One Article Review

Home - The article:
Source: AlienVault Blog
Identifier: 1140180
Publication date: 2019-05-22 13:00:00 (seen: 2019-06-05 04:00:24)
Title: If you confuse them, you lose them.
Text: I was watching a wonderful webcast by Marie Forleo. It was part of her “Copy Cure” course, and if you are unfamiliar with Marie and her work, take the time to explore some of her wisdom. Her webcasts are gems, particularly if you work in the consulting space. During the webcast she mentioned a phrase that should be top of mind for every InfoSec professional: If you confuse them, you lose them.

Think about the last meeting you had, or the last message you wrote. Was it truly as clear as it could be for its intended audience? Consider the following example. An executive received the following e-mail:

[image: evoicemessage-record (screenshot of the phishing e-mail)]

Take a moment and think about how you would respond to the executive who forwards this message to you and asks “Is this real, or a scam?”

Most of us InfoSec professionals would probably chuckle that the executive doesn’t immediately recognize this as a scam, but that is the first failing of our approach. When I see this, I assume that the exec recognizes that something is not quite right and is sending it to the subject matter experts for advice. This is definitely preferable to the person simply clicking the link and then making the frantic “Oops, I messed up” phone call, or worse, not reporting the error to anyone in the hope that no one notices.

Here is where we InfoSec professionals often make the mistake that creates the confuse-and-lose problem. Would you simply reply: “It’s a scam, delete it”? That certainly gets the message across, and it allows you to move on with your day, but does it help the exec? Does it teach anything, or does it add to the confusion, leaving the person no richer than when they contacted you? Think of when you go to the dentist because of a pain, and the dentist responds with “It’s nothing”. Do you feel any better knowing that the pain will not progress into the full agony stage, or would you like to know more?

Just as I would ask my dentist “How do you know it’s nothing?”, the executive to whom you just said “It’s a scam, delete it” will probably have the same question: How do you know it’s a scam? Imagine, however, if you sent the following response:

Mr. Exec: This is what is known as a credential-theft scam. If you followed that link and filled in the information, your username and password would have been stolen. The phone number is a non-working number, and the link attempts to connect to a .do domain (which is located in the Dominican Republic, not a Microsoft site). Please delete it. Thanks for checking with us. Here is a sample of the fake site:

[image: secure-gateway (screenshot of the fake login page)]

In this hyper-sensitive cybersecurity environment, even the busiest executive will appreciate the explanation and enjoy a better understanding of what we do to protect the company. This eliminates the confusion, and it also provides a real-world example of the lessons we teach in the security awareness campaigns that many companies require.

Wouldn’t it be great to know that you are providing the valuable service of not only protecting your organization, but also communicating in a way that reduces confusion and eases the perceived pain of cybersecurity? Instead of the phrase “If you confuse them, you lose them”, perhaps we can turn it around to “If you teach them, you reach them”.
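The reply above grounds its verdict in facts the executive can see: which host the link really points at, and that its .do country-code TLD has nothing to do with Microsoft. As an added example (not code from the original post or from AlienVault), here is a small triage helper that pulls the links out of a suspected phishing message, checks each host against the impersonated brand's genuine domains, and turns any mismatch into the kind of plain-language sentence the post recommends. The brand allowlist, the TLD table and the sample message are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist of domains the impersonated brand really uses (constructed).
BRAND_DOMAINS = {"microsoft": ("microsoft.com", "live.com", "office.com", "outlook.com")}
# Small country-code TLD table used in the explanation (constructed subset).
CC_TLD = {"do": "Dominican Republic", "ru": "Russia", "br": "Brazil", "cn": "China"}
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


def extract_links(message: str) -> list[str]:
    """Return every http(s) URL found in the message body."""
    return URL_RE.findall(message)


def host_matches_brand(host: str, brand: str) -> bool:
    """True if host is one of the brand's domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS[brand])


def analyse_link(url: str, brand: str) -> dict:
    """Split the link into host / TLD and decide whether it belongs to the brand."""
    host = (urlparse(url).hostname or "").lower()
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    return {"url": url, "host": host, "tld": tld,
            "country": CC_TLD.get(tld), "legitimate": host_matches_brand(host, brand)}


def explain(message: str, brand: str) -> list[str]:
    """Plain-language findings an analyst can paste into the reply to the exec."""
    findings = []
    for link in extract_links(message):
        r = analyse_link(link, brand)
        if r["legitimate"]:
            continue  # links to the brand's own domains need no warning
        where = f" (a .{r['tld']} domain, {r['country']})" if r["country"] else ""
        findings.append(f"The link goes to {r['host']}{where}, not a {brand.title()} site.")
    return findings


# Constructed sample imitating the voicemail lure the post describes.
SAMPLE = ("You have a new voice message. Listen here: "
          "https://secure-gateway.example.do/login?u=exec\n"
          "Unsubscribe: https://www.microsoft.com/")

if __name__ == "__main__":
    for line in explain(SAMPLE, "microsoft"):
        print(line)
```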
Sent: Yes
Tags:
Stories:
Rating: ★★★


The article does not appear to have been picked up after its publication.


The article does not appear to be a repeat of an earlier one.