What if the Santa’s Elves knew better?



Untitled-1-3By Joanna Huisman, KnowBe4's new SVP Strategic Insights & Research.  It’s that time of the year again when children all over the world take pause to try and figure out which side of Santa’s list they will end up on…Naughty or Nice! I posed this question to my teenage sons the other day and although I am told they are “too old” to believe in Santa, they did stop for a moment to reflect on the year and determine if the amount of mischief they caused warranted that dreaded bag of coal.

You see, even though their age may automatically eliminate them from buying into the whole sleigh and reindeer stuff, their childish wonder still draws their eyes to the sky on Christmas Eve and leads them to write wish lists that compare in length to the Great Wall of China. I also lob the threat that those who do not “believe” in our home do not “receive”, that generally helps to get them into the holiday spirit.

My 14-year-old then posed an interesting question, he said, “Mom, what if Santa was hacked and all of the kids on the Naughty list found themselves on the Nice list and all of the Nice kids found themselves on the Naughty?” I wondered for a moment if this was wishful thinking on his part, but then thought, “Yeah, what if?”

Knowing that the creative minds behind our award winning security awareness training series “The Inside Man” had to have tackled this topic, I started my search and found this great video Santa Gets Hacked! produced by Twist & Shout, and featuring our own Javvad Malik. I laughed at the sheer terror of “The List” becoming public. But then I thought, how could the Elves and the rest of the North Pole staff have been better equipped? Through, security awareness training, of course.

Elves have many jobs at the North Pole, and in return they get paid in Christmas cookies and get to live at the North Pole for free. Many spend their days making toys for the nearly 2 billion children around the world; some tend to Santa’s reindeer and sleigh, and others help Mrs. Clause bake cookies. One of the highest staffed and coveted jobs at the North Pole is in the mailroom sorting through all of the children’s letters and — as of late — emails. With the volume as high as it is, mistakes can happen. Santa’s CISO needs to implement a comprehensive, continuous security awareness approach which is founded on a combination of security awareness content and frequent simulated phishing campaigns.

Cyber criminals rely on phishing because it works, and it works well. When your organization is compromised, it’s because the attacker did their homework. They took the time to understand the attack surface and what your humans (or in this case Elves) were vulnerable to and then they crafted the best attack to access your organization. You may have invested in the best technology…firewalls, intrusion prevention/detection systems, and all of the tech related things that are considered first…but if you are forgetting about strengthening your human layer of security, that now becomes your organization’s biggest vulnerability.

Think of it this way, it’s close to lunch time and Jingle, one of the Elves, is distracted by the smell of freshly baked cookies lofting through the air from Mrs. Clause’s kitchen. Jingle is reading an email sent by young Travis from South Carolina (or so he thinks) where his big ask is an electric scooter. Travis was also so kind as to provide a link to the exact scooter he wants. Jingle, distracted by his hunger pains, clicks on the link which contains malicious code. Jingle, we are now off to the races! Cyber criminals understand that attention spans are fragmented and that by being persistent, over time, they will be successful.

If only Jingle had the right security awareness training coupled with the necessary frequent simulated phishing campaigns, Jingle’s reaction would be to stop and think rather than to fall into Travis’ trap.

Interested in what happens after the hack? Check out Twist & Shout’s Santa Gets Hacked 2: The Aftermath!


Topics: Phishing

Subscribe To Our Blog


Domain Spoof Test Contest




Get the latest about social engineering

Subscribe to CyberheistNews