Go where the people are

Most of us take a "one size fits all" approach to security awareness, which is not the most effective way to go about it. Different jobs have different functions and therefore different needs. Malware analysts, for example, would have a very hard time doing their job if they followed standard security advice. It's simply assumed that they are an exception to the usual rules, and they are given environments (isolated analysis machines and networks) that let them do their work safely. But they aren't the only people in most organizations whose normal daily work requires them to do things that seem to fly in the face of traditional security hygiene recommendations. People working in HR and Accounting are routinely required to open unexpected attachments from strangers, which is a serious risk when done without adequate precautions. People whose jobs require "unsafe" behavior will ignore our advice, and likely our other suggestions too, if they feel their job demands an exception. Do a walk-through with staff to find out what their job actually entails so that you can help them do it securely. The guidebook Cybersecurity is Everyone's Job (co-written by Tripwire's own Maurice Uenuma) has sections on how staff in each area of a company can contribute to a more cyber-secure work environment.
Use positive language

"Don't reuse passwords or write them down." "Don't click unexpected links." "Don't leave your computer unattended." What do these statements have in common? They are all common security recommendations, and none of them explains what people are actually supposed to do. Presumably the first one means we should come up with unique passwords and then somehow remember them all. The second means we should delete messages containing links that might be unsafe, even if we might get in trouble because they turned out to be something important. And the third means we should lock our computers whenever some unspecified definition of "unattended" is met. We need to give people positive messages that spell out the steps they need to take to do their job safely, with clear definitions of the terms involved. Try instructions such as: "Use a password manager to generate and store strong, unique passwords." "Use the virtual environment we've set up for you so that you can open links and files safely." "Lock your machine as soon as you leave the room, even if it's only for a moment."
Make your messages sticky

Most of us can think of catchy phrases we learned as kids that taught us to behave more safely, such as "stop, drop and roll" for fire safety. The phrase by itself doesn't carry much information; it is an anchor for a more complex set of instructions so that we can bring them to mind even in an emergency. This tactic is supremely useful for cybersecurity awareness messaging, too, but it is as much art as science, and it does not come naturally to most technical people. Thankfully, we have some help. Stop Think Connect has compiled a list of security awareness messaging campaigns that were tested on laypeople to confirm their effectiveness. Phrases such as "lock down your login" and "when in doubt, throw it out" are meant to stick in people's heads so that they can recall the more detailed, technical instructions behind them when they need them most. You can find these phrases and their explanations here: https://stopthinkconnect.org/resources/preview/tip-sheet-basic-tips-and-advice.

In the end, improving security awareness is about learning how to educate people more effectively. That requires us to listen to and understand the perspectives of those we are trying to teach, including what they need to access in order to do their jobs. Saying that "humans are the weakest link" is not the end of the conversation; it is the beginning. Once you have identified a point of vulnerability, that is when you can start learning more about it in order to help solve the problem.