Story image

Why a cybersecurity awareness week is just not enough

24 Jul 2018

From personal privacy to online scams, it seems almost every IT security-related issue now has its very own awareness week. Incorporating everything from television ads to banners on buses, the campaigns are designed to push messages directly at consumers.

However, while such weeks might go some way to lifting security awareness, they don’t go far enough. Simply reminding someone of the issues once a year - while a good thing - is really only the start.

The challenge stems from the fact that people have very short-term memories. They also don’t learn from the mistakes of others, but only from those they make themselves.

For example, a campaign in January might stress that all office staff should change their passwords on a regular basis. Yet, experience shows that half of them will have forgotten this advice by February and another half by March. Most will ignore the advice until they fall victim to a scammer.

The same holds true when it comes to opening rogue attachments or plugging in stray USB sticks. An awareness campaign might alert people, but many will just as quickly forget about the risks until they infect their own PC.

Getting the message through

In most cases, IT security messages not yet ingrained in people’s mindsets and so need to be enforced, however the challenge is finding a way to do this.

One approach would be to have the messages coming from multiple parties throughout the year rather than a single week-long awareness campaign. A series of campaigns could be mounted by banks, supermarkets, credit card providers and phone companies that constantly reinforce the same basic security messages. Repetition can be very effective.

Some may think there’s a risk that, faced with constantly being told the same thing, people will suffer message fatigue and switch off.  But if those messages are coming in different forms from different sources, the importance of IT security might just get through.

There’s also an argument for making the messaging itself more hard-hitting. In the past, successful road safety campaigns have used graphic footage of accidents and anti-smoking campaigns have contained images of damaged lungs. A similar approach to IT security could show the dire financial implications of having your identity stolen or your business shut down by ransomware.

A sales-free zone

Unfortunately, many IT security campaigns have tended to be little more than thinly veiled advertising for products or services. A security company will paint a scary picture of what might happen to you and then finish with the solution: buy our product and all will be well.

Effective campaigns need to steer away from selling and focus instead on the implications of not taking action. Once people understand the real-world problems they can face if they don’t take IT security seriously, they’ll be more likely to take the steps required to improve their own circumstances.

Awareness weeks are worthwhile, but they need to be augmented by other things. These could include targeted, government-funded advertising campaigns as well as campaigns funded by business that don’t contain a sales push. Scheduled to run throughout the year, they will help to get the messages across to larger numbers of people.

As awareness increases over time, it might even be worth establishing a national cybersecurity commission that would fulfil a role similar to a road safety commission. This body could coordinate campaigns nationally to ensure messages were reaching as many people as possible throughout the year.

Just as safety messages like ‘wear a seatbelt’ and health messages like ‘give up smoking’ took years to become mainstream, so ‘change your password’ and ‘don’t open strange attachments’ will have to follow a similar path.

Article by CQR Consulting co-founder Phil Kernick.

Seagate: Data trends, opportunities, and challenges at the edge
The development of edge technology and the rise of big data have brought many opportunities for data infrastructure companies to the fore.
Popular Android apps track users and violate Google's policies
Google has reportedly taken action against some of the violators.
How blockchain could help stop video piracy in its tracks
An Australian video tech firm has successfully tested a blockchain trial that could end up being a welcome relief for video creators and the fight against video piracy.
IBM X-Force Red & Qualys introduce automated patching
IBM X-Force Red and Qualys are declaring a war on unpatched systems, and they believe automation is the answer.
Micro Focus acquires Interset to improve predictive analytics
Interset utilises user and entity behavioural analytics (UEBA) and machine learning to give security professionals what they need to execute threat detection analysis.
Raising the stakes: McAfee’s predictions for cybersecurity
Security teams and solutions will have to contend with synergistic threats, increasingly backed by artificial intelligence to avoid detection.
Exclusive: Ping Identity on security risk mitigation
“Effective security controls are measured and defined by the direct mitigation of inherent and residual risk.”
CylancePROTECT now available on AWS Marketplace
Customers now have access to CylancePROTECT for AI-driven protection across all Windows, Mac, and Linux (including Amazon Linux) instances.