a tsunami. A word that meant very little to her parents or any of the lifeguards on the beach. She began to yell and cry, trying to convince her parents that they were in grave danger. Her dad had to make the choice of either listening to his daughter who was spouting stuff he had never heard of, or take her back to the hotel until she calmed down.
He decided he had to take a chance. If nothing happened, then he would be embarrassed, and probably would have to buy everyone drinks for the rest of the week. But if a tsunami did hit, and he had said nothing, the regret would be too much to bear. So, he told the security guards, the lifeguards and anyone who would listen. Eventually, the beach was cleared and everyone went back to the hotel and climbed to the third floor.
It wasn’t long before the first of three giant waves struck not just their beach, but beaches all over South East Asia. It was the Boxing Day tsunami of 2004. By the end of the day, the tsunami would have killed a quarter of a million people on beaches in 13 different countries, with the exception of Mai Khao Beach in Thailand. All because a 10-year-old girl was not willing to let embarrassment silence her.
I think about Tilly nearly every time I hit the PAB button.
If you’re an employee and you see anything suspicious, raise it with your security team, even if you don’t have a PAB button. You could prevent your organisation from becoming the next headline victim of a ransomware attack.
And if you’re in charge of security at your organisation, create a culture of openness and give the tools and mechanisms for your colleagues to reach out and voice their concerns. Save them from embarrassment and regret.