This is a story about security awareness advice by Javvad Malik, Lead Security Awareness Advocate at KnowBe4, the world’s most popular security awareness and phishing platform. Savvy is a leading channel partner with KnowBe4, helping legal industry prevent security breaches and cyberattacks.
In this article, Mr. Malik suggests that tactics used to prevent in-person security breaches (home burglaries, convenience store robberies) are also helpful in preventing cybercrime.
Contact Savvy if you need any help keeping your firm safe from cyberattacks. During the month of October, we are offering all new clients 5% off their first year with any KnowBe4 product or service.
Unconventional Security Awareness Advice
October is Cybersecurity Awareness Month, and you are undoubtedly being bombarded with some fantastic security awareness advice on how to stay cyber safe.
All the advice means well, but simply put, it all becomes a bit same-y after a while. Hover over links, verify who sent you the email, don’t send $2k worth of gift cards to a recently departed relative you didn’t know existed.
While all of this and more is good advice, I’m a firm believer in teaching principles as opposed to lists of things to do and to not do. These are principles that I believe can help anyone become more security savvy.
How many times have you seen a movie, or a video game where you have to sneak past a security patrol and managed it without breaking a sweat because the guards’ movements are completely predictable.
Criminals need their targets to be predictable. Knowing how the victim will respond gives criminals the upper hand.
Imagine an army moving in a predictable manner. The opposing troops would know exactly where the enemy will be, and at what time. Giving them enough time to prepare a trap, have a cup of tea, win the battle, and be home in time to tuck the kids into bed.
The best way is to be completely random. Reply to emails at odd hours. Sometimes answer your phone within 3 rings, and other times just let it go to voicemail to make a point.
I’m not suggesting you be unhinged, there’s a fine line between being unpredictable and unhinged. I’m not exactly sure where that line lies. But it’s there somewhere. Personally, I’d err on the side of unhinged than become a victim to a cyber criminal.
One of the biggest traits criminals seek to leverage is our natural tendency to be polite and helpful.
If you see someone struggling to open the door because they are holding several cups of coffee, we will hold the door for them. If someone looks like they belong in the office, we will leave them be, even if they aren’t wearing a badge.
It’s because of this that we hear of incidents where criminals dress up like an employee, walk into a store, smile at everyone, pick up the cash register and walk out without one eyebrow raised.
The best defense in these situations is to just be rude. I’m not saying you go out of the way to yell at people or use it as an opportunity to tackle your boss to the ground.
But if someone walks up to the door with two coffee cups. Just say you need to see ID before you can let them in. Who cares if they get annoyed. Someone looks out of place in the office – just ask if they’re lost.
When the CEO emails you at leaving time saying that they need you to urgently send 25k worth of gift cards to secure a deal. Just reply with the meme of Dr Evil saying, “How about no.”
Report it to security, smile and walk home knowing you are nobody’s PA. Even if you are the CEO’s PA, because you have boundaries.
Design Your Secure World
One reason we all fall into insecure habits is because security is often seen as a hurdle. As humans, we tend to be lazy and if we see something that even remotely resembles a hurdle, we wave our white flag quicker than the French army.
Whenever I want to go for a run in the morning, I find it easier if I lay out my running kit at night before I go to bed. That way when I wake up, I have fewer things to think about and can simply put on my gear and go for a run.
Similarly, think about what stops you or your colleagues from practicing good security, and design your world around it. You’ll be surprised as to how far a little bit of peer pressure will take you.
If everyone starts locking their machine when walking away from it, all of a sudden, the new person will also start doing it – regardless of whether they fully understand why. After a while, that becomes part of your company culture.
Become an Informant
The word snitch has bad connotations. If someone is referred to as a snitch, you immediately think less of them and mutter, “snitches get stitches.” But say that you’re an informant, and people will sympathize with you. After all, you’re probably putting yourself in harm’s way to ensure a criminal kingpin is locked away.
Thankfully the corporate world isn’t quite as dramatic and if you have a cybersecurity team, then absolutely report everything suspicious to them (or the appropriate team).
If you receive a strange email, forward it to them. An unexpected SMS, pass that on to them. Found a USB on your desk, give it to security. They are the ones whose job it is to determine if something is truly bad or not. You probably have better things to do than to try and forensically examine a USB drive to see if it has malware or if your laptop is sending a beacon out to North Korea every 5 minutes.
What’s the worst that can happen? The security team will simply return your email or USB or whatever it is and say it wasn’t malicious, but will thank you for your continued vigilance… and who doesn’t like to be thanked?
The four things you need to think about to become more secure and allow you to become the best version of yourself are to: be unpredictable, be rude, design your world to enable security, and become a snitch.
Contact Savvy if you need any help keeping your firm safe from cyberattacks. We have access to many free assessment tools that can help you identify and solve your biggest cyber attack concerns. (For example, learn how many of your employees are phish-prone with this free test. No need to talk to anyone; just download and run it!)
Javvaad Malik is a security awareness advocate for KnowBe4, a blogger and co-founder of Security B-Sides London. As an active blogger, event speaker, and industry commentator, Javvad provides the industry’s prolific video blogging and signature fresh and light-hearted perspective on security.