The story of Mary

Good information security isn't just about the 1s and 0s


Not too long ago a colleague shared with me the story of Mary. It wasn’t that surprising. I’ve heard of stories like hers for many years: smart lady, up-and-comer who had been working at a mid-size pharmaceutical company for more than a decade. She started there, fresh out of college, and had just been made the VP responsible for mergers and acquisitions.

In her new role, Mary focused her attention on identifying businesses that would help round out her company’s product portfolio or that might help them grab bigger pieces of their market. With her growing responsibilities came a greater degree of trust and access – trust in her from the business, and access to more confidential information. What also came with her promotion – but which she wasn’t aware of – was a growing target painted on her because of that same trust and access.

Mary “got” information security. She diligently completed her company’s security awareness training and always caught the phishing emails that either slipped through their defenses, or that were pushed through as part of their training. She never left her laptop locked in her car or left on her desk when she raced home at night. She was vigilant because of the responsibilities of her job, as well as because it was in her nature.

Mary spent a lot of time on the phone speaking with her CEO, general counsel, CFO and other business leaders in her company and at those she was evaluating for purchase. “A good deal doesn’t get done on email,” she was fond of telling her co-workers. And it was true. So as Mary was waiting on her delayed flight to board at Newark International Airport one day, she decided to squeeze in one more call to try and finalize the terms of a merger that was coming together between her company and a competitor. What Mary didn’t consider, as she was singularly focused on that conversation, was that she wasn’t alone in her conversation. Sitting near her, and listening to every word she said, was a financial reporter from a well-known business website. He put two and two together pretty easily. The pending merger would not be a secret for long.

You can use your imagination to guess what happened next. The story of the pending merger, which Mary had finalized on the call that day, broke online within 24 hours. Investors and speculators climbed all over the stocks of both companies and the fallout drastically changed the financial dynamics, effectively killing the deal. In the end, Mary’s company calculated that the failed merger attempt cost them $12 million, not to mention the lost market opportunity and value that the merger would have created. No one was ever able to tie the leak directly to Mary, but since there were so few people involved in the negotiations, there were assumptions made. Mary’s career stalled after that.

As I sit here in the airport writing this story down, I am surrounded by literally dozens of businesspeople deep in conversations on their phones. (I particularly appreciate the businessman screaming at his lawyer for the past 20 minutes like no one else is around.) Do you really want me, or anyone else, listening in on your conversations? Just remember that information security isn’t always about 1s and 0s.
