If it walks like a duck and quacks like a duck ...
Photographer: James Wainscoat

Last December, I had the opportunity to write an article for Computer Weekly on a cyber security lesson that I had learnt during 2021. You can find the article at the link below, where I talk about the challenges of running a cyber security awareness programme across multiple geographies and cultures:

Soon after, I was talking with the CEO of a major organisation and he asked about the need to have a level of theatrics to support the culture of cyber security within an organisation.

I found it an interesting observation, as a lot of effort in recent years has gone into making cyber security virtually invisible to end users so that it is not seen to be making their lives more difficult. But can we take that too far, so that employees forget the importance and sensitivity of the information they are working with?

Where do we start?

The first step of cyber security awareness, in my opinion, is to make it tangible to the individual. Unless we can relate cyber security to their daily lives, the messages just do not tend to stick.

Infographic from Cyber Crime Watch showing the types of personal data stored on a typical smartphone.


Infographics such as this one from Cyber Crime Watch can be a great way of starting the conversation and helping people to understand the breadth of how cyber security, privacy and data protection affect them every day.

From there you can then use analogies to link back to their working lives.

After all, unless you know what a duck looks like, how it walks and how it quacks, the analogy is not going to help at all!

But what about these theatrics?

Used appropriately, I believe these can help to embed the overall security culture mindset. But they must be proportional!

A simple example could be swipe-access doors: commonly, one person swipes in and everyone else follows behind. You might tell people not to "tail-gate", but you can bet many still do.

But if every individual has to swipe in (otherwise they cannot swipe back out of the office again), then that relatively simple change creates a mindset of a more secure physical environment, which must mean that it's protecting important information. Of course, it's important to explain the logic behind each person having to swipe, so that it's not just viewed as an inconvenience.

Cyber security awareness has developed substantially in the last decade and it's no longer just about making every user watch a video or undergo some computer-based training. Psychology is a key input into developing a successful programme that will develop and continue year after year.
