From innocent phishing mishaps to malicious insiders, it is no secret that the human element is always going to be the most vulnerable part of any organization. You can spend exorbitant amounts of money and time implementing security tools and policies. However, it only takes one well-crafted social engineering attack to compromise your data. Of course, this is a very pared-down example. But it is not an uncommon one. The industry has responded by attempting to craft a cybersecurity culture, with solutions like security awareness training and UEBA. Depending on the maturity of your organization and the size of your team, these tools can be extremely effective. However, this is still treating a symptom, rather than the problem itself.
The Problem is Culture
From movies to security professionals, cybersecurity culture has a very distinct tone. Cyber attackers have always been portrayed as ambiguous dark hooded figures. Culturally, these hackers function as the cyber version of the boogeyman. When we talk about security, we use common scare tactics. It often plays out like a cyber hellfire and brimstone. In theory, scare tactics seem effective. They are accurate and memorable. But not everyone responds to fear – especially corporate fear.
Cybersecurity Culture Needs Realism
We need to make security more of a realistic notion for the general populace. As we learned with some of the recent social media data security controversy, a lot of users (at least in the US) do not necessarily know where their data goes. Rather than just corporate security awareness training, as professionals we need to be bringing cybersecurity culture into the home as well.
The cyber threat landscape is the new breeding ground for cold warfare. Cybersecurity truly is a public safety issue. We have seen weaponized social media posts, IoT devices turning into attack droids, and phones being hacked to see GPS locations. These issues are everyday occurrences. Therefore, we need to normalize the idea of security into our everyday culture, in exactly the same way we have normalized other safety issues. Take cars, for example. We saw cars were unsafe, so we added seat-belts. For the internet, we need a security-focused and educational mindset. This is especially the case with regard to new innovations within technology.
Cybersecurity Culture Belongs to Everyone
This is a call for the tech giants, as well as those of us who live and breathe this every day. With regard to the seat-belt example, it is ingrained in us that when we get in a car, the first thing we do is put on our seat-belt. Imagine if the first thing someone did when signing up for a new app was to enable MFA.
Rather than forcing security on people who do not understand the reasoning, take a few minutes to make it personal. A scary awareness video is insufficient. In contrast, cybersecurity should be an ongoing education.
Cybersecurity culture should not just be shadow figures and doomsday warnings. Just like anything else, the more we normalize this type of conversation, the easier it will be in the long run. As we advance technologically, these types of hurdles are going to have to be addressed. The more we equip the public with this knowledge now, the more efficient we will be in the future. The security market is only going to get more advanced. Of course, that means that the threat will also advance. And we will need all the help we can get.