Imagine you get an email from your boss saying there’s a new promotion at work. All you have to do is log in to the secure portal provided, take the 5-question survey, and you’ll get a $200 bonus that month. “Wow,” you think. “This is just what I needed to cover my unexpected medical expenses! Things are finally looking up!” You sign in and are immediately informed that you have fallen for a phishing test. How do you feel? You are likely to feel defeated, upset, and maybe even angry. “That wasn’t fair!” you think.
What do you, the reader, think? Was it a fair test?
Some may say yes: the attackers don’t care about your medical expenses, so why shouldn’t that angle be tested? Others say no: we’re not the real attackers, so we shouldn’t test employees like that. What is the correct answer?
A Christmas Bonus
During the pandemic, one company conducted a phishing test much like the one in our introduction. It tested employees by telling them they had had a great year at the company and offering a $650 Christmas bonus to every employee who filled out the form. About 500 employees fell for it. Those employees publicly complained that it was an insensitive and tone-deaf test, and the company had to apologize publicly. That test clearly didn’t leave employees with positive training takeaways.
Clearly, the test could have been conducted in a more ethical manner. How so? Instead, the company could have said it was holding a Christmas raffle: “If you fill out the attached form, you will be entered to win a $15 iTunes gift card.” With only a few changes, this test would have left employees without the sense of loss they certainly felt from the original test.
Make Them Feel Better for Meeting You
Here at Social-Engineer, LLC, our main motto is “Leave them feeling better for meeting you.” Is that possible if we prey on someone’s need to provide for themselves and their families? No. The same applies to exploiting other intense emotions, such as fear. There is no training value in threatening to fire someone. Our goal is not just to “win” for ourselves, but to create a moment your employees can learn from. For this reason, Christopher Hadnagy created a Code of Conduct for Social Engineering that we follow at our company. The Social Engineering Code of Conduct serves three important goals:
- Promotes professionalism in the industry.
- Establishes the ethics and policies that guide how to be a professional SE.
- Provides guidance on how to conduct a social engineering business.
Why Is It Important?
Why is a code of conduct important for social engineering, and for phishing and vishing in particular? Because even though we are paid to imitate the bad guys, we are not the bad guys. Our goals are not the same. We are not trying to win at any cost, or at least we shouldn’t be. Additionally, we need to keep in mind what our goals should be: to train employees and to help companies better defend against malicious attackers. We can’t do this if we mimic malicious attackers in every way. Why not?
Picture the attack from our introduction. What do you think the employee will remember about that “training” experience? Chances are, it will be the negative emotions they felt, not how to stay safe in the future. This is what we, as professional social engineers, want to avoid. Rather, we want to leave them with solid, teachable moments. We want them to be able to focus on identifying the warning signs instead of being distracted by the negative feelings we created.
Be Nice People
It is true that training in this way, with its focus on positive emotions, is not always easy. It is often far easier to come up with negative pretexts. But we think it’s worth the effort. Bringing ethics into social engineering ensures that we impersonate the bad guys while remaining the good guys. At Social-Engineer, we pride ourselves on what we do and how we do it. This is what makes us different. We provide education and awareness to your employees while leaving them feeling better for having met us.
For a detailed list of our services and how we can help you achieve your cyber security goals, please visit:
*** This is a Security Bloggers Network syndicated blog from Social-Engineered, LLC, written by Social-Engineered. Read the original post here: https://www.social-engineer.com/the-social-engineering-code-of-ethics/