Adopting a New Security Behaviour in 3 Foolproof Steps
October is National Cyber Security Awareness Month or #NCSAM as it’s known on Twitter. Twitter showcased many pics and tweets of awareness sessions and there are hundreds of links to helpful documents.
Now October is nearly over, and #NCSAM won’t be trending, if it ever was, until next year. So what has it achieved? Did it actually raise awareness?
To those questions I can answer ‘Yes!’. More people have awareness of cyber, and – thanks to organisations such as GetSafeOnline who put on events throughout the month – more people know how to access help online.
But what were we hoping for it to achieve? Just to raise awareness, or something more?
Adopting Secure Behaviours
Well, for us at Layer 8 Ltd it’s always about adopting secure behaviours; I mean, that’s what we really want, isn’t it? For us, our family, our business and our economy to be protected from those malicious attacks, those scammers? And that will only happen when we adopt secure behaviours.
When we talk about adopting new behaviours with our clients we use a very simple 3 step approach:
Step 1 – You have to understand why you should care about changing behaviour
I’m an habitual creature, so I need to know why I should care enough to change my behaviour. Telling people not to leave their screens unlocked isn’t enough, and sending an email isn’t enough. But having a conversation with a small group of people, who take a few moments to consider the consequences of an unattended, unlocked screen for the business and the individual, will do it.
Step 2 – Make changing behaviour easy
The best and easiest way to change behaviours is to follow a clear procedure:
- Choose one behaviour you want to change and make sure everyone knows what it is.
- Explain what change means: we are all going to make sure that every time we leave our desks we will lock our screens.
- Make sure everyone knows how to do it.
- Set a goal: we will do this for a week and review it.
- Get everyone to support everyone else by reminding them if they leave their screen unlocked.
- Keep it light, make it fun, have a competition…
Step 3 – Make everyone a winner
Once the deadline is reached, review the progress. Get people to talk about how it felt to be a protector of the business; consider the impact the new behaviour has had upon clients; publicise the ‘win’ and start planning your next change.
“When individuals become aware that how they choose to perceive and how they talk about their lives shapes their experience and their environment then they are empowered to take responsibility for creating their reality anew.” Developing Security Culture: 8 practical principles for effective change
Processes Will Change Behaviour – Lists Won’t
Lists of security best practice tips, whilst obviously beneficial, seem too abstract, too distant to prompt action. Sometimes the lists are endless, and it is easy to excuse the reader for thinking, ‘yeah I know I should do that, but I’ll just risk it’.
As security professionals we need to put aside our desire to ‘fix’ behaviours as we might do from a technology point of view, where we apply some new software or patch, and hey-presto the change penetrates through the whole system. People are not like that: we take a slower start, and we need to be convinced. But start in the right way and the change can be limitless. And unlike a computer program, we don’t need to be ‘patched’ when the attack vector changes.
“Enhance my ability to think and therefore enhance my ability to respond.”
Here are a few behaviours you, or your company, could try to kick start change. Remember, only start with 1!
- Don’t let anyone you don’t know tailgate you into the building or any part of the building.
- Don’t care who asks – even if it’s IT – you’re not sharing your password with anyone.
- Maintain daily shredding of defunct documents.
- Keep the photocopy room clear.
- Remove all Post-its containing passwords from screens.
Layer 8 Ltd are committed to empowering individuals to protect their families and their business online. For more practical principles view our White Paper – Developing Security Culture: 8 practical principles for change.