There is no work-life balance in cybersecurity — part III

3 steps to engage employees in cyber hygiene

Bruno Triani
badrap.io
Nov 11, 2019


I have written about my journey to understand how we deal with cybersecurity. First, I raised attention to the actions we perform online and how blurry the boundaries of digital trust can be. Next, I tried to figure out how to define responsibilities for information security. Now, the last part of this series captures my experiences in engaging employees in cybersecurity.

Part I — Where are the boundaries of trust?

Part II — From board meetings to daily tasks, who owns cybersecurity risk for the company?

(Photo by Andrew Martin on Pixabay)

1 — We are driven by convenience (cut to the chase)

The biggest challenge in conveying a message is making it as simple as possible. The first impulse that I had to make people interested in safer online practices was to stress the risks and threats that they are exposed to. But presenting the problem doesn’t change the fact that increasing fear without offering convenient solutions just creates more aversion towards efficient protection. We like to access information 24/7 without many steps, from shorter access codes to facial recognition. No more warning signs, just messages letting me know what risks I am now exposed to.

2 — Making it personal (and inter-personal)

Informing people about what they should and should not do online is close to patronizing. It is difficult to focus on something that is said to be important but has been defined as such by someone else. First, we need to accept that the information is relevant and concerns us. In the second article, I mentioned that standard awareness campaigns struggle to show the connection between daily activities, responsibilities and the pitfalls that could affect our work and business. The other aspect of safer online practices is about expanding the circle of protection. More than taking care of our own assets, it makes sense to protect our family and friends as well. Expanding the good practices and awareness to reach people around us elevates the activity from “just a checklist” to a far-reaching positive loop of protection.

3 — Rewards and tracking (support and feedback)

When people don’t see immediate results from a piece of advice or information, rewards can help to get their attention. Many times, people’s lack of motivation to understand high-risk online behavior is just a lack of ability. Rewards like movie tickets and a day off are cheap if they help to avoid bad online decisions and the resulting fallout for the companies. Training is often measured only through participation or test scores. But when awareness and behavioral change are the objective, gathering feedback from the participants can lead to a better understanding of how the content is seen and also of their level of engagement. Not just numbers, but real answers from the training campaign, offering rewards and gathering feedback. Another aspect is to offer users support for better future decisions. Advice that pushes responsibility and workload onto the user’s shoulders can backfire against the initial purpose of raising awareness. We must offer help on this journey of improvement.

To make security information accessible for everyone, we at Badrap are working to make the “weakest link” in information security stronger — individuals. We developed a free platform that connects the findings of security researchers to help people check if their credentials or devices are exposed online. Sign up for free at badrap.io

After having seen the positive impact of interactive training, a personal approach, and rewards & tracking in raising cybersecurity awareness, we are now also helping companies with the Cyber Hygiene Campaign. We offer an online awareness campaign that helps protect your business and connects your employees with our platform. You can try it out at hygiene.badrap.io
