Why a cybersecurity awareness week is just not enough

24 Jul 2018

From personal privacy to online scams, it seems almost every IT security-related issue now has its very own awareness week. Incorporating everything from television ads to banners on buses, the campaigns are designed to push messages directly at consumers.

However, while such weeks might go some way to lifting security awareness, they don’t go far enough. Simply reminding someone of the issues once a year - while a good thing - is really only the start.

The challenge stems from the fact that people have very short-term memories. They also don’t learn from the mistakes of others, but only from those they make themselves.

For example, a campaign in January might stress that all office staff should change their passwords on a regular basis. Yet, experience shows that half of them will have forgotten this advice by February and another half by March. Most will ignore the advice until they fall victim to a scammer.

The same holds true when it comes to opening rogue attachments or plugging in stray USB sticks. An awareness campaign might alert people, but many will just as quickly forget about the risks until they infect their own PC.

Getting the message through

In most cases, IT security messages are not yet ingrained in people’s mindsets and so need to be enforced; the challenge is finding a way to do this.

One approach would be to have the messages coming from multiple parties throughout the year rather than a single week-long awareness campaign. A series of campaigns could be mounted by banks, supermarkets, credit card providers and phone companies that constantly reinforce the same basic security messages. Repetition can be very effective.

Some may think there’s a risk that, faced with constantly being told the same thing, people will suffer message fatigue and switch off. But if those messages are coming in different forms from different sources, the importance of IT security might just get through.

There’s also an argument for making the messaging itself more hard-hitting. In the past, successful road safety campaigns have used graphic footage of accidents and anti-smoking campaigns have contained images of damaged lungs. A similar approach to IT security could show the dire financial implications of having your identity stolen or your business shut down by ransomware.

A sales-free zone

Unfortunately, many IT security campaigns have tended to be little more than thinly veiled advertising for products or services. A security company will paint a scary picture of what might happen to you and then finish with the solution: buy our product and all will be well.

Effective campaigns need to steer away from selling and focus instead on the implications of not taking action. Once people understand the real-world problems they can face if they don’t take IT security seriously, they’ll be more likely to take the steps required to improve their own circumstances.

Awareness weeks are worthwhile, but they need to be augmented by other things. These could include targeted, government-funded advertising campaigns as well as campaigns funded by business that don’t contain a sales push. Scheduled to run throughout the year, they will help to get the messages across to larger numbers of people.

As awareness increases over time, it might even be worth establishing a national cybersecurity commission that would fulfil a role similar to a road safety commission. This body could coordinate campaigns nationally to ensure messages were reaching as many people as possible throughout the year.

Just as safety messages like ‘wear a seatbelt’ and health messages like ‘give up smoking’ took years to become mainstream, so ‘change your password’ and ‘don’t open strange attachments’ will have to follow a similar path.

Article by CQR Consulting co-founder Phil Kernick.