If you're in the cybersecurity sector, you'll know that October is “Cybersecurity Awareness Month,” a time when cybersecurity specialists everywhere push hard to get the message out that cybersecurity is important.
Each year, there is a different theme, and for 2022, the theme is "See Yourself in Cyber."
According to the CISA website, the theme is meant to demonstrate that "while cybersecurity may seem like a complex subject, ultimately, it's really all about people. This October will focus on the "people" part of cybersecurity, providing information and resources to help educate CISA partners and the public, and ensure all individuals and organisations make smart decisions whether on the job, at home or at school – now and in the future."
Are we missing the point?
Of course, phishing is a big deal, and no one is suggesting that we shouldn't be talking about this. But it seems to me that all too often, we are still looking at the issue from a business perspective. Yes, we're focusing on people, but the area of focus is "How to spot a phishing message," with the advice of "Alert the IT team," or, "Forward to your line manager to verify."
While this advice is sound, in a work context, it does little to protect individuals at a personal level, and certainly doesn't get them excited about the topic.
Alongside the discussion of phishing, we also focus on ransomware. We highlight the dangers that lurk below the surface of an infected link, and advise, "Think before you click" (if only it were that easy!).
If the focus is on people, then we should think carefully about the audience we're speaking to. Taking a “One Size Fits All” approach to this topic doesn't work, just like trying to please everyone pleases no one.
Make it personal
When raising awareness, we tend to focus on business needs and forget that an organisation is made up of individuals; complex, living, breathing, loving, hard-working individuals who, despite what you might think, have lives outside of the business. Even the business owner and leader has personal matters to attend to, and needs to balance work and home life, all the while trying to appear as if nothing fazes them.
Yet, all of this tends to be forgotten as we enter cybersecurity awareness month with the bland message, "Think before you click!" [YAWN]
What we need to do is to get personal! Yes, you can talk about phishing scams, but talk about them in the context of recruiter scams. This is where a scammer will pose as a recruiter claiming they have the perfect role, but they need money to secure an interview.
Don't talk about how cybercriminals swim in the darkest recesses of the Dark Web, when in reality, scammers are on Facebook, Instagram, and TikTok. It might sound more exciting to talk about the Dark Web, but the message you're giving here is "Hey… there's a place where criminals hang out. If you don't go there, you'll be safe!"
Claiming that cybercriminals only live in the Dark Web is like saying sharks never come to the ocean's surface to feed!
We should also be talking about the apps people use, and that means talking about apps other than "Whatsapp." Dating apps are used in every walk of life, and scammers know that these are a good feeding ground to extort money out of people who perhaps are letting their guard down!
Talk about how scammers use dating apps to lure people into sending money (these are known as "romance scams"), or lure people into sending saucy images, only to be blackmailed further down the line.
Of course, in these times of economic difficulties, people are looking to make additional money, and therefore investment scams are also on the rise. Are your employees trying the latest “Get Rich Quick” schemes that focus on cryptocurrency? Do they know what to look out for? What to do if they are approached, or if they have invested?
These are the topics we need to be focused on. Yes, some of them are a little difficult and awkward to talk about, but if you avoid these conversations, you're leaving them exposed to learn the lessons the hard way.
We need to have laser focus
So, how do we develop an approach to raising awareness that will have impact?
To start with, it is essential to think about the different kinds of audiences you are speaking to, because they are different and have different needs – but remember that ALL of them are still people.
As an exercise, you should outline who your audience members are so that you can craft your messages appropriately. At a high level, your audiences will include members from the following teams:
- Board members;
- Human Resources;
- Information Technology.
You can go further than this if you wish, but I'm a fan of keeping things simple (to start with), so that you don't become weighed down by analysis.
Once you have your groups, ask yourself, what concerns them about cybersecurity, and, what do they need to know? The answer to these questions will differ for each group, and if you don't know the answer, then it's time to leave your desk and ask them.
Now comes the most critical question: What do you want them to do, or feel about the information given to them?
The whole point of cybersecurity awareness is that you want people to be changed in some way. To think differently about the topic and perhaps even change their behaviour.
You should consider the kinds of scams that people may be subject to, and include these alongside your more traditional messaging, which focuses on the threats your organisation faces.
More important than anything else is to remember that people aren't focused on cybersecurity 24/7. That's YOUR job. People want to get on with what they're employed to do, or want to engage in whatever activity they're engaging in. They're not thinking before clicking, because they're already three or four steps ahead and thinking about the next task or activity.
Finally, if you believe that cybersecurity awareness is important, then it shouldn't be a once-a-year event. There needs to be a clear strategy and a plan to raise awareness across your organisation.
Remember, if you have a random approach, you'll have random results.
About the Author: Gary Hibberd is 'The Professor of Communicating Cyber' at ConsultantsLikeUs and is a Cybersecurity and Data Protection specialist with 35 years in IT. He is a published author, regular blogger, and international speaker on everything from international security standards such as ISO27001 to the Dark Web, Cybercrime and CyberPsychology. He is passionate about providing pragmatic advice and guidance that helps people and businesses become more secure.
You can follow Gary on Twitter here: @AgenciGary
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.