In my first article on South Korea I looked at some unique solutions to protecting citizens and businesses from the cyber threat. In this second article on South Korea I look more closely at how corporate culture relates to cyber-crime risk in South Korea, both in the context of social engineering attacks like phishing and in how it links to insider threats and account permissions creep. Are there lessons to be learned from how corporate culture affects our company's security?
Korean corporate culture is very different to what we encounter in the Anglo-American sphere. For a country continuously reported as being on the brink of annihilation by its northern neighbour, South Koreans seem remarkably warm, friendly and trusting people. In part this is probably due to the low levels of physical crime in South Korea. It stands to reason that in a society with little fear of crime, there should be less reason to believe all people are not genuine and trustworthy.
Theft in particular seems less of a concern. Whilst looking for a bike to rent for the day, I couldn’t help noticing that scooters and bikes for hire are often left on the street with the key in the ignition! When I asked for a bike lock they didn’t know if they had one and, if they did, where it would be. I rented the bike for roughly $6, with no deposit, no ID and no contact details. After all, why would I not be trusted to bring that bike back?
Trust, loyalty and company hierarchy
One key concept that I found interesting was the principle of Inhwa, or harmony when it comes to keeping consensus:
“They do not want to hurt the harmonious environment by giving negative answers or refusing others to cause face losing. Inhwa usually exists in unequals of rank, prestige and power. In the business world, this term requires that subordinates be loyal to their superiors and that superiors be concerned with the well-being of subordinates” (Alston, 1989)
You get a sense of this desire to maintain harmony in your everyday dealings with Koreans, and where there is no underlying disagreement, this makes it a very agreeable place to be!
This desire for harmony is combined with a corporate culture of loyalty. They are committed to their company and the boss they work for. This loyalty can be very extreme: for example, recently the vice-chair of a major Korean company (Lotte) apparently committed suicide to cover up his boss’s illegal activities. This type of corporate culture means perhaps that the "lessons learnt" part of the post-attack process doesn’t happen as fully and transparently as it should.
The importance of corporate loyalty is perhaps unsurprisingly tied closely to a rigid and hierarchical corporate culture. Challenges to a superior’s decision, even a bad or illegal one, are infrequent. Despite legislation to the contrary, whistle-blowers in South Korea are often quickly released from employment.
In the context of phishing or social engineering in general there are a lot of alarm bells here. These characteristics are ones which are being exploited in the current global phishing epidemic. If there was a culture that looked even more susceptible to social engineering than in the UK, this could plausibly be it.
In Korea, an attacker purporting to be someone's senior manager would be even less likely to be challenged than in the UK. Employees will follow managers' orders without pause or exception (pausing in Korea can indicate a lack of willingness to do something). This means a malicious email apparently from your Korean boss telling you to click a link, input your logon details or transfer $50,000 would be likely to be carried out immediately, increasing the likely success of a spear-phishing or whaling (spear-phishing of company executives) campaign. Then, after you realise your mistakes, any subordinates you have may help you cover it up or take the blame themselves!
Whilst there is little evidence of specific phishing campaigns in Korea, there have been a large number of corporate corruption scandals in Korea which have arguably been made easier by the same factors: unwillingness to appear disloyal or challenge superiors, and a desire to maintain harmony.
The principle of “Least Privilege” is a core tenet of information security: people only need the access and permissions required to do their job, not admin rights to all departments from marketing to payroll. Least privilege is hard to maintain in any corporate culture where managers rise through the ranks, gaining increased network access role by role. Another good reason to target senior management with a spear-phishing attack!
The issue of permissions highlights the difficulties IT professionals have in pushing change up the corporate chain of command. In Korea, age traditionally equals authority, but as we all know it doesn’t necessarily equal knowledge, especially when it comes to IT. This could mean that IT professionals have a harder time convincing the directors to implement change or, for that matter, restrict their privileges.
I got a lot of questions from followers before I left for South Korea around what their level of insider threat is. I would say in terms of malicious insiders it would be far lower than the UK. This is in part because of their level of loyalty and commitment to their employer, and because they seem to move employers with less frequency than us. The latter point is also relevant to the stealing of information by employees to bring to their next employer. It is asserted that this practice is so common in the UK and US that employees that don’t do it are in the minority. With that said, it is unlikely that you would hear about it if it did happen in Korea. The only exception to this is defamation. There have been occasions in Korea of employees posting defamatory comments about fellow employees online, often to improve their chances of promotion. Defamation is a crime in Korea, unlike the UK. I think that the risk of the accidental insider, however, is as great if not greater than the UK, especially with regard to CEO-style fraud attacks, for reasons already listed. Few companies like to air their dirty laundry in public. However, there are circumstances in which the stealing of information must be reported.
Essentially these observations point to potential attack vectors in company security similar to those found in the UK and elsewhere; it is important to ensure our own house is in order!
South Korea, like most of the developed world, got hit by the WannaCry ransomware. The Korean Government claimed only 9 cases were reported. How it was dealt with makes an interesting case study in incident management. The Government and media response was proactive and institutions appear to have reacted appropriately, in many cases by temporarily blocking access and patching vulnerable systems. Unlike the UK Government and law enforcement, who opted for high-level advice, the Korean Government gave out specific advice and guidance to citizens and businesses. Whether you see this as positive or negative I will leave up to you. Many Korean businesses put in place a blanket ban on internet access for staff, as a preemptive measure. Without knowing more about their vulnerabilities it is hard to know whether this was a proportionate response or an over-reaction.
The emergency alert infrastructure discussed in the previous article was used to warn all citizens of the WannaCry risk and what they should do. Messages were also displayed on all public Wi-Fi networks. The Government claimed the rationale behind this was to get the message out faster and with the correct advice on what to do, as well as to stop any potential misinformation being handed out by the media. Some of this protection advice included which ports to block, what to do if you find a device infected and where to get various patches. They also advised putting email filters into "paranoid mode". There was also a plethora of advice put out on how to do these things for people and businesses who do not have access to a skilled IT team. It is difficult to assess whether this stopped Korea being hit harder, but their proactive and consistent response should be applauded and could have helped many Koreans stay safe. It should also be noted that the nine cases reported might just have been the tip of the iceberg as, like the UK, they have issues with under-reporting of cyber crime cases.
My time in South Korea was incredibly rewarding. I learnt a great deal about their fascinating culture and their unique solutions to dealing with the cyber threat. Their Government's proactive approach to combating cyber crime was refreshing and is perhaps one of the only positive things to come out of having an aggressive northern neighbour.
What experiences do you have of innovative cyber solutions in other countries? I would love to hear about them with a view to writing a report on novel strategies on cyber security around the world, credited to you of course!