Small Business Security – Avoiding a common social engineering technique…for less than the price of a cup of coffee!


We all know about some social engineering techniques. Phishing, for example, is a technique that most people have heard of – but there are many others. For example, there is a pricing gimmick that attempts to persuade buyers that a product is not that expensive. The gimmick is to present the cost of the product in terms of its “per day” cost. It’s loosely based on the framing effect.

The framing effect is a psychological effect in which people will consider options depending on how the options are framed and, in particular, whether the options are presented positively or negatively. “99.9999% of people who had a vaccination had no side-effects whatsoever” would likely encourage a positive uptake. Compare that to “for every million people who had a vaccination, 1 person died”. There are 60 million people in the UK; what if you were one of the unlucky 60…? The chances of dying are the same in both scenarios but one is presented positively and one is presented negatively. How did each influence you?

What research shows is that the framing effect is exacerbated when people are put in high-pressure situations – like making purchasing decisions for security tools you have no clue about. You may have seen something like the quote below:

“This security software costs less than the price of a cup of coffee”

Now, I don’t drink coffee. As a Northerner of England, I drink tea! So I had to look up how much a cup of coffee costs. It ain’t cheap! Cappuccino (Massimo) costs around UK£2.60-£2.75 for a cup, depending on where you go. Anyway, back to framing. The salesperson hopes they can anchor your frame of reference to a small number, such as the price of a cup of coffee, and as a result influence a buyer to think their product is cheaper than it really is. This kind of framing is a social engineering technique…and there is more to come.

“The price of a cup of coffee you say? That’s not a big number, we can afford that. Sign us up!”

Some time later, the contract comes in for signature and the numbers are now a bit different. The average SME has around 10 people so £2.60 x 365 x 10 = £9,490. Wow, that security tool costs nearly ten thousand quid! A lot more expensive! But you’re now committed – you have been socially engineered. Or have you?

It really depends on the answer to this next question. If the salesperson framed the proposal as “secure your organisation for just £10k”, would the same perception of value still exist? It’s the same amount of money, after all.

But now add on the cost of the resources needed to run the solution. The supporting infrastructure and the people who will be using the tool all need to be factored into the total cost of ownership. That coffee-priced solution is now several orders of magnitude more expensive. It doesn’t stop there because, as you grow, so too do those costs. Before you know it, you’re spending a considerable amount of money and may be getting minimal value, as the security value has limited correlation with how many people are in your organisation.

How can SMEs avoid being socially engineered?

SMEs typically don’t have dedicated internal resources that know about security procurement, and vendor sales teams know this. SMEs are often guided by the vendors, who present a turnkey solution in which the vendor will do everything to get the SME up and running. Vendors will often frame their product as being a plug-and-play replacement for an equivalent internal security resource. But rarely do security tools work this way. That’s why lots of security tools become shelfware or organisations get hacked anyway – because the tool was never configured properly.

So what is the solution? How can SMEs better navigate the security procurement space? What SMEs need is a trusted advisor. Someone who can advocate on their behalf throughout the procurement process. Someone who can define requirements catered for your business. Someone who can objectively look at whether a security tool will be fit-for-purpose. Someone who can delve into the detail of a vendor’s statements of work. In short, SMEs need a virtual CISO.

If the above resonates. If you’re the owner of an SME who feels they are spending lots and getting little value. If you’re an SME owner who feels unsure whether security spend is providing a solid ROI. Get in touch with us at Fox Red Risk

…and discovering how we can help save you money will definitely cost less than a cup of coffee.

About Fox Red Risk

Fox Red Risk is a boutique data protection and cybersecurity consultancy and Managed Security Service Provider which, amongst other things, helps client organisations with implementing control frameworks for resilience, data protection and information security risk management. Call us on 020 8242 6047 or contact us via the website to discuss your needs.
