A CISO's Guide to CyberSecurity Culture
The Odyssey of Cybersecurity Culture In the vast annals of history, tales of heroes and their epic voyages have captivated us. Today, our journey...
Heck, some of the biggest tech companies out today were created in the United States (Facebook, oh wait, right. "Meta", Alphabet/Google, yadda yadda). Thankfully, that same handful understands the importance of tech security, as well. But notice how I keep saying “handful.” Unfortunately, the average citizen doesn’t really want to grasp the severity and necessity of cyber security knowledge.
In our post-pandemic society, the usage of technology (i.e. the Internet, software, and personal devices) increased by over 100% from 2020 to 2021, a huge jump from the 40% increase in usage between 2018 and 2019. Because of this hefty increase, the incidence of phishing and scams, along with the lack of protection against them, has also skyrocketed, all because hackers and scammers are taking advantage of a crucial weakness in cyber protection: the refusal to learn.
Take, for example, this satirical look at how easy it is to gather personal information from the everyday American:
While it’s meant to be funny, it’s… kind of scary. Yes, this video was filmed in 2017, but it still highlights the dangers and simplicity of having our information taken from us by someone casually asking, as these same practices still occur to this day.
In today’s digital age, while companies like Google and Apple offer protection services, including algorithms that filter out scam e-mails and a stronger caller ID service, studies show that the rate at which cybercriminals succeed remains fairly high.
Across these studies, it is widely noted that while such attacks can easily be avoided, cybercriminals use tools to exploit the impatience and confusion the average citizen has around digital privacy, especially around the one thing we can all, as a nation, collectively agree to hate: the user agreement.
South Park characters saying "sign here"
In today’s day and age of streaming, ordering online, and delivery services, many criminals take advantage of the user agreement, sending, via text and/or e-mail, a counterfeit copy of an agreement from a service you’ve used many times before.
In a recent study by Security.org, over 1,000 participants were sent an “agreement” to join a study on understanding cybersecurity. The kicker? The agreement stated this:
Once these were sent back, 98% of users had signed the consent form, while only 2% caught the phony information.
During their survey, they collected the following information:
During the same survey, participants were presented with a quiz of general knowledge questions on data collection and privacy, with results averaging 54/100. Many (if not all) stated that they had not realized that tax information, payment information, and internet service provider (to name a few) are covered in the fine print of data collection and are usually sold and, in many cases, stolen.
While the user agreement is just one example of the lack of understanding of cybersecurity, the data paints a bigger picture of the dangers of the digital world and of how susceptible the average American is to getting caught in the phishing net (I had to do it!).
While we have generally focused on the average American and their devices, we also have to address a massive gap in awareness of office/remote life.
While this applies both to offices bringing their employees back in AND to offices adapting to remote work, the poor digital habits your employees follow at home can still rear their ugly heads in your business.
Cybercriminals bank on employees using remote and in-office networks for personal browsing, especially social media, which is almost certainly the case, given that such usage (as an escape) has tripled since 2021.
So the main question is: how are you helping your co-workers stay safe on all platforms, at all times, both on and off the clock?
Looking at the numbers can give an accurate impression of what needs to be improved, but let’s cut to the chase and address the elephant in the room: whatever we claim we’ve tried to accomplish over the past few years… it’s not enough.
Over 53% of organizations currently have awareness training in place (I use the word “training” lightly), so that’s roughly 1 in 2 companies (at the small-business level it drops to 1 in 4), and what that training teaches is rarely retained. If only a handful (callback!) of respondents have achieved the level of cybersecurity knowledge needed to correctly answer a few basic cybersecurity questions, can we really say we are doing things the right way?
Sure, employees need to be able to retain the information provided in cyber awareness training (which is why once a year and "one size fits no-one" training truly doesn’t cut it). However, there is more to ‘awareness’ than knowledge acquisition.
Here at the Cybermaniacs, we believe the only way to get from 2% to 100% is by focusing on positive human behavioral change, development of security-valued organizational culture, and personal values and perspectives.
This change of habits, skills, and mindset needs to happen at the personal level, for you, your family, and the associates you work with. It needs to change at the board level, with your suppliers and third-party providers. It needs to be part of your corporate and personal growth strategies.
Long story short: we do things differently. We’re confident we will win this fight against cybercrime and malicious hackers one heart and one inspired mind at a time. So maybe it takes something as crazy as puppets to do this. But hey, if a puppet is what it takes to get you and your employees to consider how quickly and how well we need to build new digital competencies, change risky online behaviors, and establish and nurture security-aware cultures at companies and communities all over the world, so be it.*
*Yes, our puppets love to use big words like that