It’s Cyber Security Awareness Month which is a great time of year for everyone to dispense security wisdom like Oprah giving away cars.
But looking back at some of the blogs I’ve written over the years, particularly around Cyber Security Awareness Month, and dare I say, some of my peers’, there’s a bit of an issue: we’re often so focussed on showcasing our cyber security knowledge that it can be easy to forget who the knowledge is intended for.
The effect can be visualised by the following chart:
It’s important that as security professionals we use the opportunities presented by Cyber Security Awareness Month wisely, and communicate better. Below are five tips which have helped me, and may be of use to you too.
- Quit blaming others: Yes, we all get it. Sometimes people make mistakes, do silly things, or ignore you altogether. It’s so easy to declare, “Lol, users!” rolling your eyes a bit, and exhaling while letting your shoulders drop in the way a parent does just before they tell their 8 year old how disappointed they are in their exam results.

  Instead, let’s be the people who, in the face of mistakes, buy them an ice cream and make light of it. After all, is a little bit of ransomware really worth ruining friendships over?

- Argue behind closed doors: Security professionals don’t always agree on things. And that’s a good thing; we need to be constantly challenging assumptions and out of date practices. I guess we are also egomaniacs who love being right and putting others down. But that’s a topic for another time.

  The point is that people who don’t work in security don’t need to be confused. So, if someone says to their colleagues, “use a password manager”, don’t jump in on social media and say how bad you think the advice is, how MFA is a better option, or how l33t you are for being able to memorise 78 different unique passwords, each 16 characters long.

  Baby steps are what we need, and if we can help people be a little bit more secure today than they were yesterday, that’s great. If professionals want to disagree, or say how one method is superior to another, they can do it out of public sight, where it doesn’t make cyber security look like a field full of infighting imbeciles.

- Be specific: Whenever asked a security question, the reflex action is to sharply inhale before saying, “well, it depends”, which is then followed by 15 minutes of incoherent rambling with liberal use of phrases such as “risk”, “appetite”, “appropriate”, and “threat model”.

  I get it, I used to be a consultant in a previous life, and it’s what pays the bills. But when your colleagues, friends, or family members ask you a question, don’t beat around the bush; you’re not their consultant. Just tell them what to do, keep it specific and simple, but more importantly make it practical.

- Be a storyteller: We’re not college professors or lecturers, and nobody really wants to listen to a professor (apologies to professors). So try to make your message interesting and engaging. Telling a story really helps people remember and apply messages. If you tell the family an engaging story around the dinner table about how a criminal got caught because they posted too much information about themselves on social media, it may be all that’s needed for people to evaluate their own choices and change their behaviours accordingly.

- Make them cool: Making the people you directly come into contact with aware of cyber security and the steps they can take is great. But do you know what’s better? Having them go on and spread the message further. So instead of just telling, show something interesting and cool. Think of a little hack as a magic trick. Show someone, amaze them, then teach them how to do it. They will be more than happy to show off their newly learnt trick to all their friends and family and be the cool one.
We aren’t trying to make everyone a cyber security expert during Cyber Security Awareness Month, and such a goal is unachievable. What we do want is for people to make better risk decisions with new-school security awareness training, and to know who to go to when they are in any doubt. If we can help people to be even 1% more secure during October than they were last month, then that in itself makes Cyber Security Awareness Month worth it.