What would be a truly scary computer intrusion? It would have to be something potentially lethal and something we weren’t expecting. Like hackers poisoning our water supply. But the water supply is highly secured, you say? Couldn’t happen, you say? Think again. It just did.
In a US city, hackers turned up the amount of sodium hydroxide that is added to the water. Adding a little is part of normal procedures, but the hackers turned it up to dangerous levels. Fortunately, operators immediately noticed and countermanded the order.
As in almost all disasters and near-disasters, a long chain of things has to go wrong for the problem to occur. For example, you would have to be running an unsupported old Windows 7 installation. Check. You would need to keep remote access software running all the time. Check. You would need to have a widely shared common password. Check. You would need to have no firewall software in place. Check.
If you are a CIO, share the story of this almost-disaster. Security reviews are good, and would have caught most or all of these problems. But security awareness among users is better. Reminding people of the IT policy doesn’t work. But sharing a story of how it almost went wrong might change behavior.