Cyber security user awareness has been a key focus and expense over the past few years. As evidenced by the Cyber Security Spend & Trends Report, that focus and expense has worked. While good work has been done, the practice must now evolve. It goes beyond user awareness.
It goes beyond cyber security psychology. There are fundamental ways to embed a cyber security consciousness into the fiber of your organization. With that consciousness, a cyber security culture can be established and grow.
User Awareness Training
“The training piece of it is where it all starts. If you can have a “no-kidding top-notch” awareness education program, you can solve a lot of problems going forward.
The biggest threat today is still phishing. If you can train your folks what to look for, what not to click on, when to report the phish, you’ve done a lot there to save a day when you might have to do some cleaning up.
So if you can do the education awareness training piece correctly, and make it so that people want to learn, you can save yourself a lot of time by not getting yourself into a bad spot.”
To paraphrase the old saying, teach a person to recognize a phish and they’ll keep the company protected for their lifetime.
User Awareness Psychology
“It’s all about psychology, the human psyche. You will never be able to get what you want from your human resources: to focus on cybersecurity as much as they should. And not just cybersecurity, it’s overall risk awareness. It’s a difficult task. It’s always going to be difficult. You have to keep trying, that’s all. But you must find innovative methods of engaging users to make them understand.”
Repetition works. Repetition works. But the effectiveness of repetition has its limitations in cyber security user awareness.
“But it’s all about motivation, what motivates any of us. I’ve always said you can yell at me and scream at me like perhaps the military would do, “You have to. You have to.” Or you could hold out a piece of chocolate and I would come and do all the things you want me to do just for that because you’re doing it in a positive way.”
Kill them with kindness.
“There is a side of awareness that’s about marketing what security brings to the table. So, partnering more with the marketing folks, with the engineering folks. Trying to embed ourselves more in their world to say cyber awareness is a service we could provide. You’re paying for us. Come use us in a way you’ve not used us before.”
Solving the repetition problem and amplifying motivation can be done through creative budget attribution. If the relationship with the Board and CEO is strong, moving cyber security awareness from the cyber security budget to business P&Ls positions cyber security awareness as something the business has chosen to buy, with the accompanying buy-in from that business leader.
If business leaders must spend on cyber security anyway, conceiving creative solutions collaboratively with them amplifies the effectiveness of the investment.
“There was the story not too long ago about Tesla. The user that was offered a lot of money to do bad things didn’t because they cared about their company. So how do you increase the level of loyalty? In many ways the amount of connection you have to a company can’t be underrated.”
Organizational loyalty is a concept for the larger organization. If your company has it, use it. When folks truly believe in the mission and vision of the company, it’s much harder to socially engineer them into actions of malfeasance.
Establishing a Holistic Cyber Security User Consciousness
“We keep trying the same things and expecting different results. And I don’t believe we can keep doing that. Looking at novel ways: gamifying things, making things fun for staff to engage with real life examples, making it about not just what they can do at work, but how they can help their family, children, etc. be cyber safe.
If you make it about the user’s whole-life ecosystem, from the time kids are at school, right through the time they work, and everything in between you can make a connection. That’s the only way to keep up with the pace of change and the volume of threats and threat actors that are coming through.”
Users are people. Perhaps rename the endeavor cyber security people awareness.
Source: https://www.cshub.com/executive-decisions/articles/2021-cyber-security-user-awareness-top-action-items