Try a little kindness
Not too long ago an acquaintance sent me a frantic instant message. She thought she might have accidentally downloaded malware after clicking on an attachment in an email—from a company she had worked with in the past. Not quite knowing what the email was about, she opened the email’s attachment, but the PDF, once opened, was blank. She thought it was odd but paid it little mind until she read a news story about a phishing scam that targeted customers of that same company. When she received a second email from that vendor, also with an attachment, she immediately thought she had done something wrong (though she didn’t click on the attachment the second time). This happened on her work-provided laptop so she worried that she had not only “screwed up” but that she was also putting her whole organization at risk.
Her instant message to me was to ask what she should do—how should she check for the presence of malware? What should she tell her boss? What would happen if malware had been dropped on her machine? Knowing enough to understand that phishing can lead to malware, and that malware is bad, but not enough to know how to handle it—and not being able to take back her error—she endured long moments of panic as she ran a Malwarebytes scan and waited for her IT team to take a look at her computer.
As it turns out, although the vendor involved was indeed used as the “sender” for a real phishing scam (likely because they’re well known and send PDF invoices to actual customers), my acquaintance’s Malwarebytes scan and her IT team’s evaluation showed no presence of malware on her machine. She’d skirted becoming a phishing victim by the skin of her teeth, but she told me she still felt “stupid.” I told her to change all her passwords as a precautionary measure and not to sweat the small stuff, but the incident highlighted something very important about information security: Although infosec (or cybersecurity, as it’s known to many) has become common nomenclature, people outside of security and IT remain cowed by security teams and practices.
To a large extent security teams have brought this conundrum upon the profession. For many years security practitioners treated users as a known adversary. The default answer to any question from a non-security pro was always, “No.” Basic inquiries about how to deal with minor technical issues were met with disdain. Even though attitudes have shifted somewhat over the years, the security department still isn’t known for its warm, welcoming approach when dealing with customers (a.k.a. non-security computer users). Pile on the inevitability that the rank and file generally don’t talk to security unless something could be awry—which means the user probably has a guilty conscience to begin with—and now you’ve got a gun-shy user approaching a gnarly security pro who just wants to be left alone to read the latest news on WannaCry.
As with my acquaintance, most users want to do the right thing but are afraid of the shame that accompanies delivering (potentially) bad news to the security team. Erich Kron, Security Awareness Advocate at KnowBe4, points out that, “As technical people, we sometimes forget that users probably don't live their lives surrounded by technology the way we do. Users are often very intelligent and experienced in their role; it just happens to be in a different domain than ours.” It can be hard for anyone who is a subject matter expert to step back and remember that if someone is neither immersed in nor inclined towards that same field, it doesn’t make that person the office dummy. Yet that’s frequently how we in security treat users. We talk about how people are the “weakest link” and “you can’t stop stupid.” This kind of talk isn’t as prevalent as it was half a decade back, but the undercurrent remains. When working with organizations on their awareness training, Kron always makes a point of emphasizing, “I have coworkers that can run circles around me in Excel and PowerPoint but are not at all savvy in email. If I needed help building a presentation or working on a complex pivot table, how would I react if that person treated me like an idiot in front of my peers? I would not expect them to do that to me, so I won't do it to them.” In the heat of the moment, when malware is taking over, it can be hard to take a breath and not panic, but that’s exactly what the customer service aspect of security’s job demands—and that is (regardless of what the Indeed.com job description says) the main requirement of the role: keeping users, and the technology and data with which they interact, secure.
Kron says, “Inevitably employees are going to fall for a phishing email. It does not make a difference if this is a real phishing email, a simulated one, or a false alarm. In almost all cases it is important to avoid shaming the user.” When phishing rears its ugly head, it’s important to remember that there is another human being involved. Take the time to explain what that person could have done to detect phishing on his/her own, and do so in a private, non-threatening environment. Public shaming is rarely effective, and will likely only serve to prevent the person from approaching the security team next time. (And isn’t it better to know earlier rather than later if you’re dealing with a potential security event?)
Kron points out that a one-on-one, encouraging conversation “requires very little effort” on the security practitioner’s part and should result in a more knowledgeable, helpful end user. “If you shame that person,” warns Kron, “the opposite is likely to occur.”
At the end of the day, the more external advocates the security team can recruit, the more secure the entire organization will be. This is the premise of the security awareness and training programs we hold for employees and colleagues, yet once training is over, security practitioners often forget this basic tenet. When a user approaches you with a potential security issue, consider how you would react if you were treated as though you had just destroyed the entire company, and then turn that predicament on its head. Customer service is an important aspect of the security role—don’t forget that, and you will de-escalate many high-tension issues and improve overall organizational security at the same time.