February 9, 2018 | By David Strom

The issue of cyber literacy as a way to improve defenses against future attacks has received a lot of attention lately. This notion isn’t exactly new: A 1994 article from The New York Times mentioned the need to promote cyber literacy, quoting then-Wired editor Kevin Kelly, who spoke of “a different kind of literacy based on a melange of digital information.”

What is new, however, is how a business might implement the specifics of a literacy program and determine who exactly will be on the receiving end of this effort. Tripwire noted that educating executives about cybersecurity can help companies prepare for a potential security breach. While that may be true, there is a bigger issue at stake — namely, our end users’ cybersecurity knowledge and practices.

Measuring Cyber Literacy by the Numbers

Part of the problem is defining what it means to be cyber literate to begin with. Recently, a Tenable survey showed that, although virtually all respondents had heard about data breaches, many have failed to change their security habits. This could stem from ignorance, denial or a misunderstanding of their role in protecting data.

The survey also found that only about one-quarter of employees use multifactor authentication (MFA), and just one-third have reduced their use of open Wi-Fi hotspots as a result of stories describing security compromises. In addition, 45 percent of respondents use a personal identification number (PIN) to lock their laptops and other mobile devices, and 19 percent use some form of biometric tool, such as fingerprint or facial recognition.

This is alarming because most of these activities, like the cyber literacy discussion itself, have been around for decades. Given these results, what can security leaders do to promote improved cyber literacy across the user population?

Promoting Secure Behavior Across the Enterprise

First, you should practice what you preach and demonstrate how to use MFA for personal accounts, such as Facebook, Google and PayPal. All of them now implement MFA methods, and even if your company doesn’t yet use MFA for any corporate apps, you should still use it personally and encourage others to do so as well.

Next, regularly remind users to update their apps, operating systems and browser versions, even on their home computers and phones. According to the survey, 13 percent of computer users wait more than a week to update the apps on their computer, while 3 percent wait a month and 5 percent fail to update at all. Enterprise update policies are certainly important, but you should also educate your users about the risks of having out-of-date equipment.

If your company doesn’t yet use password managers or single sign-on (SSO) tools, now is the time to implement them. These solutions can cut down on password reuse, which is often the best way for cybercriminals to infiltrate your networks. While we all have too many passwords to manage, automated tools such as these can help us stop relying on our insecure go-to passwords.

Transparency and Trust

These are all great starting points, but it takes more than technology to improve cybersecurity literacy. For example, one of the most important considerations is corporate culture. Security leaders should endeavor to make the company more accountable and transparent in its response to data breaches. Look to organizations that have had success in this area and use those examples to convince upper management to do the same. As part of this transparency effort, you should strive to take better care of your customer data in terms of how it is used, stored and accessed by your employees.

Finally, we need to examine how to establish more trust between the chief security officer (CSO), employees at every level of the company and top management. This comes down to building mutual trust with key stakeholders and fostering strong relationships with the right people.

By educating employees, acquiring the right tools to help them develop more secure habits, and imploring top leadership to increase accountability and transparency in their response to data breaches, security leaders can finally make progress in the decades-long effort to promote cyber literacy throughout the enterprise and across our increasingly connected digital world.
