See if you agree with this statement: Cybersecurity awareness is a continuing effort, not a month-long cram session.
Motivations to keep it going year-round are compelling.
In today’s connected environment, there are a large number of evolving cyber threats putting your organization at risk. At the same time, seemingly endless scams can financially impact your end-users and even your personal life.
There is something else, too: There is always something new to learn about cyber threats. This can rapidly overwhelm colleagues who might not be as familiar with Cybersecurity 101 practices.
If these things are true, how do we share information with others in a way that is proven to work and create a culture of security?
Alyssa Miller, Business Information Security Officer (BISO) for S&P Global Ratings, presented on the importance of threat modeling at the 2021 Women in CyberSecurity (WiCyS) conference, and the quote below is one that consistently rings true about education and collaboration to get ahead of security risks.
“I don’t care how you collaborate, what’s important is that you collaborate. Collaboration is where you get the value…. Maybe your [team/organization] doesn’t realize how critical a particular function is in terms of availability. Collaboration is what makes that happen.
These [insights] are the kinds of things we need to be capturing, but we can’t capture them in these crazy words like spoofing, tampering, and repudiation. Because we in security are the only people for whom those words have any meaning. It doesn’t do anybody else any good.”
In simple terms, not everyone can be a technical guru, so finding more approachable ways to make cybersecurity seem less intimidating will always be a winning strategy.
SecureWorld recently invited three experts on this topic to speak, and they broke down how their organizations built engaging campaigns to better promote cybersecurity awareness for the long haul, not just for today.
Using the outlined approaches also improved participation and reduced risk.
Our guests included: Cindy Liebes, Chief Program Officer for the Cybercrime Support Network; Jake Wilson, Security Awareness Evangelist for Western Governors University; and Gretel Egan, Senior Security Awareness and Training Strategist for Proofpoint.
The guests represent the private, non-profit, and education sectors, so there is sure to be helpful advice for everyone who tunes into the discussion, which is available on demand. Bonus: It may also be eligible for CPE credits for your certifications.
In this valuable SecureWorld Remote Sessions webcast, the hosts tackled many ways you can bring awareness to your organization and your life. The panel discussion delved into so many subjects that it would be impossible to fit them all into this post. It was also a lot of fun.
Here are some key highlights.
1. Keep it simple, make it matter
In short, people need to know why cybersecurity best practices matter.
Referring back to Alyssa Miller, collaboration is the value, so it’s important to point out not just the how but the why. What ideas do the people you are working with need to understand, how can you help them understand, and how do you explain, in plain English, why it is important for them to implement certain procedures?
Proofpoint’s Gretel Egan echoed this point, as well. She says that when people realize the cybersecurity skills they are learning are transferable life skills, they are more likely to find value.
“They [users] have to get a sense that this [training] isn’t just an exercise that is designed to deliver change that will never really matter to them. It’s just not the case. I talked in the beginning about cybersecurity skills being life skills. The more that you can make it clear to users that what you’re asking them to learn about is portable, is shareable, can make a significant change for the better in their life and the lives of the people that they care about.”
Cindy Liebes of the Cybercrime Support Network relayed some facts about why the topic of cybercrime is important, as well, which you can share with others to show why vigilance is critical.
“The impact of an online scam is devastating not only financially, but it’s devastating emotionally to the people or the organizations that are impacted. It’s said that one in four adults are impacted by cybercrime, and the FBI, in 2020, said over almost 800,000 people reported that they were the victims of a cybercrime, and also $4.2 billion of losses were reported.”
2. Release bite-sized, creative training experiences
In an effort to keep things simple, Egan also recommends creating small, three-minute videos because this makes training more manageable.
“Think about three minutes or less of a training assignment. So you’re focusing on a specific topic, and you’re delivering bite-sized training that really focuses the user on the conversation at hand….
It’s not just about pulling everyone in for an hour and talking about every possible cybersecurity problem that your organization faces and trying to fit that all into an hour. It’s really about spreading out the conversation, giving flexible, interesting information that people can access.”
3. Show colleagues, family members, and friends your knowledge
The more we can talk about cybersecurity, the more we can build security advocates.
“They [users] can share [knowledge] with their parents, they can share with younger children. That’s something that I actively do. I talk to my kids very regularly about cybersecurity, and I’m able to do that because of what I’ve learned,” said Egan.
Here’s some helpful knowledge: One of the most troubling statistics we see time and time again at SecureWorld is how low reporting of cybercrime is across the country. The reasons for that may vary. It could be fear, resignation that nothing will happen, or even that individuals or SMBs simply do not know how or where to report.
Liebes points out that annual cybercrime losses, including unreported crimes, could total $380 billion. It is important to share the value of reporting and how regular folks can take matters into their own hands.
“When you’re an individual, reporting to the FTC [Federal Trade Commission], the FBI, the State Attorney General’s Office is critical. You might say, ‘Why bother reporting? It’s really difficult to catch the person that did it. It’s very difficult to get my money back that well.’
Although by reporting, that’s how the FTC, that’s how the FBI, and that’s how the State Attorney General brings their law enforcement actions to find and stop those that are committing internet fraud. Reporting is also important so that you can see trends, that you can see what is happening when it’s happening. So, reporting is vital.”
Liebes ended on an encouraging note.
“I’m hoping all of you will agree to volunteer and to help make others secure.”
4. Make cybersecurity fun through games and voluntary events
People are more likely to participate if an event seems fun, not if it feels like more mandatory work.
Jake Wilson of Western Governors University is an advocate of finding creative ways, such as games, to up voluntary attendance.
“We [WGU] released games about phishing where they [users] could go in and drag and drop stuff. These interactive things, watching videos, are voluntary. You’d be surprised at the level of engagement that you’ll give your employees when you release stuff that’s just completely voluntary.
That’s going to help them not only in their organization, their organization server, but also in their personal life. So that’s one takeaway to start thinking about, and try not to make it required training in October.”
Egan also explains a fun way her organization is getting into the spirit of making cybersecurity less scary.
“We had done a campaign last year, I believe it was the Cybersecurity Backstage Pass, where we came up with a couple of fun little things where we changed the lyrics [of a song] into security-themed lyrics. So, something like a World Music Day that maybe you don’t think on the surface can be used to discuss cybersecurity, that does become something that’s interesting and humorous.”
According to both Wilson and Egan, promoting lesser-known cybersecurity social media holidays, like Data Privacy Day and Digital Spring Cleaning, can help boost interaction, too.
5. Take advantage of free resources
Creating your own content can feel like an overwhelming chore, and you may not have the bandwidth to do it. The good news is that you do not have to do it on your own.
Wilson says there are many ways to connect with free tools, even from major organizations.
“I know it’s not always fun to receive a bunch of newsletters from different organizations, but if you subscribe, don’t be surprised when they release Cyber Awareness Month toolkits, videos for free, template communications, free-to-use games where you could go out there and direct your employees to other sites, or something like that. So don’t be overwhelmed trying to create your own content.”
If you have read this far, you are already capitalizing on one of SecureWorld’s free resources: posts by the SecureWorld News team. Scroll to the bottom of this article and click on the “Security Awareness” topic tag for a long list of posts that can also help.
6. Tap associates and connections to host a special speaking event
Going back to the idea of free information, Wilson says you would be surprised how many people will offer their time to speak on topics they are passionate about.
“Now, one of the things that people automatically asked, ‘How am I going to host a virtual summit? I don’t even have a budget.’ We actually did that with a budget of zero dollars. There are a ton of speakers out there that are willing to come into your organization, talk to your employees about cybersecurity and various different topics, completely free of charge. Go out there and search LinkedIn, look at some of your contacts, and send them a note. See if they’re willing to do it.”
Our own Tom Bechtold, Digital Director for SecureWorld and host of this webinar, agrees that many cybersecurity leaders will volunteer for speaking engagements. The InfoSec community is extremely collaborative.
7. Save inspiring content all year long for events next time
Creating folders for your hot-button topics can make it a lot easier to rehash that material later, according to Wilson.
“What I always do is I save content throughout the year. I can go into my [saved] folders, and find our folder on social engineering. The list goes on and on and on. Ransomware. Every single thing you can think of, I can go in there right now [and find resources].”
8. Survey your people and focus on areas of cybersecurity weakness in your organization
Egan and Wilson both believe getting feedback through the use of surveys can be a good way to get a grasp on whether your employees are really understanding important subjects in cybersecurity.
“If you have the ability to survey the organization, how did they respond to what you did? Is there something that they would have liked to see that was not there? It’s also a great time to ask people how they feel about the security culture of the organization.
And what do I mean by different cultural segments? It’s about assessing knowledge about cybersecurity, certainly. But you also want to really take the temperature within your organization and figure out what do people really feel about cybersecurity?” said Egan.
Wilson says surveys can be successful when not overdone.
“I know everybody uses surveys. They are probably overused, honestly. But you know, if you’re not doing it all the time in your security awareness department, roll out a survey. Ask your employees if they need help with your mobile devices to figure out how to backup information, or if they need help with phishing.”
9. Try out an Ask Me Anything (AMA) or security office hours session
Wilson, who shared a lengthy list of different ways for outreach, discussed the idea of setting up a dedicated time for employees to ask questions, in online or in-person settings.
“Another thing that you can do within your organization to keep the conversation going, and I think this is super helpful for employees, is to have sessions where you can do an ‘Ask Me Anything.’ They have those types of sessions on Reddit and other social networking platforms where somebody will come on and go, ‘Alright, this is an AMA. Ask me anything.’
People come in and they ask questions, and you can do that within your organization. You don’t have to do it alone. Maybe partner with somebody else in the security department and partner with somebody in communications, or whoever you know, and have a dedicated time.”
Taking a conversation into a real-life gathering (if possible) puts a personal touch on a topic, as well.
“Most of the time, people don’t follow up with an email because that conversation is over,” said Wilson.
10. Join a networking circle, become a member at a non-profit, or volunteer to mentor and spread your wisdom
Continuing education is the foremost way SecureWorld’s audience mitigates threats, and that education does not have to be costly or require a long-term commitment of formal training.
Instead, becoming a member of a non-profit organization you are passionate about or volunteering to mentor a less experienced cybersecurity professional can help you grow, too.
Liebes shared extensive programming that her organization, the Cybercrime Support Network (CSN), has for individuals and what makes these kinds of organizations so powerful.
“We [CSN] recognize that we have to work in collaboration with others. With government entities, foundations, corporations, and other nonprofits to partner to fight cybercrime… working together is how we’re ultimately going to make individuals and small businesses safer online.”
Joining a network like hers, or the Advisory Council of your regional SecureWorld conference, can help.
Finally, here are a few great topics to kickstart your campaign or focus on if you are building a security awareness program from the ground up or need ideas. The SecureWorld panelists suggest the following:
• social engineering methods
• deep fakes
• data privacy
• social media safety
Remember: #BeCyberSmart and help others learn on their security journey!
[RESOURCES] Get involved with ongoing learning and networking in cybersecurity. Attend SecureWorld conferences, listen to The SecureWorld Sessions podcast, watch an upcoming SecureWorld webcast, and subscribe to our newsletter.
If you find our content is helping you, please share it out on social media and pass on the word.
Together, we can make cybersecurity awareness a year-long effort!