How Companies Can Talk More Effectively About Cybersecurity

COVID-19
Internal
The Pilot
Uncategorized
Pilot

By Steve Weber and Jim Wyderko

Over one Exabyte. That’s how much data is now stored globally on the cloud. That’s over 1 billion Gigabytes – for reference, in 2003, technologists at UC Berkeley estimated the total words spoken by humans since the dawn of time to be 5 Exabytes. These quintillion bytes of data contain healthcare records, financial information and pictures of our pets. And that doesn’t even account for the corporate and government systems that run our electric grids, water supply and other crucial parts of our infrastructure. Data is king in our world, and we desperately need to take its defense seriously.

Cybersecurity is now the master problem of the digital era. Data losses causing customer information to be sold on the dark web, breaches that destabilize entire energy grids – the list of world altering incidents and potential for future havoc is mind bogglingly anxiety inducing. 

So then why – even as stories of breaches and hacks continue to saturate the news seemingly each week – is it still so remarkably hard for most of the population to understand the potential consequences of such dangerous attacks on critical digital infrastructure? To the average person, the issue seems overly technical and complicated. And more statistics on real-life data breaches and fear-inducing headlines about theoretical future disasters, don’t seem to be making much of a difference at all. 

While yes, some of the impending threats are due to the technological hardware and processes we have in place, much of it also comes down to the behavior of individuals. A state of the art security system is no match for an overworked employee who unknowingly leaves a digital backdoor open through a carelessly simple password or a misplaced notepad. 

Unfortunately, there’s no easy solution to the limitless potential of negligent human behavior. 

Most cybersecurity specialists know that humans are the weakest link, and that changing human behavior is the hardest part of the cyber equation. But there’s really no alternative. This also means that one doesn’t need a substantial background in cybersecurity to understand the core of the issue or to help work towards a solution – in fact, those individuals may be best equipped to solve it. 

To change human behavior in this setting is partly about figuring out the most effective incentives – rewards for digital mindfulness and (possibly) sanctions for careless behavior. But all the incentives in the world won’t overcome lack of understanding, and even more so, lack of motivation. 

It’s becoming ever more apparent that cybersecurity is actually a communications problem. Organizations need to be better at explaining the issue to their employees and customers, helping them understand what they can do to make things better, and why they really do need to be an active participant in the defense of digital infrastructure. 

We all depend on each other for digital security, and we owe it to our mutual digital wellbeing to start talking like it. My weak password hygiene puts me personally at risk for sure, but if your contact information is in my database, it also puts you — my friend, family member, neighbor, or colleague — at risk. It can put my employer or even my government at risk.  

People can be selfish, but people also care about the people and communities around them. When we protect our houses from fire risk, we are thinking about our houses, but also our neighbors’ houses. The same interdependent mindset needs to be established for cybersecurity.

So how can companies get better at explaining this to their employees and customers?

Here’s what we know that doesn’t work:

  • Naming and shaming. We’ve seen communications approaches that attempt to humorously shame people for using “12345” or “password” as their password. While those passwords are definitely not the strongest, even the most technologically sophisticated people do dumb security things sometimes. Shaming isn’t grounded in mutual understanding and compassion.
  • Overly technical details. Some in the tech world still think this is an information problem. But trying to explain to people in meticulous detail how a “phishing attack can give access to admin or root privileges,” or “allow an attacker lateral movement across a network” is not as practical or productive as some might think. Yes, it’s educational, but it doesn’t do much to improve front end behavior. It’s like trying to get someone to change their diet, by forcing them to study the biochemistry of cholesterol metabolism. It might work for a few people, but for most, it’s excessive and maybe even counterproductive.  

Here’s what might work better: 

  • Keep it simple:  Name the modest and doable steps that people can take to move the needle. Break it down into bite sized chunks, and incremental steps – the same way you’d advise someone to change a long time habit.  Because that’s exactly what cybersecurity hygiene is – a bunch of (bad) habits that need to become (good) habits. Those who have successfully kicked a bad habit know that it takes conscious effort at the beginning and then soon becomes second nature.
  • Appeal to the community interest as well as the individual interest. As with vaccines, we should think of practicing good digital hygiene not only to protect ourselves, but also to protect our family, friends and community – and they need to do the same for you.
  • Show the upside difference you can make. Rather than fear mongering by focusing on shadowy bad actors who can do damage, give people a sense of the positive change that becomes possible when we engage in better security practices. Think about how drug ads are less about how horrible a diseased pancreas or a colon with cancer looks and more about the joys of life you can experience with a healthy pancreas and a healthy colon. It may seem cheesy at first, but upside promises do work, and the upsides of a safe and healthy digital ecosystem will be compelling for most people.

Again, this is just one (albeit, very important) piece of the puzzle. Our world still needs better tech, better incentives, better laws and regulations, and better strategy to fully combat malicious attacks on our digital infrastructure and information. Those will come in time and will surely make a positive impact. But, better communication is something we can all do right now. It’s something we can all participate in and make a meaningful contribution to. It’s something organizations can all start taking seriously now, so that when those additional pieces fall in place, our society will already have a comprehensive digital defense mindset. We owe it to ourselves, our community and the crucial safety of our pet photos to do so. 

Want to stay updated on the latest insights from BWS?