If you have a very limited budget and you can only focus on one security awareness activity focused on the message, on one behaviour, what would it be?
Tough question. It was asked by Dr Jessica Barker during the last (ISC)² Secure Summit in Amsterdam. There were hundred of security professionals in the room. The answers were quite classical at the start: Passwords, phishing, trust, and so on.
The best suggestion, from my point of view, was this one: Ask for help!
Too often, users don’t ask for help. Likely because they don’t want to lose time waiting on the line while calling the helpdesk or they don’t want to look stupid (and there is probably a lot of other reasons and a mix of it). But security has become an increasingly complicated matter over the years. Hoping our end-users will become better or as good as security professionals might be wishful thinking (although in some cases, average users are better than most security professionals in some security-specific tasks, I’ll come back to that another day).
So, “Ask for help”, is the most reasonable action to ask our users. It is something they can easily understand, it will cover a large panel of situations and probably increase your reaction time and decrease the number of incidents.
Of course, you need to make it easy (simple phone number, easy to remember the email address, one button to click in an email to signal a fishing attempt), responsive (people don’t like to wait) and nice (you don’t like that the person on the line make you feel like a fool).
Think about it. It might be a good start for a more human centric security (hence more efficient and cost effective).