The issue of cyber literacy as a way to improve defenses against future attacks has received a lot of attention lately. This notion isn’t exactly new: A 1994 article from The New York Times mentioned the need to promote cyber literacy, quoting then-Wired editor Kevin Kelly, who spoke of “a different kind of literacy based on a melange of digital information.”
What is new, however, is how a business might implement the specifics of a literacy program and determine who exactly will be on the receiving end of this effort. Tripwire noted that educating executives about cybersecurity can help companies prepare for a potential security breach. While that may be true, there is a bigger issue at stake — namely, our end users’ cybersecurity knowledge and practices.
Measuring Cyber Literacy by the Numbers
Part of the problem is defining what it means to be cyber literate to begin with. Recently, a Tenable survey showed that, although virtually all respondents had heard about data breaches, many have failed to change their security habits. This could stem from ignorance, denial or a misunderstanding of their role in protecting data.
The survey also found that only about one-quarter of employees use multifactor authentication (MFA), and just one-third have reduced their use of open Wi-Fi hotspots as a result of stories describing security compromises. In addition, 45 percent of respondents use a personal identification number (PIN) to lock their laptops and other mobile devices, and 19 percent use some form of biometric tools such as fingerprint or facial recognition.
This is alarming because most of these activities, like the cyber literacy discussion itself, have been around for decades. Given these results, what can security leaders do to promote improved cyber literacy across the user population?
Promoting Secure Behavior Across the Enterprise
First, you should practice what you preach and demonstrate how to use MFA for personal accounts, such as Facebook, Google and Paypal. All of them now implement MFA methods, and even if you don’t have it for any corporate apps, you should still use MFA personally and encourage others to do so as well.
Next, regularly remind users to update their apps, operating systems and browser versions, even on their home computers and phones. According to the survey, 13 percent of computer users wait more than a week to update the apps on their computer, while 3 percent wait a month and 5 percent fail to update at all. Enterprise update policies are certainly important, but you should also educate your users about the risks of having out-of-date equipment.
If your company doesn’t yet use password managers or single sign-on (SSO) tools, now is the time to implement them. These solutions can cut down on password reuse, which is often the best way for cybercriminals to infiltrate your networks. While we all have too many passwords to manage, automated tools such as these can help us stop relying on our insecure go-to passwords.
Transparency and Trust
These are all great starting points, but it takes more than technology to improve cybersecurity literacy. For example, one of the most important considerations is corporate culture. Security leaders should endeavor to make the company more accountable and transparent in its response to data breaches. Look to organizations that have had success in this area and use those examples to convince upper management to do the same. As part of this transparency effort, you should strive to take better care of your customer data in terms of how it is used, stored and accessed by your employees.
Finally, we need to examine how to establish more trust between the chief security officer (CSO), employees at every level of the company and top management. This comes down to building mutual trust with key stakeholders and fostering strong relationships with the right people.
By educating employees, acquiring the right tools to help them develop more secure habits, and imploring top leadership to increase accountability and transparency in their response to data breaches, security leaders can finally make progress in the decades-long effort to promote cyber literacy throughout the enterprise and across our increasingly connected digital world.