From personal privacy to online scams, it seems almost every IT security-related issue now has its very own awareness week. Incorporating everything from television ads to banners on buses, the campaigns are designed to push messages directly at consumers.
However, while such weeks might go some way to lifting security awareness, they don’t go far enough. Simply reminding someone of the issues once a year - while a good thing - is really only the start.
The challenge stems from the fact that people have very short-term memories. They also don’t learn from the mistakes of others, but only from those they make themselves.
For example, a campaign in January might stress that all office staff should change their passwords on a regular basis. Yet, experience shows that half of them will have forgotten this advice by February and another half by March. Most will ignore the advice until they fall victim to a scammer.
The same holds true when it comes to opening rogue attachments or plugging in stray USB sticks. An awareness campaign might alert people, but many will just as quickly forget about the risks until they infect their own PC.
Getting the message through
In most cases, IT security messages not yet ingrained in people’s mindsets and so need to be enforced, however the challenge is finding a way to do this.
One approach would be to have the messages coming from multiple parties throughout the year rather than a single week-long awareness campaign. A series of campaigns could be mounted by banks, supermarkets, credit card providers and phone companies that constantly reinforce the same basic security messages. Repetition can be very effective.
Some may think there’s a risk that, faced with constantly being told the same thing, people will suffer message fatigue and switch off. But if those messages are coming in different forms from different sources, the importance of IT security might just get through.
There’s also an argument for making the messaging itself more hard-hitting. In the past, successful road safety campaigns have used graphic footage of accidents and anti-smoking campaigns have contained images of damaged lungs. A similar approach to IT security could show the dire financial implications of having your identity stolen or your business shut down by ransomware.
A sales-free zone
Unfortunately, many IT security campaigns have tended to be little more than thinly veiled advertising for products or services. A security company will paint a scary picture of what might happen to you and then finish with the solution: buy our product and all will be well.
Effective campaigns need to steer away from selling and focus instead on the implications of not taking action. Once people understand the real-world problems they can face if they don’t take IT security seriously, they’ll be more likely to take the steps required to improve their own circumstances.
Awareness weeks are worthwhile, but they need to be augmented by other things. These could include targeted, government-funded advertising campaigns as well as campaigns funded by business that don’t contain a sales push. Scheduled to run throughout the year, they will help to get the messages across to larger numbers of people.
As awareness increases over time, it might even be worth establishing a national cybersecurity commission that would fulfil a role similar to a road safety commission. This body could coordinate campaigns nationally to ensure messages were reaching as many people as possible throughout the year.
Just as safety messages like ‘wear a seatbelt’ and health messages like ‘give up smoking’ took years to become mainstream, so ‘change your password’ and ‘don’t open strange attachments’ will have to follow a similar path.
Article by CQR Consulting co-founder Phil Kernick.