As a tech person, I am pretty comfortable with tech things. My mind works in such a way that I can understand most gadgets and technology with a minimum of effort. I can almost literally picture the mechanics (or electronics) behind the functioning of stuff. It comes very naturally to me. What i have discovered in my years of living in tech is, not everyone sees things the same way as me. I know it’s a fundamental thing, very simple in retrospect, but it has been, and continues to be, a blind spot for me. I have to work to remember this when dealing with non-techies, or I can easily get frustrated.
If you look around, you can see the world being enveloped in tech. VR is going mainstream, we carry around pocket computers that also happen to make phone calls, our cars are rolling, digitally controlled entertainment systems. Some of us embrace and dare I say, enjoy, it. But what about those that do not?
These poor folks are having a heck of a time. Their families, especially the younger ones, are communicating at the speed of light, often times through push communications such as twitter, instagram, etc. Then there is email… so many emails! Gone are the days of licking a stamp and spending $ to communicate with people, now it’s free and every marketer on the planet is sending emails about by the 1000’s without spending a penny on postage. These poor non-tech folks are getting inundated by emails. To compound the problem, the scammers are out there in force as well, filling up the folks email account with scams, malicious links and attachments. These folks are also some of your users.
These folks are fatigued by tech, and now it’s hitting them hard in the workplace as well. Emails require almost immediate response, IM is becoming a productivity tool and the business world is
running at 100 miles an hour. Those same scammers are hard at work here too, only in this case, there is a feeling that they can’t ignore emails like they might in a personal email account. What if it really is an order or a customer service issue? This is the point where potentially disastrous decisions are made. Where the rubber meets the road, if you will.
So what do we do about it? Well, we need to show some empathy to start. While they may not have tech skills, hopefully they have
some other skills that keep them employed. Don’t look down your nose at luddites, it’s just a person with a different set of priorities. We also need to understand that it is our job as security professionals to reduce this risk and own the responsibility. If these folks are falling for phishing, we need to fix it, and we are responsible for teaching them good practices.
Once we own the problem, we can begin to address it. Here are 5 things you can do to be successful:
- Be patient. Non-tech folks don’t always have the basic tech skills and experience that we take for granted.
- Be positive. These folks are probably a little intimidated by what you are trying to teach them. Encourage them when they do well, but be kind if they mess up.
- Give them training and tools. Good awareness training and something as simple as a printed copy of a reminder like this can pay big dividends.
- Make them feel like part of a team. Stress that you are all in this together and part of something bigger than the individual
- Smile. Remember to smile, especially when teaching them new things. This will put them at ease and build confidence.
If you do these 5 things, it will go a long way to helping non-tech users embrace their role defending the organization against modern threats like Phishing. Good Luck!
Erich Kron, Security Awareness Advocate at KnowBe4, is a veteran information security professional with over 20 years’ experience in the medical, aerospace manufacturing and defense fields. He is the former security manager for the 2nd Regional Cyber Center-Western Hemisphere and holds CISSP, CISSP-ISSAP, MCITP and ITIL v3 certifications, among others. Erich has worked with information security professionals around the world to provide the tools, training and educational opportunities to succeed in InfoSec