Tailoring the Cybersecurity Message for Small Orgs, Residents

Cybersecurity guidance needs to be designed so small organizations can easily identify next steps to take, and awareness campaigns should put practices into language layfolk can understand, experts say.

Cybersecurity takes a whole-of-society approach, and ensuring that everyone is part of the journey relies on having a communication strategy that meets small organizations and everyday residents where they’re at, said speakers at a recent Institute for Security and Technology (IST) special event on ransomware.


There’s plenty of cybersecurity advice swirling about — perhaps too much. Organizations can get easily overwhelmed by all the different advice and regulatory frameworks, leaving them at a loss as to where to start their improvement efforts, said Phyllis Lee, senior director of Controls at the Center for Internet Security (CIS).

There’s an element of realism and practicality that needs to be part of these conversations:

“In the real world, we know that almost no organizations are actually patching every single vulnerability everywhere in the environment,” said Eric Goldstein, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA).

Players in the space therefore need to help entities set priorities. CISA aims to do this in part through its catalog of Known Exploited Vulnerabilities, which lists which vulnerabilities, out of all those disclosed, it is actually seeing malicious actors take advantage of, so organizations don’t get lost trying to tackle everything.
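The prioritization the KEV catalog is meant to enable is a join: take whatever a vulnerability scanner reports and rank the findings that appear in the catalog ahead of everything else, with ransomware-linked entries and overdue remediation deadlines first. The script below is an added example, not code from CISA or the article. The catalog text and scanner rows are constructed inline with placeholder CVE ids; the catalog field names (cveID, dueDate, knownRansomwareCampaignUse, and so on) follow the layout of the published CISA KEV JSON feed, and the scanner output format is assumed.

```python
"""Rank scanner findings against a KEV-style catalog (added example, not CISA code)."""
import json
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed sample in the layout of the CISA KEV JSON feed. CVE ids are placeholders.
KEV_FEED_JSON = """
{
  "title": "CONSTRUCTED sample in the KEV feed layout",
  "catalogVersion": "0000.00.00",
  "count": 2,
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "ExampleVPN",
     "vulnerabilityName": "ExampleVPN Authentication Bypass", "dateAdded": "2022-01-10",
     "shortDescription": "placeholder", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2022-01-24", "knownRansomwareCampaignUse": "Known", "notes": ""},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "ExampleCMS",
     "vulnerabilityName": "ExampleCMS Remote Code Execution", "dateAdded": "2022-02-15",
     "shortDescription": "placeholder", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2022-03-01", "knownRansomwareCampaignUse": "Unknown", "notes": ""}
  ]
}
"""

# Constructed output of a hypothetical scanner: one row per host/CVE pair with a CVSS score.
SCAN_FINDINGS = [
    {"host": "mail01", "cve": "CVE-0000-0003", "cvss": 9.8},  # critical, but not in KEV
    {"host": "vpn01", "cve": "CVE-0000-0001", "cvss": 7.5},   # KEV, ransomware-linked, overdue
    {"host": "web02", "cve": "CVE-0000-0002", "cvss": 6.5},   # KEV, deadline still ahead
    {"host": "db01", "cve": "CVE-0000-0004", "cvss": 5.3},
]

TODAY = date(2022, 2, 1)  # constructed reference date so the example is deterministic
TIER_RANK = {"kev-ransomware": 0, "kev": 1, "not-in-kev": 2}


@dataclass
class Prioritized:
    host: str
    cve: str
    cvss: float
    tier: str
    due: Optional[date]          # KEV remediation deadline, if the CVE is listed
    days_to_due: Optional[int]   # negative means the deadline has already passed


def load_kev(feed_text: str) -> Dict[str, dict]:
    """Index a KEV-format feed by CVE id for O(1) lookup during the join."""
    return {v["cveID"]: v for v in json.loads(feed_text)["vulnerabilities"]}


def prioritize(findings: List[dict], kev: Dict[str, dict], today: date = TODAY) -> List[Prioritized]:
    """Tag each finding with its KEV tier and sort: KEV (ransomware first) by due date, then the rest by CVSS."""
    ranked = []
    for f in findings:
        entry = kev.get(f["cve"])
        if entry is None:
            tier, due = "not-in-kev", None
        elif entry.get("knownRansomwareCampaignUse") == "Known":
            tier, due = "kev-ransomware", date.fromisoformat(entry["dueDate"])
        else:
            tier, due = "kev", date.fromisoformat(entry["dueDate"])
        days = (due - today).days if due else None
        ranked.append(Prioritized(f["host"], f["cve"], f["cvss"], tier, due, days))
    # Catalog membership outranks raw severity; within a tier the earliest deadline wins,
    # and CVSS only orders the long tail that is not in the catalog.
    ranked.sort(key=lambda p: (TIER_RANK[p.tier], p.due or date.max, -p.cvss))
    return ranked


def overdue(ranked: List[Prioritized]) -> List[Prioritized]:
    """Findings whose KEV deadline has passed; these are the first conversation with the asset owner."""
    return [p for p in ranked if p.days_to_due is not None and p.days_to_due < 0]


if __name__ == "__main__":
    for p in prioritize(SCAN_FINDINGS, load_kev(KEV_FEED_JSON)):
        print(f"{p.tier:15} {p.host:7} {p.cve}  cvss={p.cvss}  due={p.due}  days_to_due={p.days_to_due}")
```

Note that the CVSS 9.8 finding lands third: the ordering deliberately puts confirmed in-the-wild exploitation ahead of theoretical severity, which is the point Goldstein makes about not trying to patch everything everywhere.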

CIS also aims to help organizations identify the cybersecurity controls that will give them the most bang for their buck. Last October, it released new guidance called Implementation Group 1 (IG1). This guideline outlines core cyber hygiene steps that are low-cost to implement but still make a difference against many of the techniques used in ransomware attacks and other top threats. Organizations with more resources and a greater need for security can step it up by adopting the additional steps outlined in its Implementation Groups 2 and 3.

And basic steps can carry a lot of weight.

“Most of the time, [the bad guys] are using really basic tools and techniques that have been used over and over and over again,” said Cyber Threat Alliance President and CEO Michael Daniel.

He and Lee both said it’s important to remind organizations that any steps they take to improve their cyber defenses matter and not to feel like it’s hopeless if they can’t adopt all the recommendations in one go.


The cybersecurity community also needs to ensure that it’s reaching audiences beyond those likely to turn up to a cybersecurity conference, said Goldstein. This is an issue that impacts everyone and getting all ears may mean bringing cybersecurity conversations to non-cyber industry conferences as well as spreading word through local media, he said.

Daniel also recommended reaching out to organizations that particular audiences already work with, such as chambers of commerce to reach small businesses or bar associations to reach legal groups.

Government agencies also want to improve how they talk to residents, who can reduce risks if they know how to stay safe.

“One of the most important things we can do is help the American people build resilience,” said CISA Director Jen Easterly.

When trying to connect with layfolk, it’s essential to break out of using buzzwords and jargon to instead offer clear, easy-to-follow explanations, Easterly said.

“If you’re speaking nerd-speak to the American people — for example, ‘multifactor authentication,’ — their eyes glaze over,” Easterly said.

There’s a simpler, more effective way of getting across the same idea, she said: “Really, at the end of the day it’s ‘more than a password.’”


Asking users to adopt more secure behaviors is only part of the challenge. National Cyber Director Chris Inglis has previously urged those who create technology to design their offerings to be more secure and to shift more of the security responsibility and risk off of the small entities and individuals using the tools and onto their own shoulders.

Palo Alto Networks Vice President of Public Sector John Davis saw cybersecurity as an area requiring new efforts from both end users and those who provide them tools. Security practitioners and end users may fail to realize just how important it is to follow low-cost cybersecurity basics like changing passwords on a recurring basis, regularly updating systems and adopting multifactor authentication, he said, and suggested a national awareness campaign could be part of the effort to change this.

But Davis also said that technology companies have work to do, too, because the tools they offer can be hard to use well. Users today are working with a vast array of technologies, and often need to juggle a variety of security solutions that each protect one aspect of the environment and which aren’t designed to integrate with each other.

“Cybersecurity technologies are becoming more difficult to understand and harder to use,” Davis said.

Tech firms that design their offerings with customers’ safety in mind can blunt the impact of insecure user habits. Many cyber attackers make use of leaked, stolen or easy-to-crack passwords, and Easterly praised efforts by members of the FIDO Alliance to make passwordless login methods. That organization aims to develop and promote alternate methods of authentication.

“We want to move in that direction, so we make it easy on consumers to just be able to seamlessly protect themselves,” she said.

Jule Pattison-Gordon is a staff writer for Government Technology. She previously wrote for PYMNTS and The Bay State Banner, and holds a B.A. in creative writing from Carnegie Mellon. She’s based outside Boston.