One of the biggest challenges in cybersecurity is awareness and training. Whether it’s the general population or internally at an organization, it’s a struggle. The 2019 Fiserv Cybersecurity Awareness Study found that out of over 1,000 respondents, 44% were aware of cybercrimes and would attempt to protect themselves, but only when it was convenient. The same study found that one in four respondents considered themselves uninformed, and more than half said they could do more to protect themselves online. Respondents did even simple things, such as changing passwords, only when they were forced to. Americans, in particular, expect the government to protect them. We know that increasing awareness and changing end-user behavior are critical to protecting oneself in the ever-changing world of cybersecurity. But how?
Enter Lisa Plaggemier and the National Cyber Security Alliance. Plaggemier, the Interim Executive Director at the National Cyber Security Alliance, joins co-hosts Rob Aragao and Stan Wisseman in this week’s “Reimagining Cyber” podcast episode, “Cyber – how to get people to care.” Plaggemier brings a wealth of knowledge: she spent the beginning of her career in marketing and has leveraged her marketing skills to take the complexity of cybersecurity and break it down into layman’s terms that even her 10-year-old can understand.
I am not picking up what you’re putting down.
One of the biggest challenges in raising awareness of cybersecurity risks and changing behavior is the terminology, Plaggemier says.
“I think the militaristic language that we tend to use talking about attacks and defenses, and… you know, the average person, when you tell them they're being attacked, they get a fight or flight response,” she says. “If they're not a security professional, they want to run away, they do not want to fight.”
Shifting the cyber imagery and language from things like attackers, hackers in hoodies, and aggressive language to easy-to-understand terms like quick, easy, and peace of mind makes people more apt to understand why online protection is important and what’s in it for them. Making it matter to them will drive behavioral change.
Eat your vegetables – But make it fun
Everyone dreads mandatory online training. Instead of forcing employees to take online training, Plaggemier suggests using a pre-test to gauge end users’ understanding of cybersecurity. Those who receive a perfect score don’t have to take the training. When Plaggemier has used this in the past, it unexpectedly caused quite a bit of employee engagement: employees who missed by one point or one question would want to discuss their score and the questions, giving the security team an opportunity to clarify confusion and employees a chance to show their understanding and knowledge.
“You have to serve up content, whether it's awareness content or training that truly is engaging,” Plaggemier says. “And guess what the judge of whether or not it's engaging is? It's the employee. It's not you.”
Think outside the box and do things that haven’t been done before within your organization, whether it’s leveraging a training platform, creating a video series, or gamifying training. The more engaged you can get your employees, the better.
So, where do you start?
Sometimes, just getting started can be difficult. “Inertia can be such a killer, right?” Plaggemier says. “Not letting perfection be the enemy of good is one of my favorite phrases,” she says. Don’t wait for policies, or a security plan, or a mature program. You just need to take the first step. Start with something like phishing, which affects everyone.
The National Cyber Security Alliance offers a lot of great resources to help you get started:
- Resource Library
- Video: How To Secure Your Online Life
- Ransomware Responsibility
- Oh Behave! The Annual Cybersecurity Attitudes and Behaviors Report 2021
Bringing awareness and changing behavior can be an overwhelming prospect. It’s important to remember to put things in layman’s terms, focus on “what’s in it for them,” and make it fun.
CyberRes is a Micro Focus line of business focused on helping companies protect, detect, and evolve their security framework and helping organizations become more cyber resilient. To learn more, visit CyberRes.com.