If you don’t know – you better call somebody
I was struck recently by an example of how security awareness affects our lives. I heard a story from a friend about a mysterious phone call he received. My friend works full time as a contractor for a global financial institution based in Switzerland. The caller introduced himself as an employee of the company, and he seemed genuine because he knew the names and positions of people in the company. He created an impression of time pressure on my colleague, pushing him to share names and, preferably, contact details of other people. My friend was confused and therefore cooperative. But when the caller got greedy and wouldn't stop pressing, he said no. He ended the conversation by suggesting that the caller contact someone from his own office instead, and he reported the phone call to the designated security incident mailbox straight away. I think he reacted very sensibly.
Security Awareness Training
This story made me more mindful of phone calls and of sharing data. I stopped answering unknown numbers by introducing myself, and I verified every caller. At least for some time. But recently I attended a security conference, where a speaker from PhishMe introduced me to a whole new universe of Security Awareness Training. I am still dazzled by the information that 91% of cyber-attacks begin with spear phishing. Digging deeper, I found out that my friend's story is not so uncommon, because his caller displayed the same characteristics of greed and urgency that PhishMe describes.
A tweet from the SANS Institute reminded me of this subject again by presenting the new Gartner Magic Quadrant for Security Awareness Computer-Based Training (presented below).
As you can see, there is a wide range of vendors in the market capable of helping you educate employees about information security. And I don't mean theory: they all have ways of applying security to real life, which makes this whole matter really scary. Humans can be either the strongest or the weakest defense against threats, so I strongly encourage you to read more about the offerings of the companies mentioned.
Security training provides another benefit that I find especially important: it helps employees see security policies less as a series of rules restricting the efficient working of the business and more as a factor supporting productivity.
From Caesar's conquests (the Caesar cipher), through WWII ("a careless word, a needless sinking") and the Mitnick era (he is associated with another vendor mentioned above, KnowBe4), to today, it is obvious that protecting secrets is vital to the well-being of organizations. But we are all human: we forget, we are willing to help others in distress, we get impatient, and we need to be reminded of both threats and safeguards from time to time.
If this idea sounds interesting, why not give it a try? Please contact us for a demo or a proof-of-concept workshop.
Please also visit us at Atos Consulting to find out our other focus areas in IAM.
Latest posts by Marcin Lewak
- From Library to Vulnerability: Dependency Security Vulnerabilities Exposure - March 22, 2017
- The importance of Security Awareness - January 30, 2017
- Extending Support Capabilities with NetIQ IDM Workflows Dashboard - December 21, 2016