Everyone makes mistakes, but do they know it or know what to do next?
When I realized I did something “stupid”, the important question was, “What do I do next?” I figured it out. Can your users?
Over the past month, there were countless news stories highlighting a new scam where criminals call random telephone numbers, and a recording begins the call with, “Can you hear me?” The scam then records you saying, “Yes,” and the criminals use that recorded yes to claim you agreed to buy a product or service, and bill you for it. The advice for people was to hang up immediately. I thought there was no way I would fall for this type of scam, and that I would just hang up.
One recent morning, I was sleeping in and received a call. There was some basic introduction, and then the caller said, “Did you vote in the last election?” In my drowsy state, I said, “Yes.”
I quickly realized that I might have fallen for the scam I thought I would never fall for. My immediate reaction was to dial “*57”, which records the last incoming caller so the record can be sent to the police. I then called the number provided by the service to record it.
I spoke to the representative, who told me that the carrier does not perform third-party billing. So, if the criminals try to charge something to my account, the carrier will not bill me for any charges. If they try to bill me through some other means, there is a record of the potential fraud with a possible way of tracking the criminals.
Whether or not the call I received was a version of the scam, it does lead to a few important questions.
First, does your awareness program provide specific examples of what to avoid, or does it provide blanket guidance for how to behave? In this case, while the call was not the predefined scam, what I experienced had the same effect. Does your phishing training teach people how to recognize your simulated phishing messages, or phishing messages in general? Does your social engineering program teach people to recognize specific scams, or scams in general? You need to be very sure you are teaching people the right things.
Second, can your users detect that they have fallen for some type of scam? You need to consider whether your training is too narrowly tied to particular attacks. If you use specific examples, you need to ensure that users can generalize from them and broaden their perception of attacks.
At the same time, can your users step back and review events to see if they fell for an attack? Sometimes, being victimized is not inherently obvious. It may take some reflection to realize that they were either a victim or enabled an attack. This is situation dependent, but it is important to consider the concept for your organization.
Lastly, would your users know what to do if they believed they had detected such an incident? Clearly, if you are in an organization’s security department, the desired action is for the user to report the incident to you. However, in order for that to happen, the user has to know how to report a potential incident and, most important, feel comfortable enough to do so.
Making sure people know how to report an incident should be simple to accomplish. However, in this case, you must ask yourself whether a typical person would consider this a physical security or a cybersecurity incident. Do you provide a single contact to triage any potential security-related incident? You need to make reporting easy.
However, even if it is easy to report, that is irrelevant if people will not report potential concerns. Consider that people might not be motivated to report incidents in the first place. Generally, reporting any potential incident should be treated as a requirement, but that requirement is not always obvious to users. They might feel they are bothering people and being overly paranoid. They might feel stupid if they report something that turns out not to be a valid concern.
More important, they may feel stupid reporting that they fell for an attack in the first place. Consider the irony that the impetus for this article is my admitting that I might have made a mistake. I, however, realize that everyone makes mistakes, and I am not embarrassed to admit it. The average user does not realize this.
Possibly more relevant is that a person might believe they will be blamed and punished for failing. They might be afraid of repercussions. If they believe they are the only one who knows about their potential error, they may want to hide the mistake.
In the awareness field, the focus seems to be on making sure users know how to protect themselves and not fall victim to attack. All too frequently that focus is on protecting against specific attacks, and not on general guidance, as I previously detailed. That must change.
However, just as important, awareness needs to cover detection and reaction. But remember, even an aware person will not react appropriately if you do not have a supportive environment. People will make mistakes, and they should feel comfortable admitting it.