5 Ways to Get Users Thinking About Cybersecurity

essidsolutions

It’s no secret that 2020 has been a tough year for cybersecurity. The pandemic dramatically changed the attack surface, and with all the cyber threats out there, the one battle IT teams continue to lose is with end users who widely disregard security warnings. Here, CompTIA’s chief technology evangelist James Stanger explains how to make users part of the solution rather than part of the problem, with five ways to get your workers to pay more attention to security concerns.

Today’s cybercriminals have a particularly large attack surface to exploit. Sometimes they use a particular type of malware, ransomware. Other times they exploit misconfigured servers or conduct a Distributed Denial of Service (DDoS) attack. But in most cases, they go after the most common target: human beings.

1. The Most Common Cybersecurity Threats

When an attacker decides to go after a company, they will most often engage in social engineering. And usually, that means exploiting email. The vast majority of malware-based cyberattacks, by some estimates over 90%, are delivered through phishing email rather than through a technical exploit alone.

And that’s just malware. Today’s threat actors use email to go beyond malware delivery and engage in spear phishing and impersonation tactics such as business email compromise (BEC), where a forged or hijacked mailbox is used to redirect payments or data and no malware is needed at all. I’ve heard the same thing from security operations center (SOC) workers around the world.

Why? Because email remains the primary way that we communicate. Therefore, it’s the primary attack surface. Yes, attackers have turned their attention to additional services, including social media and instant messaging. But email remains the primary point of contact between attacker and worker.

It’s only logical, then, for IT professionals to learn how to talk to end users. After all, getting detailed, accurate information from the people who received the message, as quickly as possible, is what lets an organization respond effectively.

2. What is the End User’s Role in Cybersecurity?

End users can play two roles. They can either be part of the solution or part of the problem. Just today, I was talking with a cybersecurity professional from the United Kingdom. He works regularly with law enforcement in the City of Manchester, as well as officials in the British government. 

He put it very bluntly, saying, “If you don’t have good employee awareness of security, you’re never going to hire your way into being more secure.” 

I’ve also heard professionals state that not even the fanciest AI-enabled software can overcome the problems generated by untrained end-users.


3. How to Train Your End Users 

A critical step in managing an organization’s cybersecurity risk is an effective security awareness training program combined with better communication from IT professionals. Training alone is not enough; IT has to keep the conversation going between sessions. As a cybersecurity professional, it’s vital for you to talk to employees in a way they understand.

Here are a few tips for communicating with end users:

  • Put a face on cybersecurity: Don’t just let IT pros work behind the scenes. Have a designated person or group of people become the face of security in your communications. This will help employees see cybersecurity as less of a technical nuisance and more of a human concern.
  • Use shared experiences: Tell stories about how you were in similar situations. Employees will identify with them. Doing so builds a sense of camaraderie, which helps morale and makes people want to learn more about how they can help you.
  • Impart wisdom in brief snippets: You’ll never be able to explain everything all at once, and you shouldn’t even try. No one wants to read a long email that lectures them about technical steps, and few want to attend an hour-long security session. Break the information down in user-friendly pieces.
  • Conduct two-way conversations: It’s not enough to have IT and cybersecurity workers communicate one way to end users. Learning and communication have to be interactive, and they have to go both ways. Once employees see that a real dialog is happening, you will be amazed at how much their compliance with the security policy and cybersecurity best practices improves.
  • Change things up: Yes, it’s important to have written best practices always available for later reference. But communicate in multiple mediums. One organization created a series of short, 5-minute videos showing experienced cybersecurity folks talking with an end user about an essential practice in a low-key setting. Employees enjoyed the banter. Another organization holds 10-minute cyber town hall meetings, where IT pros and end users ask and answer questions. As you break up the message and change up your communication style, people will begin to learn.


4. Working With Individuals

The best thing IT pros can do when working with end users is to find ways to empathize with their situation. Most of the time, people will be quite upset that sensitive information has been compromised or that they are experiencing a problem.

Once you show understanding, it’ll be easier to learn essential details about the particular issue you’re investigating. I’ve found that typical courtesy – including explaining why you’re here and asking how they’re feeling – will always make people feel better. Doing so doesn’t take much time and will help everyone involved.

To put someone at ease, it can help to tell a story about yourself or point out that many other people have experienced similar issues. Sometimes, people who are victims of an attack fear they will receive a reprimand or even lose their job. Point to what your company’s security policy actually states; very rarely will a company blame an individual victim for a data breach, and a blameless approach to reporting is what gets you told about the next incident early instead of weeks later.

As you work to respond to an incident, find ways to communicate the next steps that you’re taking. Show them that your actions are policy-based and rely on industry best practices. 

Once people see that you’ve shown professionalism and empathy, you’ll find that it’s easy to work with them. Then you can begin to ask about their activities leading up to the problem. Open-ended questions (what did the message ask you to do, what happened after you opened the attachment) will get you an accurate account of what they were doing when the security problem occurred, rather than the yes-or-no answers a checklist produces.

5. Moving Forward With the Human Element of Cybersecurity

As organizations improve communication, they find that they reduce breaches because end users realize that information security isn’t just an abstract thing that is somebody else’s problem. Employees also realize that they are, in many ways, the first line of defense, ahead of the antivirus programs and firewalls rather than behind them. Any experienced professional will tell you that improving communication in a cybersecurity awareness program is the primary risk management step to take.
