The Ultimate Cyber Security Tip

Javvad Malik | Oct 23, 2020

It’s Cyber Security Awareness Month, and security advice is flowing from all corners of the web to help your users stay secure. However, all this information can be overwhelming for some, so the question is: can the advice be boiled down to a few, or even one, pearl of wisdom for your users? I think it can.

Check out this video explaining what I consider to be the ultimate cyber security awareness tip:

It’s important to understand how most attacks are formulated and executed. Social engineering attacks play on emotions. When your users receive a phishing email, it’s never a polite, relaxed email that asks them to reply whenever they get a chance. No, it’s something designed to instill fear, convey a sense of urgency, or appeal to curiosity or greed.

The old tailgating trick, where an attacker carrying two cups of coffee gets your users to hold the door open for them, relies on the empathy we feel towards others. Ultimately, cybercriminals rely on manipulating the inherent humanity within us. So the answer is simple: show less empathy, care less about others, don’t make other people’s issues your concern… in other words, just be rude.

Now, I’m not talking about your users throwing their phone at a personal assistant who bought them coffee with the wrong kind of milk in it. I mean following processes without letting emotions get in the way. So, let’s consider the following scenarios:

  1. You’re entering your workplace and a “colleague” is behind you. Let’s say she’s pregnant, holding two bags, flustered, and struggling to find her pass. The nice thing to do would be to hold the door open; I mean, what kind of monster wouldn’t hold the door open?
  2. Someone senior in the company emails you frantically asking for help: they need you to authorise a payment to a new partner to close a deal worth millions. Of course, the nice thing is to be a team player and help them out. We’re all team players, after all.
  3. You receive a serious call from “IT” saying your computer has an issue that needs to be resolved immediately. They ask you to download software, or worse still, hand over your password. You wouldn’t want to be the cause of the whole network going down, would you?

I’m sure you see the problem in these somewhat simplified examples. If you and your users followed your instincts and acted like nice people, you could fall victim to a social engineering attack. But on the other hand, if you went full grumpy-old-man rude, akin to Clint Eastwood, you’d be slamming doors in people’s faces, deleting important emails, or causing your organisation’s network to shut down.

So clearly, the answer lies somewhere between being sweet as apple pie and rude as Clint. 

[Image: rudeness vs. security tip example]

This is what I like to call the “gangsta gran zone”. It’s like your gran, a sweet lady, full of love and empathy, but one who doesn’t suffer fools. 

So the advice is simple: be as rude as you need to be. If we revisit our scenarios and you reach the door with your colleague struggling to get in, stop and be supportive and kind, as if they are genuine. But don’t give them a free pass. Offer them a seat, a glass of water, carry their bags. Escort them to security, or wait with them while they find their pass. There are many options you can explore without letting them through the door unverified, or leaving them to fend for themselves.

If it wasn’t already obvious, the examples listed are meant to be tongue in cheek, but it’s important to remember that cybercriminals are not nice, and they will stop at nothing to get what they want. If someone asks you or your users for something on the phone or over email, refer them to the policy. Follow the correct procedure and safeguard your own actions and the organisation overall. It’s not that you want to be awkward or deliberately rude, but you need to find that balance so it’s less likely that someone will be able to take advantage of your kindness and willingness to help. Stay gangsta, gran!
