The Infosec Cold Call

I get asked occasionally about ways to improve corporate information security or what kinds of things get easily missed, and while I’m no expert, and there are an endless number of little things you can miss these days, there’s one way I rarely hear mentioned and I like to remind technical leadership about:

Don’t talk to security sales cold calls!

Studio71, where I’m the CTO, isn’t some huge enterprise company or constantly in the news garnering press and attention, and yet I still get at least a couple of these kinds of calls every week.

ring

Me: “This is Mike Flynn”

Them: “Hi, this is ____ from WhateverSec. I just have a few questions for you.”

Me: “Ok, but I really need to go.” (No I don’t.)

Them: “Sure, I’d just like to tell you about our new AI-powered blah blah crypto currency security solution. Let me ask you, what are you doing now for your corporate security?”

Me: “Ah, we’re happy with our current solution.”

Them: “What is your current solution? What kind of firewall are you currently running in your office? Are you using any monitoring devices on the network?”

Me: “I’m not going to detail our security infrastructure over the phone to someone I don’t know.”

Them: …

Them: “Ok, right. That makes sense.”

Me: “Thanks for calling, but I have to go.” (No I don’t)

click

How many people do you think happily gave up the brand of firewall…maybe the software version…maybe the network appliances they have at their office? A lot, I bet…but please don’t. What this person trying to research a hack? Honestly, probably not, but it only takes one, and even if they are legit they don’t need to know anything anyway. Oh, did they say they were from Rapid7 or another established company? No they weren’t because they usually don’t ask those kinds of questions, but even if they did, it doesn’t matter.

Feel free to buy whatever it is they have to sell, but whatever it is they don’t need to know your security infrastructure to sell it!