This article was written by Lisa Plaggemier, interim executive director, National Cyber Security Alliance.
There is no denying that the cybersecurity threat landscape is as frenzied and hectic as it has ever been. Dedicated security professionals everywhere work round the clock to stay one step ahead of the bad actors. We work with our organizations and employees to assess and prioritize risk, and spur them to prioritize security and take action. We’re doing a lot of things right, but are there areas where we can improve?
The cybersecurity industry, and the technology tools we create, can only do so much. We need to go beyond innovating with tools and tech and think about innovating with our outreach and communications beyond the security field. This means rethinking the way we engage with everyday people.
According to IBM, human error is a “major contributing cause” of a whopping 95% of breaches. Yet for years, the narrative around cybersecurity has been far too dense and inaccessible for most people. Cybersecurity is a collective effort. It’s important to highlight new dangers posed by ransomware-as-a-service groups or to explain a supply-chain attack. But without pairing technical know-how with practical protocols for everyday people to use at work, school or home, we will remain vulnerable.
So what can be done?
We need to trade in the age-old cybersecurity strategy of trying to scare the public into taking action. Yes, of course, cyberthreats can be unnerving, but instead of making people feel overwhelmed or helpless, we must rethink how we engage them. Only then can we turn the tables on bad actors. Here are a few ways we can supplant cyber-scare tactics with a more constructive approach to threats.
Take the cybersecurity discussion into the mainstream
Some organizations have feared that open discussion of cybersecurity successes and best practices could draw the attention of hackers and thus come back to bite them. But a reluctance to share best practices has done little to dissuade bad actors — as evidenced by the breach-centric news cycle over the last year. What if we brought cybersecurity best practices out into the open? For example, instead of relying on third-party sources or sifting through news reports around a high-profile breach to discern best practices, what if people could learn what they need to protect their information on an organization’s website or through an email newsletter? This would not only help empower people to take control of their cybersecurity hygiene, but give them peace of mind that responsible groups take cybersecurity seriously.
Standardization and zero-trust
Many cybersecurity best practices are actually simple for organizations to follow and for people to use. Yet, although time-tested steps like password strength rules are effective, there is very little standardization. From log-in to checkout, organizations have gone to great lengths to reduce the friction of the technology experience. Unfortunately, many of these steps also reduce friction for bad actors. The issue is compounded by the fact that many organizations still do not have a “zero-trust” cybersecurity framework in place to continuously vet the rights and privileges of each individual and device on its network. One answer is for businesses to embrace a zero-trust framework on a more universal level and supplement it with a standardized approach to cybersecurity — including mandatory MFA, minimum password requirements and other steps. Greater standardization will provide a much more secure and symbiotic cybersecurity experience, and one where both non-technical and technical staff can work together.
Establish security habits
The cybersecurity industry has done a great job underlining the consequences of a breach. Unfortunately, we haven’t done enough to explain the necessary action to prevent future attacks and breaches. The best way to do this is by establishing habits.
Like any skill, everyday cybersecurity is all about habit. When people leave their home or car, it is second nature to lock the door. Our homes and vehicles are much safer as a result. If every person got in the habit of using a password manager, the same thing would happen with cybersecurity. The problem is, we haven’t made password manager adoption and other simple steps second nature. Most people simply haven’t adopted basic digital security habits. We need to shift from scaring people into submission to guiding them toward constructive action, with regular reinforcement. A change in messaging is the best way to ensure that good cybersecurity habits are adopted by the public and that digital security moves from a secondary priority to a primary one.
Lisa Plaggemier is Interim Executive Director at the National Cyber Security Alliance. Lisa is a trailblazer in security awareness and education, and is a prominent security influencer with a proven track record of engaging and empowering businesses and their employees to protect themselves and their data.