As we wrap up the 2019 National Cyber Security Awareness Month (NCSAM), let’s all agree that our work is not done. As a matter of fact, it’s far from being done. If we are really honest with ourselves, I would even go so far as to say that we have continued to lose ground in the battle against cyber criminals. Why would I say such a thing? Well, it’s the simple truth.
Year after year, the losses become greater, the impact of cyber attacks becomes more significant and, thanks to countless breaches, our private data becomes less private. Thinking back, my first memorable cyber incident was the “Melissa” virus in 1999. This was a mass-mailing virus carried in a Word macro that sent itself to the first 50 contacts in the Outlook address book. I was in a hallway meeting with my coworkers when all of our 2-way pagers (yes, I’m that old) went off at the same time. After reading the first couple of lines of the message, I made a run for the Exchange server and unplugged the network cable.
While the virus was not particularly damaging in itself, the load it put on my server caused it to crumble like a tower of Jenga blocks, which, in turn, caused a ton of file corruption and sent me to the backup tapes. Between restoring the server and cleaning up the queued messages on the endpoints, I ended up spending about 26 hours fixing the issues. I thought it was bad. It felt like it was really bad.
Compared to the things we are seeing today, that was just a minor inconvenience.
So, with the stakes so high and the losses only getting worse, it’s time to admit that we are not making much progress. As much good as NCSAM does, it falls short in the same way that a single training event falls short of making a person an expert. Some people may learn a couple of things, and they may even be a little more secure for a while; however, like a compliance checkbox ticked once a year, it doesn’t make things better in any lasting way.
There, I said it. Does this mean we are destined to fight a losing battle? Should I avoid buying green bananas? Of course not, but we do need a different strategy if we want to make a real difference. This means that we need to not only bring awareness to people, but also change their behavior. One of my favorite lines comes from a slide deck I pilfered from my colleague, Perry Carpenter. The slide says, “Just because I am aware, doesn’t mean I care.” That’s a truth that is hard to argue with and one we need to remember.
If we really want to make a difference in this world, we need to get a message across that is more than just making people “aware”. We need to make them care, and this in turn will impact their behavior. The good news is, I am seeing a significant shift in this mentality just in the past few years. This is becoming very apparent in the security awareness industry as organizations are seeing the significant benefits of moving security awareness programs out of the compliance shadows and treating them as real security initiatives.
This means doing more than stuffing people in a room for an hour once a year and showing them a PowerPoint presentation. It means training that feels more like entertainment than training, such as our groundbreaking Inside Man series. It means short, focused trainings throughout the year, and it means simulated phishing tests with a gamification element to promote competition and fun.
Shorter training, especially training that tells a story, helps the individual maintain focus and absorb more information than longer, mind-numbing training ever will. A story element helps make the training relevant and memorable and, if done well, ties the lesson to an activity in the person’s real world. For example, the story about the Japanese pop star who was tracked down and assaulted by a stalker, after he identified her local train station from a reflection in her pupil in a selfie she had posted online, is one that people I know often remember when taking their own selfies to post online. The act of taking the selfie makes them recall the story; they then look at the selfie more closely and critically, checking for details like that, before posting.
Likewise, simulated phishing tests remind users of what they learned in the training and give them a chance to practice those skills in a fail-safe environment. Gamifying the results of the simulated phishing tests promotes a sense of competition, which drives real vigilance for phishing emails. I have seen organizations gamify the tests using everything from departmental rivalries to competition for a prized parking spot, trophies, pizza parties or even cash awards for the winners to motivate employees. Imagination is the key to this approach, and the results can be amazing.
So, where does that leave us as NCSAM wraps up? It should leave us understanding that one month a year to focus on cyber security just isn’t enough. We need to be giving advice, sharing resources and evangelizing better security practices throughout the year. There isn’t a compliance award for participating in NCSAM, so we shouldn’t treat it like a compliance exercise. Instead, we need to do our part to educate people about scams, tricks and other threats throughout the year while making it relevant and understandable to them. If we can do this, I have no doubt we will see a significant shift in the war against cybercrime.