Employees Must Wash Hands: 11 Tips to Translate Awareness Into Better Security Hygiene

Are you security-aware? A lot more people today are answering yes than in previous years. Perhaps it’s because of their organizations’ own security awareness efforts, or maybe it’s due to the influx of news stories about ransomware, credit card hacks, data breaches and identity theft. If people are more aware of cybersecurity concerns, does that mean we in security can pat ourselves on the back for a job well done?

Turning Awareness Into Security Hygiene

Unfortunately, simply being aware of cybersecurity doesn’t always translate to better behaviors. For decades, people have been aware that smoking is bad, that distracted driving can wreck your day, that eating junk can lead to heart disease and so on. However, that awareness doesn’t always lead to meaningful improvements.

As we approach another winter season, you’ll likely see reminders about proper hand-washing hygiene. But don’t we already know that sneezing into our hands spreads germs? Don’t we already know that running our hands under a faucet for two seconds doesn’t remove much bacteria?

Changing people’s habits is a hard task, especially if you try to measure your progress over months, years or decades. People are especially bad at remembering good habits and good at coming up with new shortcuts that often involve bad habits. Charles Duhigg, author of “The Power of Habit: Why We Do What We Do in Life and Business,” stated that habits “are so strong, in fact, that they cause our brains to cling to them at the exclusion of all else, including common sense.”

Listen to the podcast: We’re All In This Together — National Cyber Security Awareness Month

11 Tips to Spread Cybersecurity Awareness Beyond October

Congratulations if, during October, you and your organization made a strong effort to showcase cybersecurity improvements as part of National Cyber Security Awareness Month (NCSAM). However, remember that we’re all human. We’ll inevitably forget, fall back into old habits and even create new bad habits with the best of intentions. That’s why it’s crucial not to forget about security during the other 11 months of the year. Continue your campaigns and reminders, and keep improving the way you respond when employees slip up: the goal is to correct the behavior, not to punish the person who reported it.

Below are 11 suggestions to help you think about ways to continue your security awareness campaigns beyond the month of October.

  1. Incentives might change behavior in the short term, but peer pressure and visible social norms sustain it in the long term.

  2. Gauge people’s attitudes toward cybersecurity prior to your campaign. Measure it again after the campaign, then again some time later. Did the staff’s attitude toward cybersecurity improve? If there’s a lot of resistance already ahead of a campaign, now might not be the right time. Perhaps you need to improve how you frame your messages to reduce resistance.

  3. Your awareness messages should be continuously updated, both to keep them fresh and to improve the way they resonate with people. When you’re watching television, you don’t see the same commercials year after year. Make some tweaks, then measure the impact.

  4. Who’s in charge of your campaign? Consider moving the job of spreading awareness to other departments such as HR or marketing. If you have some creative types in your organization, get them involved.

  5. Similarly, engage your employees by getting them involved with creating and sharing awareness messages. We learn best by doing and by sharing our personal stories.

  6. Consider pitting different subgroups against one another. Much like a tug of war contest, create teams and charge each one to come up with something better than the other side.

  7. Review how the organization is doing in terms of security culture. Is it all talk and no action? Is it do as I say, not as I do? Security leaders must drive home the message that cybersecurity is truly everyone’s job.

  8. Educate employees to correlate cybersecurity with the organization’s ability to achieve its business objectives and avoid fines, loss of business, reputational damage and layoffs.

  9. Without testing your employees, how can you tell if your campaigns are achieving the desired results? In a blog post, Steve Martino, vice president and chief information security officer (CISO) at Cisco, boiled this task down to education, testing and accountability.

  10. Cybersecurity isn’t just for the office environment. Review your campaign’s messaging to ensure that it provides advice and value outside of the office, whether at home, in the car, on the bus, at the airport, in a coffee shop or in a hotel room.

  11. Everyone needs constant reminders, including top executives and board directors. Given their access to sensitive data, they should be challenged as often as the rest of the staff.

Connect on a Human Level

One final note for security professionals dreaming of improving their employees’ online hygiene: It’s crucial to help users see how everyday tasks and behaviors are connected to potential security consequences. As the Harvard Business Review put it, “Connection happens when you see past the details of a task to its human consequences. When you feel connected to the moral purpose of your work, you behave differently.”


Christophe Veltsos

InfoSec, Risk, and Privacy Strategist - Minnesota State University, Mankato

Chris Veltsos is a professor in the Department of Computer Information Science at Minnesota State University, Mankato...