sb-as logo
Story image

Why a cybersecurity awareness week is just not enough

24 Jul 2018

From personal privacy to online scams, it seems almost every IT security-related issue now has its very own awareness week. Incorporating everything from television ads to banners on buses, the campaigns are designed to push messages directly at consumers.

However, while such weeks might go some way to lifting security awareness, they don’t go far enough. Simply reminding someone of the issues once a year - while a good thing - is really only the start.

The challenge stems from the fact that people have very short-term memories. They also don’t learn from the mistakes of others, but only from those they make themselves.

For example, a campaign in January might stress that all office staff should change their passwords on a regular basis. Yet, experience shows that half of them will have forgotten this advice by February and another half by March. Most will ignore the advice until they fall victim to a scammer.

The same holds true when it comes to opening rogue attachments or plugging in stray USB sticks. An awareness campaign might alert people, but many will just as quickly forget about the risks until they infect their own PC.

Getting the message through

In most cases, IT security messages not yet ingrained in people’s mindsets and so need to be enforced, however the challenge is finding a way to do this.

One approach would be to have the messages coming from multiple parties throughout the year rather than a single week-long awareness campaign. A series of campaigns could be mounted by banks, supermarkets, credit card providers and phone companies that constantly reinforce the same basic security messages. Repetition can be very effective.

Some may think there’s a risk that, faced with constantly being told the same thing, people will suffer message fatigue and switch off.  But if those messages are coming in different forms from different sources, the importance of IT security might just get through.

There’s also an argument for making the messaging itself more hard-hitting. In the past, successful road safety campaigns have used graphic footage of accidents and anti-smoking campaigns have contained images of damaged lungs. A similar approach to IT security could show the dire financial implications of having your identity stolen or your business shut down by ransomware.

A sales-free zone

Unfortunately, many IT security campaigns have tended to be little more than thinly veiled advertising for products or services. A security company will paint a scary picture of what might happen to you and then finish with the solution: buy our product and all will be well.

Effective campaigns need to steer away from selling and focus instead on the implications of not taking action. Once people understand the real-world problems they can face if they don’t take IT security seriously, they’ll be more likely to take the steps required to improve their own circumstances.

Awareness weeks are worthwhile, but they need to be augmented by other things. These could include targeted, government-funded advertising campaigns as well as campaigns funded by business that don’t contain a sales push. Scheduled to run throughout the year, they will help to get the messages across to larger numbers of people.

As awareness increases over time, it might even be worth establishing a national cybersecurity commission that would fulfil a role similar to a road safety commission. This body could coordinate campaigns nationally to ensure messages were reaching as many people as possible throughout the year.

Just as safety messages like ‘wear a seatbelt’ and health messages like ‘give up smoking’ took years to become mainstream, so ‘change your password’ and ‘don’t open strange attachments’ will have to follow a similar path.

Article by CQR Consulting co-founder Phil Kernick.

Story image
IBM report: Security response improving - containing attacks, not so much
“While more organisations are taking incident response planning seriously, preparing for cyber-attacks isn’t a one and done activity."More
Story image
Businesses move to cloud-based security solutions in a bid to support remote working
Cloud-based security tools are becoming increasingly popular following the rise in remote working during COVID-19, including a marked increase in businesses using such tools to protect of corporate financial information.More
Story image
Phishing attack exploited Samsung, Adobe servers for Office 365 credentials
The campaign used seemingly credible web domain names to lure its victims and bypass security filters, including from Oxford University, Adobe and Samsung.More
Story image
Attivo Networks raises the stakes against 'Ransomware 2.0'
“Advanced human-controlled ransomware can evade endpoint security controls and after initial compromise, move laterally to cause maximum damage, do data exfiltration and encrypt data."More
Story image
APAC parents hide internet activity from children more than cyber attackers
A new report from Kaspersky has turned a modern trope - that teens have things to hide in their internet history - on its head, by proving the opposite is also true.More
Story image
Interview: Checkmarx on the state of software security in Asia Pacific
"While the benefits of software are obvious, this proliferation also creates a massive and ever-evolving attack surface,” says Checkmarx A/NZ country manager Raygan Flores.More