Sunday, October 2, 2011

Maximum ROI on security awareness training? Move from awareness to ownership!


You may be unaware that October is Cybersecurity Awareness month (who knew?), since it is in competition with other major events striving to highlight their relevance as well. (National Apple month, Eye Safety prevention month, Photographer appreciation month, and National Liver Awareness month!)

Like most of the other campaigns celebrated and promoted during October, Cybersecurity Awareness hopes to promote just that: awareness. Yet the traditional thinking about employee training on issues like security, privacy, confidentiality, etc., has always been built around the same common premise: awareness. Training your staff amounts to basically making them 'aware' of the threats, on the theory that, as rational human beings, they will avoid risky behavior by deeming it not in their best interest. Unfortunately, the process of simply conveying the threats and risks of certain behavior, by (usually) transferring the knowledge that the InfoSec team possesses to average employees, hardly constitutes awareness, at least not in the sense that we expect it to be actionable on the part of the employee.

Though training has been well intentioned over the years, the constant blitz of threats and warnings by security experts has only, in my opinion, desensitized the average user to the real risks. Think about the old five-color-coded threat warning system that Homeland Security wisely abandoned in April of this year. We had the threat level at 'High' (orange) or 'Elevated' (yellow) all but once (and for only 14 days) in the entire nine years that the system was in place. During the 17 times it was raised and lowered back and forth between Orange and Yellow, do you recall ever changing your behavior commensurate with the risk rating? No. Why? Because though you may have absorbed the information IF you happened to be taking a flight during the color change, you assumed that the job of spotting and preventing terroristic activities was largely someone else's. The act of conveying awareness never reached an inflection point. And, again in my opinion, the really effective and efficient way to derive value from your training & awareness campaigns is to move from awareness to ownership.

Consider these two analogies that drive home my point: ownership of the privacy & security duty belongs to all employees, not just the InfoSec team and the Privacy Officer. RSA, the eminent security company, was hacked earlier this year by an attacker who may have made off with the crown jewels of the company; an event comparable to Coca-Cola losing its secret formula to a thief. How did it happen? A hacker sent emails to two small groups of employees that included an attachment titled "2011 Recruitment Plan." One employee opened the attachment and inadvertently introduced a virus inside the RSA network, which ultimately gave the hacker access to the most sensitive and valued data in the company, and in doing so enabled later attacks against RSA's customers. Now I am positive that RSA employees have been instructed to the nth degree not to open attachments from people they don't know, not to click on links to suspicious web sites, yada yada yada... But apparently this one employee (all it took) must have thought that "security is someone else's job", and "that's why we have anti-virus running on all our machines", and..... you get the idea.

Secondly, consider the act of littering. When you throw trash out of the window on an interstate highway, you rarely consider the implications to you or your immediate surroundings. The effect, if any, on your conscience is fleeting; you keep moving farther away, literally, from the moment and from any sense of ownership of the problem or a resolution. ("They have prisoners clean that trash up, don't they?") However, if you live in a small neighborhood, gated community, enclave, or a development with association fees, you suddenly feel the pain of trash and debris more acutely as it encroaches on your residential utopia. Your 'awareness' of the effect of trash in your neighborhood quickly turns into 'ownership' of the problem, since you are invested in the outcome more than you are in, say, a clean highway somewhere five states over. Soon you find yourself yelling at neighborhood kids to pick up after themselves...

Like technology itself, hackers and other bad guys have evolved as well. Firewalls and networks have improved to the point of diminishing returns on spending for those devices; the outer defense of the company has been reinforced enough that it is almost impossible to incrementally improve security by, say, adding another moat around the building. The real long-term, sustainable improvement comes via the employee. Humans have long been known to be the weakest link in the security chain, and the situation can only be improved through cognizant and mindful behavioral changes. Only through the evolution of awareness of the problem into ownership of the solution can we even begin to seriously make advancements in the holistic process of teaching employees right from wrong. We may never eliminate litter as a scourge, but we can get our employees to discover why they should not contribute to it, and make our company's stretch of highway the cleanest on the Interstate.