Let’s see now, over the last several years working in IT Security and Security Awareness a few things have become crystal clear:
- Technologies are super easy to patch, you just need a process and a little buy-in. After patching the risk is minimal.
- People can’t be patched, even though sometimes we really wish they could be. After security awareness training the risk is still present, albeit hopefully minimized a degree.
- People need to be aware of security at all times; it has to become part of the business culture. Worrying about end users is what keeps me up at night: our business is one click away from losing brand reputation, money, private information or even (swallow hard) the IT Security guy’s job. Generic security awareness is not good enough.
What if we security practitioners could keep security on the minds of employees all the time? What if there was an easy way to keep people focused and thinking about the dangers of phishing emails, malicious websites and generally being more pro-security? Sounds great right? Where do I sign up? Haha! If it were only that easy!
Combining that need with some of the motivators I’ve experienced over the years gave me an idea: what if the ‘free stuff’ phenomenon could actually drive down my phishing click rate? Jeez…if it worked it would solve one of my main problems with security awareness (the ‘awareness’ part for about 10% of end users) and do it in a way that is positive all around! Although it’s in its infancy, I’ve been experimenting with this new method of ‘security through free stuff’. Here’s how it works:
At security and IT conferences, I collect as much schwag (free promo materials) as I can, looking especially for the nice stuff (no offense to the pen-peddlers, but you guys really gotta up your game). You know, T-shirts, cool laptop stickers, flashlights, Rocketbooks, light sabers and other geeky stuff and gadgets. Sign up for it all! (Then screen your calls for the next year…) Then when I get back to the office, I give that stuff away like it were Aunt June’s fruitcake, but only after sneaking in a learning experience for unknowing end users. For example:
A recent email I sent to the IT group: ‘You can win this new cloud shaped stress ball, laptop sticker, pair of earbuds and a multi device charger if you answer the following question: “According to Verizon’s 2017 Data Breach Executive Report, what percentage of breaches were caused by weak or stolen passwords?”’
Have the target audience send you the answer and raffle the schwag: keep track of the names in a txt file, then paste them in and randomly select a winner on a random selector site like http://www.miniwebtool.com/random-name-picker/. In this case there are actually two answers, although they are very close to each other (probably a rounding error!). But for those who give two answers, you have to assume they read the article fairly closely. winning…Winning…..
Another idea is to have people reply with one security issue they have noticed in their work environment, and have each offer a possible solution to mitigate it. This could work great for an IT team, because we all know of one area or another where there is a hidden risk that others may not be aware of. It also gives the security guy insight into the inner workings of every IT employee’s area, including the risks and potential threats in their environment. Mmuuhhaahahah! Now you are getting it, right?
The great thing about this is it’s fun, it’s free and it disarms those people who are already grumpy about security by giving them something of apparent value for FREE! The psychology behind this is fascinating. Check out Rick Paulas’s column entitled “The Strange Effects of Free Stuff: How the Allure of Free Tricks Your Mind into Accepting Irrational Options”. In that article he talks about the ‘Zero Price Effect’:
“When people are offered something for free, they have this extreme positive reaction that clouds their judgment.”
Haha! Clouds their judgment! Hey, if that helps someone to NOT CLICK something, I’m all for it!
Hey y’all…if you’ve made it this far, maybe you’ve got an idea or two to share! Share your ideas and suggestions below! Or if you would just like to send me some schwag and help the cause, contact me privately: nerd at nerdosaur.com!