Attack the Heart to Improve Security

Nope, this is not another article on Heartbleed. The heart has been bled almost dry, so, read on, dear reader.

Let's be honest: put your hands up (not if you are reading this in the cinema or anywhere else where you should not put your hands up) if you are always super excited and keen to click through boring websites or watch passionless video clips. You get the point.

The current approach, or what I call the "You are now inducted and aware of our policies so we can sack you" approach, just does not work. No one remembers, or wants to remember, the policy you forced them to read.

Education and, to an extent, awareness are, in my opinion, long-term initiatives that involve changing long-held beliefs (such as: I don't need a password) and behaviour (do I really need to lock my PC when I go to the bathroom? What's wrong with using one password for all accounts?). Consequently, organisations need to complement their short-term, training-based approach with a longer-term, regular and consistent awareness and education programme on cyber (or information) security. I use the word cyber because even CEOs now kind of get cyber.

Importantly, organisations need to reconsider their approach when engaging their employees on cyber security. What approach? The traditional and, I insist, boring approach of forcing (all right, strongly encouraging) employees to click through boring screens that say "you shall not blah blah..."

If not Boring, Expensive Intranet Sites, What Then?

I say, and have been saying for some time now, attack the heart. Not literally, of course! This is just a metaphor! How about I rephrase that and say: address the heart of your employees.

Address the personal cyber life of your employees, not the boring corporate aspects. Given that today most people have a considerable personal cyber life, coupled with the fact that most cyber attacks are launched using the social media realm in cyberspace, it makes sense for most organisations to educate their users on how to protect their personal cyber space.

For example, organisations could educate users and increase awareness on:

  • Why and how they should use strong and unique passwords and usernames on their personal LinkedIn, Facebook and Twitter accounts.
  • Why they should use a password manager to manage their passwords and cyber identities.
  • Why and how clicking phishing emails, such as those asking for usernames and passwords, could lead to direct personal impacts like bank fraud.
  • In addition, falling victim to phishing emails that steal usernames and passwords could compromise their other cyber identities.
  • Why and how being a tad cautious with the submit button on social media sites like Twitter could save future embarrassment, or even the careers of both employees and their children.

Note: An organisation could also deliver key policy messages during these campaigns, including messages from the information security policy and the acceptable use policy.

This approach would benefit both the organisation and the employee as the behaviours being encouraged in the personal cyber life are mostly the same for today’s corporate cyber space.

Zoey Bigg

Customer Experience Manager

10 years

Couldn't agree more!
