It’s often said that humans are the weakest link in cybersecurity. Indeed, I’d have a hard time arguing that a computer that was sealed in a box, untouched by human hand, poses much of a security risk. But a computer that is unused has no purpose. It behooves security practitioners to get smarter about how we teach people to use those machines so that both humans and computers can work together to safely accomplish greater things. This month is National Cybersecurity Awareness Month, which is an event designed around educating people on how to avoid contributing to security emergencies. If you’re working in cybersecurity, this subject is probably never far from your mind. But as an industry, we still have a lot to learn about how to educate people effectively. Here are a few ways you can tweak your existing security awareness programs to be more effective.
Go where the people are
Most of us take a “one size fits all” approach to security awareness, which is not the most effective way to go about things. Different jobs have different functions and different needs. Malware analysts, for example, would have a very hard time doing their job if they followed standard security advice. It’s simply assumed that they are an exception to the usual rules, and they’re given isolated environments that allow them to do their job safely. But they aren’t the only ones in most organizations whose normal daily work requires them to do things that seem to fly in the face of traditional security hygiene recommendations. People working in HR and Accounting are routinely required to open unexpected attachments, which is a big security risk when it’s done without adequate precautions. People whose jobs require “unsafe” behavior will ignore our advice, and likely our other suggestions too, if they feel that their job requires an exception. Do a walk-through with staff to find out what their job actually entails so that you can help them do it securely, rather than leaving them to improvise an exception on their own. The guidebook Cybersecurity is Everyone’s Job (co-written by Tripwire’s own Maurice Uenuma) has sections that focus on how staff from each area of a company can contribute to a more cyber-secure work environment.
Use positive language
“Don’t reuse passwords or write them down.” “Don’t click unexpected links.” “Don’t leave your computer unattended.” What do these statements have in common? They are all common security recommendations, and none of them explains what people are actually supposed to do. Presumably the first one means we should come up with unique passwords and then somehow remember them all. The second means we should delete messages with links that might be unsafe, even if we get in trouble because they turned out to be something important. The third means we should lock our computers whenever some unspecified definition of “unattended” is met. We need to give people positive messages that specify the steps they should take to do their job safely, with clear definitions of terms. Try instructions such as: “Use a password manager to automatically generate strong, unique passwords.” “Use the virtual environment we’ve set up for you so that you can open links and files safely.” “Lock your machine as soon as you leave the room, even if it’s only for a moment.”
Make your messages sticky
Most of us can think of catchy phrases we learned as kids that taught us to behave more safely, such as “stop, drop & roll” for fire safety. The phrase by itself doesn’t carry much information; it’s meant to anchor a more complex set of instructions so that we can bring them to mind even in an emergency. This tactic is supremely useful for cybersecurity awareness messaging too, but it’s part art and part science, and it doesn’t come naturally to most tech folks. Thankfully, we have some help in this regard. Stop Think Connect has compiled a list of data-backed security awareness messaging campaigns that were tested on laypeople to confirm their effectiveness. These phrases, such as “lock down your login” and “when in doubt, throw it out,” are meant to stick in people’s heads so that they can recall the more detailed, technical instructions when they need them most. You can find more about those phrases and their explanations here: https://stopthinkconnect.org/resources/preview/tip-sheet-basic-tips-and-advice.
In the end, improving security awareness is about learning how to educate people more effectively. This requires us to listen to and understand the perspectives of those we’re trying to teach, including what they need to access in order to do their jobs. Saying that “humans are the weakest link” is not the end of the conversation; it’s the beginning. Once you’ve identified a point of vulnerability, that’s when you can start learning more about it in order to help solve the problem.
About the Author: Lysa Myers began her cybersecurity career in a malware research lab in the weeks before the Melissa virus outbreak in 1999. She watched as the Internet grew from small, local bulletin board systems to the World Wide Web and computer security incidents evolved from virtual urban myth to daily reality. As the landscape has changed, she’s seen how both cybersecurity hiring and education efforts have not quite kept pace, creating a talent gap that continues to widen. Since then, Myers has used her experiences to help spread awareness of what people can do to develop an effective and inclusive security culture. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.