[BreachExchange] Reaching the cybersecurity tipping point

[Audrey McNeil]

http://www.networkworld.com/article/3171733/security/
reaching-the-cybersecurity-tipping-point.html

Remember that moment when you really committed yourself to solid security
and privacy practices? The moment when you committed to never clicking on a
link you weren’t sure about, to always checking for badges on people coming
in the door, to always using your password manager to create a complex
password? If you do, you reached your “cybersecurity tipping point.”

For many, that moment has not yet come. And if you are reading this
article, it might be your job to get your employees to hit that point. And
you already know that the hard part is figuring out how.

It’d be great if we could schedule the tipping point for our employees.
Maybe we’d put it at the end of our annual training, right when they click
to acknowledge their acceptance of policies.

But humans don’t work that way. Every person hits their tipping point based
on different prompts. In his book The Tipping Point, Malcolm Gladwell
explained just how complicated it is to figure out how ideas or social
movements reach a tipping point—let alone to figure out how to engineer a
tipping point in the behavior of employees in your organization.

How to get employees to hit their cybersecurity tipping point

Complicated, yes, but not impossible. Case in point: last month’s
celebration of Data Privacy Day, when a couple people in my company hit
their cybersecurity tipping point. Here’s how it went down:

I arrived at work early and planted a file folder with (bogus) personal
information in an upstairs conference room and a USB drive containing the
same bogus data in the downstairs print room. I then sent out an all-hands
email inviting people to celebrate Data Privacy Day by watching our video
on incident reporting.

Then I waited.

And waited. I wanted to see if anyone would find the documents and report
them. By noon, no one had, so I sent out a note to everyone that ended like
this:

"So folks, I planted two potential sources of privacy violation in plain
view today, before you all arrived, and no one has reported anything yet.
So keep your eyes out, and report any issues you see right away. There may
be a little something in it for you."

Then it got fun. Within about 10 minutes, our copy editor was at my door
with the USB drive.

“Did you plug it into your computer?” I asked.

“Heck no,” she said.

“Right on!” I replied, handing her a $25 Amazon gift card.

Hot on her tail were two guys from marketing who had found the file folder
earlier in the day but had not gotten around to reporting it until just
now. They got a hearty thanks and a small consolation prize.

But it didn’t stop there. Two guys from biz dev came down:

“Hey, what about this document marked confidential we found on the printer?”

Bingo!

An accounts payable person ran into me in the hall: She loved the video.
And one of our salesmen ribbed me: “I finally got why you’re always harping
on the things like Privacy Day and Security Awareness week.”

That’s right! Basically, all over the office, people had conversations
about the kinds of data that should get reported, who to report it to, and
what to do if the data wasn’t sensitive but shouldn’t be floating around.

Moving towards their cybersecurity tipping point

Nothing “went viral.” I don’t have any hard evidence that anyone hit a
cybersecurity tipping point. But I believe we made some progress, and I’d
encourage you to recognize the important role that special days like this
play in building overall awareness in your population. They don’t even have
to be special days; they can just be informal, mundane activities that open
people’s eyes to the role that data protection plays in running your
business.

You’ll never create a risk-aware culture by releasing annual training; you
won’t even get there with quarterly training. You can’t schedule anybody’s
cybersecurity tipping point, and no one has yet figured out how to make a
video “go viral.” But if you consciously plan to create moments that engage
people’s thinking about security and privacy throughout the year—and if you
weave them into the very fabric of your culture—you stand a good chance of
making data protection one of the central values of your company.

So let me ask you, how are you creating the conditions that lead your
employees toward their cybersecurity tipping point?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170222/e83222ba/attachment.html>