January 7, 2013 /
Do You Want People To Really Act On Security Messages? Listen First
Just when I thought I was turning the corner on Internet security awareness & cyber safety, along comes an eye-opening situation that hits so close to home that I am forced to rethink the road ahead - again.
The key questions that I’m reassessing as we head into 2013: Am I saying the right things about cybersecurity? Are the most important messages getting through? Are people (even the ones who know and like us) hearing what we say? Am I genuinely listening to them – first? Allow me to explain with a personal story.
My daughter Katherine and my wife Priscilla received new smartphones as gifts over the past few months. Without a doubt, they both love their new white, light-weight iPhone 5s. They had seemingly never-ending holiday conversations about their new devices - with Katherine showing her mom all of the wonderful features, functions and helpful apps. But that conversation is for another day.
This tale is about mobile device security – or lack thereof.
It all started when Katherine was in our kitchen trying to help her friend Carli with her new iPhone 5 that she also got for Christmas. Carli’s WiFi was not working properly.
(Note: Katherine has unofficially become the resident “expert” because she received her while iPhone 5 back in November as a birthday present.) She now knows everything there is to know about smartphones - kinda.
Katherine to Carli: “You turned off the 4-digit security PIN that I configured for you!”
(Dad, who was in an adjacent room, suddenly became interested in this unexpected security conversation and puts the magazine down.)
Carli to Katherine: “The screen lock is such a pain. And if I lose my iPhone, whoever finds it won’t be able to call me and return it.”
Katherine to Carli: “Yes, they can. There’s an app to find it. I showed you….”
Carli to Katherine: “But…, Mrs. Lohrmann, help – you told me you haven’t enabled a PIN for your iPhone either…. ”
Priscilla to Carli and Katherine: “You’re right. I haven’t enabled the PIN…. Yet. I’m not sure if it’s really needed or not. But don’t tell your dad, I’m still deciding….”
(Dad – who is listening in the other room – now enters the kitchen….)
Dad to all: “What did you just say?”
I’ll stop the rewind of this conversation at this point. I can tell you that, although everyone was in a good mood, laughing and polite, the “passionate discussion” continued for the next 10-minutes before Katherine and Carli were late and headed out the door. We all decided to continue the dialogue “later.”
But over the past week, I’ve been thinking quite a bit about that holiday interaction. My guess is that most readers can probably relate to a similar situation in their lives at either home or work.
After that conversation, I’ve started to reconsidered the effectiveness of what I personally say to family members about personal online security as well as what our enterprise messages are working (or not) for state employees.
Not that we haven’t been through this discussion before. Priscilla and I talk about online safety quite often as it relates to our children. We agree on the vast majority of steps we take with security on PCs, Internet access controls and filtering. It’s just that the conversation and examples keeps changing as technology evolves and the kids get older.
And my thoughts often move towards work, where the same concerns and questions apply. Yes, we’ve already reinvented awareness training for employees in the past year to focus on the new online challenges and mobile situations. We did listen to employees and heard that the old training was out of date, boring and irrelevant. But now I’m worried that we’re still not doing enough. Or, perhaps, we’re falling behind in our messaging – again.
Christmas Presents Showing Up at Work
It’s that time of year when technology Christmas presents start showing up at the office. With the advent of BYOD, telework, and mobile computing, our enterprises must once again pass the test of new “stuff” show showing up all over the place. This means our infrastructure and security teams rebuild architectures to ensure enough available Internet bandwidth and having hotspots to handle the load.
Meanwhile, we must think through, again, how staff will access data, keep personal information private and a host of other topics. Once we figure out what the IT organization will do and what the employees will do, we communicate with staff.
What Do We Do – and Say?
In response, we offer revised policies, compliance regulations, new awareness training and new approaches like testing whether employees click on bad links. Every little bit helps, but can we do more?
Stacy Collett, a writer for Computerworld, recently wrote an excellent piece with five techniques on: How to talk security so people will listen (and comply!) Here’s an excerpt:
“To be sure, employees are not involved in every type of corporate security breach (see Top 10 threat action types), but user behavior and non-compliance are implicated in many, including mobile malware, social network schemes and advanced target attacks. These are increasingly aimed not at CEOs and senior staffers, but at people in other job functions such as sales, HR, administration and media/public relations, as criminals try for ‘lower-hanging fruit,’ the Symantec report says.
Against such an onslaught, the stereotypical wall poster of security tips hanging in the breakroom is useless, says Julie Peeler, foundation director at the International Information Systems Security Certification Consortium -- also known as (ISC)² -- a global, non-profit organization that educates and certifies information security professionals. ‘Security training is not a one-time event. It has to be integrated throughout the entire organization, and it has to come from the top,’ she says.”
Veteran security pros will, of course, agree with Julie Peeler. For decades, we’ve been saying that good security encompasses everyone, everywhere, all the time. You never know where the next threat or incident or major attack is coming from.
So how do I plan to address this - today? My gut tells me that I need to start by looking in the mirror. Lead by my example. So what are my 2013 security resolutions?
- To keep watching and analyzing our state government culture
- To learn the new ways our people are using technology
- To listen to the business more
- To keep refining the security and privacy messages we are delivering to employees
- To offer enabling security that truly helps
Back at home, my daughter Katherine has enabled complex security on her smartphone. She’s become an ambassador to her friends and an ally in marketing key personal security messages.
Meanwhile, my wife Priscilla has agreed to hear again what Apple recommends for security, to discuss available options for her iPhone 5 and to do what’s best.
And I’ve agreed to listen - first.