February 9, 2018 By David Strom

The issue of cyber literacy as a way to improve defenses against future attacks has received a lot of attention lately. This notion isn’t exactly new: A 1994 article from The New York Times mentioned the need to promote cyber literacy, quoting then-Wired editor Kevin Kelly, who spoke of “a different kind of literacy based on a melange of digital information.”

What is new, however, is how a business might implement the specifics of a literacy program and determine who exactly will be on the receiving end of this effort. Tripwire noted that educating executives about cybersecurity can help companies prepare for a potential security breach. While that may be true, there is a bigger issue at stake — namely, our end users’ cybersecurity knowledge and practices.

Measuring Cyber Literacy by the Numbers

Part of the problem is defining what it means to be cyber literate to begin with. Recently, a Tenable survey showed that, although virtually all respondents had heard about data breaches, many have failed to change their security habits. This could stem from ignorance, denial or a misunderstanding of their role in protecting data.

The survey also found that only about one-quarter of employees use multifactor authentication (MFA), and just one-third have reduced their use of open Wi-Fi hotspots as a result of stories describing security compromises. In addition, 45 percent of respondents use a personal identification number (PIN) to lock their laptops and other mobile devices, and 19 percent use some form of biometric tool, such as fingerprint or facial recognition.

This is alarming because most of these activities, like the cyber literacy discussion itself, have been around for decades. Given these results, what can security leaders do to promote improved cyber literacy across the user population?

Promoting Secure Behavior Across the Enterprise

First, you should practice what you preach and demonstrate how to use MFA for personal accounts, such as Facebook, Google and PayPal. All of them now implement MFA methods, and even if you don’t have MFA for any corporate apps, you should still use it personally and encourage others to do so as well.

Next, regularly remind users to update their apps, operating systems and browser versions, even on their home computers and phones. According to the survey, 13 percent of computer users wait more than a week to update the apps on their computer, while 3 percent wait a month and 5 percent fail to update at all. Enterprise update policies are certainly important, but you should also educate your users about the risks of having out-of-date equipment.

If your company doesn’t yet use password managers or single sign-on (SSO) tools, now is the time to implement them. These solutions can cut down on password reuse, which is often the best way for cybercriminals to infiltrate your networks. While we all have too many passwords to manage, automated tools such as these can help us stop relying on our insecure go-to passwords.

Transparency and Trust

These are all great starting points, but it takes more than technology to improve cybersecurity literacy. For example, one of the most important considerations is corporate culture. Security leaders should endeavor to make the company more accountable and transparent in its response to data breaches. Look to organizations that have had success in this area and use those examples to convince upper management to do the same. As part of this transparency effort, you should strive to take better care of your customer data in terms of how it is used, stored and accessed by your employees.

Finally, we need to examine how to establish more trust between the chief security officer (CSO), employees at every level of the company and top management. This comes down to building mutual trust with key stakeholders and fostering strong relationships with the right people.

By educating employees, acquiring the right tools to help them develop more secure habits, and imploring top leadership to increase accountability and transparency in their response to data breaches, security leaders can finally make progress in the decades-long effort to promote cyber literacy throughout the enterprise and across our increasingly connected digital world.
