One of my favorite parts of my job as a CSO is building security awareness amongst my colleagues. I really believe that the time put into good security awareness messages pays for itself many times over, keeping security top of mind and encouraging people to engage in dialog with the Security department.
I’m going to be sharing some of the messages I’ve come up with – they’ve gotten pretty good feedback and might be useful at other companies.
This particular message is meant to alert people to the psychological aspects of security and how con artists use our weaknesses against us. I would classify this as a “broad spectrum” inoculation against things like phishing, BEC and other types of fraud.
So here’s the text, which you are invited to use and abuse to your heart’s content for your security awareness purposes inside your firm:
Why we fall for cons
Today, most of the big computer security failures we read about in the news start out as cons. And that makes sense – getting people to do something to open the door and invite you in is much easier than trying to break in.
The odds are stacked against us because, according to something called “Truth Default Theory,” society would grind to a halt if we stopped trusting people in most cases. Therefore, we are predisposed to trust others by default unless (and sometimes even if) there are really obvious red flags in what they are telling us.
The Financial Times had a great article on this topic this past week called “Why We Fall For Cons” which is both entertaining and educational and should be on your reading list. Knowing the techniques and ploys used by hackers, scammers and criminals will help you protect yourself, your family, and <<INSERT COMPANY NAME>> from their nefarious plots.
Unfortunately, when dealing with email, social media, phone calls, SMS and other electronic communications, we need to suspend our default trust and stop and think about whether what we are seeing is the first act in a con job.
Your common sense is the most powerful protection <<INSERT COMPANY NAME>> has from the kinds of attacks that are most likely to be directed against us – malware, business email compromise, ransomware, and fraud. Security is here to help – call or email us when you are not sure about a communication and we’ll work with you to separate the good from the bad.
Thanks for your help in keeping <<INSERT COMPANY NAME>> safe and secure!
If you decide to use this in your security awareness efforts, I’d love to hear back from you about the reaction you get.