I recently read a story about a South Korean telecom company that pushed out malware to over 600,000 of its customers who were using torrents to share files, in a bid to limit their file-sharing capabilities.
Users reported that their files went missing, random folders appeared, and in some cases, their PCs were disabled.
Honestly speaking, when I first read the story, I chuckled a bit and referred to it as "next-gen, host-based throttling", which had all the benefits of killing the service that was putting a load on the network while maintaining all other services.
However, upon digging a bit deeper into the story, it appears that KT, the South Korean telco, didn't just randomly push a small bit of code down to their users. An investigation has reported an entire team at KT dedicated to detecting and interfering with file transfers, with some workers assigned to malware development, others to distribution and operation, and others to wiretapping.
A setup like this goes way beyond mere throttling of a service; it's one step away from a full-blown criminal enterprise. The key issue here is the installation of any kind of software on a user's machine without their knowledge or consent.
More importantly, a setup like this isn't something that happens in isolation. This isn't a case of a couple of rogue insiders; it's a concerted effort by the organisation, with executives either being active participants or willingly turning a blind eye to the activities.
This showcases a poor security culture across an organisation, where the development and distribution of malware is considered an acceptable way to manage bandwidth challenges. While the intent may have been good, the execution of the idea was terrible and opened the organisation up to legal challenges.
That's why fostering a strong security culture isn't something that happens overnight, nor does it happen in isolation. It is a conscious and sustained effort. As John Childress says in his book Culture Rules, "you get the culture you ignore."
Imagine seeing an athlete: lean, strong, full of energy, and with endless stamina. You wouldn't assume that becoming an athlete was an accidental thing that just happened. You'd know that it took dedication, discipline, and many, many hours of repetition to get where they are.
The same applies to culture. Unless you work on it, your organisation will end up unfit and spreading malware like it's business as usual.