
Why a cybersecurity awareness week is just not enough

24 Jul 18

From personal privacy to online scams, it seems almost every IT security-related issue now has its very own awareness week. Incorporating everything from television ads to banners on buses, the campaigns are designed to push messages directly at consumers.

However, while such weeks might go some way to lifting security awareness, they don’t go far enough. Simply reminding someone of the issues once a year - while a good thing - is really only the start.

The challenge stems from the fact that people have very short-term memories. They also don’t learn from the mistakes of others, but only from those they make themselves.

For example, a campaign in January might stress that all office staff should change their passwords on a regular basis. Yet, experience shows that half of them will have forgotten this advice by February and another half by March. Most will ignore the advice until they fall victim to a scammer.

The same holds true when it comes to opening rogue attachments or plugging in stray USB sticks. An awareness campaign might alert people, but many will just as quickly forget about the risks until they infect their own PC.

Getting the message through

In most cases, IT security messages are not yet ingrained in people’s mindsets and so need to be enforced; the challenge, however, is finding a way to do this.

One approach would be to have the messages coming from multiple parties throughout the year rather than a single week-long awareness campaign. A series of campaigns could be mounted by banks, supermarkets, credit card providers and phone companies that constantly reinforce the same basic security messages. Repetition can be very effective.

Some may think there’s a risk that, faced with constantly being told the same thing, people will suffer message fatigue and switch off. But if those messages are coming in different forms from different sources, the importance of IT security might just get through.

There’s also an argument for making the messaging itself more hard-hitting. In the past, successful road safety campaigns have used graphic footage of accidents and anti-smoking campaigns have contained images of damaged lungs. A similar approach to IT security could show the dire financial implications of having your identity stolen or your business shut down by ransomware.

A sales-free zone

Unfortunately, many IT security campaigns have tended to be little more than thinly veiled advertising for products or services. A security company will paint a scary picture of what might happen to you and then finish with the solution: buy our product and all will be well.

Effective campaigns need to steer away from selling and focus instead on the implications of not taking action. Once people understand the real-world problems they can face if they don’t take IT security seriously, they’ll be more likely to take the steps required to improve their own circumstances.

Awareness weeks are worthwhile, but they need to be augmented by other things. These could include targeted, government-funded advertising campaigns as well as campaigns funded by business that don’t contain a sales push. Scheduled to run throughout the year, they will help to get the messages across to larger numbers of people.

As awareness increases over time, it might even be worth establishing a national cybersecurity commission that would fulfil a role similar to a road safety commission. This body could coordinate campaigns nationally to ensure messages were reaching as many people as possible throughout the year.

Just as safety messages like ‘wear a seatbelt’ and health messages like ‘give up smoking’ took years to become mainstream, so ‘change your password’ and ‘don’t open strange attachments’ will have to follow a similar path.

Article by CQR Consulting co-founder Phil Kernick.
