Can Infosec Professionals Be Vulnerable To Phishing?
Miguel Calles, created polls on social networks to learn whether people believe security engineers could be phished.
Multitasking can be a dangerous thing. Our minds are trying to get a lot done, and we might be less focused than we should. Malicious actors are hoping we are careless so that we make mistakes. Given that, I believe a security engineer is just as likely to get phished. I wanted to know what others thought by creating polls.
Polls on LinkedIn and Twitter
I wanted to know what my social networks thought about this question. I already had my own opinion and experience, but did others share my view?
I structured the LinkedIn and Twitter polls to not only get a "yes" or "no" answer. There were designed to assess whether being phished affected responses. The first two options for each "yes" and "no" answer were aimed to figure out which participants might have been phished themselves. The second options for each "yes" and "no" answer were to see who has not been phished.
I received very few responses, but the results were still illuminating.
Poll results
Surprisingly, many respondents believe security engineers cannot be vulnerable to phishing. This belief highlights security engineers have become well respected. This respect may be due to the increased awareness of the need for cybersecurity. I see a concern here: security engineers could become overconfident and make more mistakes, thus becoming future targets. Although the majority thought security engineers could not get phished, no one ruled out the possibility.
Of the remainder who answered "yes," the majority were not phished. I was supposing that many of the "yes" answers would come from individuals who themselves were phished. Surprisingly that was not the case. It seems those who answered "yes" are being realistic that anyone could get phished even though they were not.
Conclusion
The number of responses were small and cannot be representative of everyone. It was surprising to learn that the majority of the respondents thought a security engineer could not be phished, but they did not rule out the possibility.
Personally, I think anyone is vulnerable to phishing, and that includes security engineers, security directors and chief information security officers.
Slow down and think. Whoever is asking for an urgent response can wait. If it was so critical, that person would have called many times and gotten the phone number from an acquaintance if needed.
Stay secure and alert,
Miguel
Before you go
Join my mailing list to receive updates about my writing. Visit https://miguelacallesmba.com/subscribe and sign up.
About the author
Miguel is a Principal Security Engineer and the author of the "Serverless Security" book. He has worked on multiple serverless projects as a developer and security engineer, contributed to open-source serverless projects, and worked on large military systems in various engineering roles.