“Let me hold off on what I was doing so I can install this security update” — No one ever
Raising awareness and training employees on cybersecurity is hard. It’s draining. It’s thankless. And all too often, it’s ineffective. A big part of the problem is that we approach it with unrealistic expectations, and with tactics and messaging that may resonate with us, but not our audience. As a result, there’s often a disconnect between our security-minded priorities and those of the rest of the company.
In an ideal world, we’d be recognized by management and co-workers as the esteemed guardians of information and sage-like purveyors of critical know-how we clearly are.
These are practical, actionable tips that actually stand a chance of working in the real world. Check out a preview of a few of the tips below, and download the full guide here.
Tip #1: Passwords
Try this, instead:
“Explain that password managers are our friends.”
Microsoft Regional Director and Most Valuable Professional for Developer Security, Pluralsight author, and international speaker Troy Hunt explains why:
"Strong, unique passwords are a necessity, but by that very definition they’re not memorable. Password managers are the answer as they allow you to create one strong, unique password (which we can memorize), which protects an encrypted collection of other strong, unique passwords (which we can’t memorize en masse)."
"No one likes to feel fooled. When it comes to mock attacks and penetration tests, make sure to communicate your plans a few weeks in advance so that you don’t ruin your phishing tests and follow up with users right away. Right after telling them they made a mistake, use a constructive message that encourages them to view the exercise as a positive learning experience rather than a failed test or a gotcha. Then provide more in-depth training so that they have the knowledge to avoid the next attack."
Tip #3: Computer-Based Training (CBT)
Try this, instead:
“Consider CBT just one of many tools in your tool box.”
"If you wanted to learn how to box, you would go to a boxing gym. The trainer would set you up with protective gear and then tell you how to deliver a punch and take a punch. You would never step into the ring unprotected until you were ready.
"Can you imagine if you walked into the gym and the trainer sat you down and showed you a 20-minute CBT, then said, 'Okay, you ready?' Of course not, that’s ridiculous.
"Well, your people are entering the ring right now, and they have never stepped into the ring and they are not ready or prepared. We encourage each company to have realistic phishing tests that show what it is like to get phished (take the punch) and how to report it properly (give the punch). CBTs have their place as part of training, but they will not fix the problem."