October 25, 2017 By Christophe Veltsos 3 min read

Are you security-aware? A lot more people today are answering yes than in previous years. Perhaps it’s because of their organizations’ own security awareness efforts, or maybe it’s due to the influx of news stories about ransomware, credit card hacks, data breaches and identity theft. If people are more aware of cybersecurity concerns, does that mean we in security can pat ourselves on the back for a job well done?

Turning Awareness Into Security Hygiene

Unfortunately, simply being aware of cybersecurity doesn’t always translate to better behaviors. For decades, people have been aware that smoking is bad, that distracted driving can wreck your day, that eating junk can lead to heart disease and so on. However, that awareness doesn’t always lead to meaningful improvements.

As we approach another winter season, you’ll likely see reminders about proper hand-washing hygiene. But don’t we already know that sneezing in our hands spreads germs? Don’t we already know that simply running our hands under a faucet for two seconds doesn’t really eliminate much bacteria?

Changing people’s habits is a hard task, especially if you try to measure your progress over months, years or decades. People are especially bad at remembering good habits and good at coming up with new shortcuts that often involve bad habits. Charles Duhigg, author of “The Power of Habit: Why We Do What We Do in Life and Business,” stated that habits “are so strong, in fact, that they cause our brains to cling to them at the exclusion of all else, including common sense.”

Listen to the podcast: We’re All In This Together — National Cyber Security Awareness Month

11 Tips to Spread Cybersecurity Awareness Beyond October

Congratulations if, during October, you and your organization made a strong effort to showcase cybersecurity improvements as part of National Cyber Security Awareness Month (NCSAM). However, remember that we’re all human. We’ll inevitably forget, fall back into old habits and even create new bad habits with the best of intentions. That’s why it’s crucial not to forget about security during the other 11 months of the year. Continue your campaigns and reminders, and always work to improve the way you handle your employees when they misbehave.

Below are 11 suggestions to help you think about ways to continue your security awareness campaigns beyond the month of October.

  1. Incentives might work in the short term, but peer pressure works better in the long term.

  2. Gauge people’s attitudes toward cybersecurity prior to your campaign. Measure it again after the campaign, then again some time later. Did the staff’s attitude toward cybersecurity improve? If there’s a lot of resistance already ahead of a campaign, now might not be the right time. Perhaps you need to improve how you frame your messages to reduce resistance.

  3. Your awareness messages should be continuously updated, both to keep them fresh and to improve the way they resonate with people. When you’re watching television, you don’t see the same commercials year after year. Make some tweaks, then measure the impact.

  4. Who’s in charge of your campaign? Consider moving the job of spreading awareness to other departments such as HR or marketing. If you have some creative types in your organization, get them involved.

  5. Similarly, engage your employees by getting them involved with creating and sharing awareness messages. We learn best by doing and by sharing our personal stories.

  6. Consider pitting different subgroups against one another. Much like a tug of war contest, create teams and charge each one to come up with something better than the other side.

  7. Review how the organization is doing in terms of security culture. Is it all talk and no action? Is it do as I say, not as I do? Security leaders must drive home the message that cybersecurity is truly everyone’s job.

  8. Educate employees to correlate cybersecurity with the organization’s ability to achieve its business objectives and avoid fines, loss of business, reputational damage and layoffs.

  9. Without testing your employees, how can you tell if your campaigns are achieving the desired results? In a blog post, Steve Martino, vice president and chief information security officer (CISO) at Cisco, boiled this task down to education, testing and accountability.

  10. Cybersecurity isn’t just for the office environment. Review your campaign’s messaging to ensure that it provides advice and value outside of the office, whether at home, in the car, on the bus, at the airport, in a coffee shop or in a hotel room.

  11. Everyone needs constant reminders, including top executives and board directors. Given their access to sensitive data, they should be challenged as often as the rest of the staff.

Connect on a Human Level

One final note for security professionals dreaming of improving their employees’ online hygiene: It’s crucial to help users see how everyday tasks and behaviors are connected to potential security consequences. As the Harvard Business Review put it, “Connection happens when you see past the details of a task to its human consequences. When you feel connected to the moral purpose of your work, you behave differently.”

Hear more from Chris: We’re All In This Together — National Cyber Security Awareness Month

More from CISO

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

The evolution of a CISO: How the role has changed

3 min read - In many organizations, the Chief Information Security Officer (CISO) focuses mainly — and sometimes exclusively — on cybersecurity. However, with today’s sophisticated threats and evolving threat landscape, businesses are shifting many roles’ responsibilities, and expanding the CISO’s role is at the forefront of those changes. According to Gartner, regulatory pressure and attack surface expansion will result in 45% of CISOs’ remits expanding beyond cybersecurity by 2027.With the scope of a CISO’s responsibilities changing so quickly, how will the role adapt…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today