From Victim to Security Champion

As we move through October and National Cyber Security Awareness Month (NCSAM), I wanted to share reflections from a past experience with a friend who was targeted remotely. 

A lot of people judge others harshly when they fall victim; I tend to view this as that individual gains a significant degree of awareness and has the potential to transform from victim to security champion.

The victim, my friend, wrote to me to say: Before today, I didn’t even know what Social Engineering was. I quickly found out when I walked into a trap set by some very bad people.

It started innocently enough when my friend tried to login to their online banking account, something they had done regularly in the past. The site looked no different. The bank logos and login looked real. Suddenly a warning flashed on the screen and it said, in BIG, angry RED letters, something about their login and accounts being compromised and that they needed to call the bank’s technical support number right away.

They were freaked out by the message and were in panic mode, so they called the number. The person who answered was very professional, said all the right things, and was going to be the savior who would make everything right again. Eventually, my friend got suspicious but not before they had given the person on the phone access to their system.

As security professionals, we know that this was a huge mistake, but an average user would react exactly in this same way. And it’s a reasonable human response when you assume that you’ve broken your expensive computer or left yourself vulnerable to harm.

By then, my friend knew that they had made a mistake and they assumed that their bank account was being compromised. They then put the phone down and submitted a helpdesk ticket. By then, their system was locked and shut down.

Now they knew that they were psychologically manipulated into allowing these attackers into their system. They told me that the next 24 hours were the most embarrassing they had ever felt. They were forced to really think about what had happened when all they wanted to do was disappear into their humiliation. To make matters worse, they had to answer to the CSTO at their company and work without a system.

In my role at Cylance, I have on occasion dealt with similar situations. While it is often easy to default back to the usual ‘blame and shame’ games, I see these as opportunities. If the person realizes the consequence of their actions, takes ownership of their part in the event, and learns from it, I think they become a security champion. 

I am not saying they won’t be a victim again, but their experience shapes their perspective. They become a bit more diligent, and over time, became an evangelist with their peers when they are comfortable sharing their experience.

Everyone thinks they are security-savvy and this would never happen to them. It does and it could.

If something like this happens to you or someone you know, you need to report it, immediately. Being compromised sucks; but taking fast action not only reduces the potential damage, but empowers you.

Some key takeaways:

  • If you ever receive a message from any external source (phone, email, popup, instant message) telling you something is wrong with your system, do not take action. Politely disengage with them and contact your helpdesk for follow up.
  • Calm heads prevail. This technique is designed to unsettle you. The language, the color of the text, the popups. The attacker wants you unsettled, panicked, and mentally vulnerable.
  • Whether you work onsite, remote, or are traveling, never allow outside support teams to access your computer without approval from the organization who issued you the device.
  • If you keep these things in mind, and share these tips with your employees, friends, and family, we can help stop attackers from taking advantage of our natural human instincts – and we can turn from victims to security champions.