Before I was a security analyst I was a user. I was unaware of how much risk I was in, or what the consequences could be of just one wrong click of my mouse.
I was painfully uneducated about what safe security practices are. I mistook phishing for fishing, confused as to why an email about fishing would be such a big deal. I thought to myself, just let people be interested in fishing if they like – I don’t understand – and I so evidently didn’t understand.
I’ve witnessed, many times over, users being blamed and shamed for these misunderstandings. But it is not the user who is at fault. What makes security successful is education. Knowledge is key. As security analysts, yes, we defend, we respond, we hunt, but most importantly, we educate.
When I first started my career in IT someone once said to me “You do not know what you do not know”, and this has played many times over in my mind. How can we expect our users to understand if we have not provided them with the information they need? How can we be approachable so users are willing to ask for help? How can we change the way a user thinks, to prompt “I’m not sure about this, perhaps I should get someone to check it first”? Every time a user asks for help, to me this is a success.
Educate your users before they are one click away from making the same mistakes so many of us have made before. Don’t wait to educate. And if you are a user, and you have been inspired to learn, reach out to your security team.