November 30th is International Computer Security Day. Since 1998 the day has been celebrated as a way to focus attention on – what else – computer security. I think such observances are an excellent way to tie an organization’s activities to the calendar.
This Computer Security Day I’d like to suggest you engage in some sort of security awareness event for your organization. Maybe you have teams discuss security implications of their designs or other activities. Maybe you use the organization’s newsletter as a vehicle to promote awareness.
Absent any pre-planned events or activities, one option is to use the day to kick off registration for a larger security awareness event. Of course, my suggestion is registration for Learning Tree’s Security Awareness boot camp. Whether you choose Learning Tree’s option or your own, it is essential that employees understand the criticality of cyber security in any organization.
The core message for any cyber security awareness event is to stress the WIIFM – What’s In It For Me. A big part of the reason employees are slack when it comes to cyber security is that they haven’t internalized how day-to-day safe practices impact the organization and its mission. Whether it’s writing down passwords (instead of using a password manager) or clicking on a link in an email that just might be a phishing attack, people often overlook the potential danger. That’s where awareness training comes into play.
You can list good practices and bad ones until you are blue in the face, but unless folks really grasp the impact of their actions, they are less likely to comply with cyber security initiatives and policies.
I’m not a fan of most generic posters that purport to promote good cyber security practices because they fail to emphasize the impact. We need more reminders along the lines of “Loose Lips Sink Ships,” although even that lacks specificity. (To be fair, at the time almost everyone knew that there may be spies hiding in every bush and the poster was just a reminder.) If you need specifics, Cloudmark reported that “300 firms in the US and UK reported that 38% of cyber attacks in the past 12 months came from spear phishing”. You can easily find more using your favorite search engine.
Training, posters, articles, and other awareness efforts are doomed to failure if people don’t see the WIIFM. Take this opportunity to help get the need for good cyber security practices to really sink in.
To your safe computing,