February brings a flurry of cybersecurity awareness days. On February 1st, Change Your Password Day reminded us that using “Rover123!” for yet another online account is not an appropriate defence between ourselves and cyber criminals, while yesterday—Safer Internet Day—encouraged us to take positive steps toward protecting ourselves online.
But how long do these positive reminders last? I made a guest appearance on this week’s episode of the Security Visionaries podcast to argue that annual celebrations risk promoting a “do it today and forget it the next” approach to cyber hygiene. In reality, daily effort is required to produce a consistent and robust defence. So how can we promote a year-round cyber hygiene approach?
Make it the culture
Annual cybersecurity training is often used to comply with regulations and insurance requirements, but many employees mindlessly click through each screen without fully digesting the information. The week after, we do see positive behaviour shoot up: fewer dodgy links are clicked, and even data loss protection (DLP) alerts quiet down. However, all too soon security teams return to the base level of data breach risk they were handling before the annual training.
Cyber awareness is more effective when incorporated into daily company culture and treated like a business initiative, not just a security initiative. It may sound excessively basic and analogue, but positioning useful information in the form of posters by the coffee maker, or even as desktop backgrounds, can really help people see and recall security messages (make sure to change them regularly or they will become part of the background and no longer be noticed). Business leaders (not only security leaders) should be adding weight to the importance of good cyber hygiene; consider how you can make discussions around it part of your day-to-day business processes. Here at Netskope, we give out quarterly awards to individuals who have reported cyber concerns, something led by the CEO in partnership with the CISO to really drive home the strategic importance of this.
Make it personalised
To encourage lasting behavioural change, cyber awareness initiatives that are relevant to the actual situations the company is facing, with real risk scenarios, are much easier to understand. On a similar level, implementing automatic real-time user coaching that appears, for example, at the exact moment an employee triggers a DLP alert helps put risks into context as they happen. This way, an employee can work with real-time guidance and develop better cyber understanding and safer behaviour in the long term.
Training (and the examples used in training) usually focuses on the benefits to the organisation. Think much more broadly and appeal to the person, not just the employee. Chances are, if a person learns how their own (and their family’s) data could be in jeopardy, training retention will be greater in the long term.
Make it zero trust
So far, so tactical, but day-to-day cyber hygiene is so much easier if you have built your security architectures using zero trust principles. Regardless of employee awareness, businesses should assume it is likely that a breach will occur.
By following a zero trust approach when designing security processes, every employee should be operating with the least amount of access they need to complete their job. This means that even if an attacker does gain access to their digital identity (because they insisted on Rover123!), the adversary will be limited in what they can achieve. If an organisation limits the permission to pool and exfiltrate sensitive data to a strict handful of employees who require it in their role, the chances of an attacker carrying out a successful attack are greatly reduced.
“Continually adaptive trust,” a model that bases access permissions on multiple streams of behavioural data that are continuously changing, ensures everyone can complete their work safely. Here, everything is taken into account: location, behavioural trends, data type, device, identity, activity, application and more, to ensure that permissions can adapt constantly to maintain the highest levels of security.
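To make the two ideas above concrete, here is a small added example (constructed for this post, not Netskope’s engine or any product code) of a policy evaluator that applies least-privilege entitlements first and then scores the request on the signals listed above (device, location, behavioural trend, data type, activity). The roles, thresholds and weights are assumptions chosen for illustration; the point is that the decision is recomputed for every request rather than fixed at login, and that a risky but entitled action gets real-time coaching instead of a silent allow.

```python
from dataclasses import dataclass

@dataclass
class AccessRequest:
    identity: str
    role: str
    device_managed: bool       # corporate-managed device or not
    location: str              # "office", "home" or "unknown"
    application: str
    activity: str              # "view", "download" or "share_external"
    data_class: str            # "public", "internal" or "confidential"
    anomalous_behaviour: bool  # flag assumed to come from upstream behavioural analytics

# Least privilege: explicit (activity, data_class) entitlements per role; anything
# not listed is denied regardless of context. Roles are hypothetical.
ROLE_ENTITLEMENTS = {
    "analyst": {("view", "internal"), ("download", "internal"), ("view", "confidential")},
    "finance": {("view", "internal"), ("view", "confidential"), ("download", "confidential")},
}
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2}
MOVES_DATA = {"download", "share_external"}

def risk_score(req: AccessRequest) -> int:
    """Combine the continuously changing signals into one score (weights are assumptions)."""
    score = SENSITIVITY[req.data_class] + (1 if req.activity in MOVES_DATA else 0)
    score += 0 if req.device_managed else 2
    score += {"office": 0, "home": 1}.get(req.location, 2)   # unknown location scores highest
    score += 3 if req.anomalous_behaviour else 0
    return score

def evaluate(req: AccessRequest) -> tuple[str, str]:
    """Return (decision, message); decision is allow, allow_with_coaching, step_up or deny."""
    entitled = (req.activity, req.data_class) in ROLE_ENTITLEMENTS.get(req.role, set())
    if req.data_class != "public" and not entitled:
        return "deny", f"role {req.role} is not entitled to {req.activity} {req.data_class} data"
    score = risk_score(req)
    if score >= 7:
        return "deny", f"risk score {score} too high for this context"
    if score >= 5:
        return "step_up", f"risk score {score}: re-authenticate before continuing"
    if req.activity in MOVES_DATA and SENSITIVITY[req.data_class] >= 1:
        # Entitled and low risk, but still a DLP-relevant action: coach in the moment.
        return "allow_with_coaching", (f"You are about to {req.activity} {req.data_class} "
                                       f"data from {req.application}; confirm it is needed.")
    return "allow", "ok"
```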
Ultimately, we’re grateful for our yearly reminders to be more cyber aware, but we’re also in need of a daily cultural shift toward greater online safety. Positive cyber hygiene should be both an objective in designing security architectures and a daily habit (not just on Safer Internet Day). Only then can we live safer internet lives.
For more tips and tricks, tune into the latest episode of the Security Visionaries podcast.