Keeping Security Awareness Relevant

There is a tried-and-true principle that helps guide a successful cybersecurity awareness program – until something matters to someone personally, they will never change. This speaks to an important part of all security awareness efforts – answering the question: why should they care? That’s why there is an ongoing need to keep your cybersecurity awareness program RELEVANT to the individuals in your organization.

Part 2 of this series: Keeping Security Awareness Relevant.

Practical Ways to Keep Your Program Relevant:

  • Make it personal. Tie all security awareness communiques to their personal application for the individuals in your organization.
  • Give people what they need to be successful. Don’t just tell them scary stories or things not to do. Provide practical, actionable guidance on what they can do in the face of ever-changing security threats.
  • Use current events – without driving fear. The news (industry-specific, regional, national, and international) is full of current events that can help drive awareness of the need for good security hygiene. The challenge is not to “scare people straight” with the information, but rather relate it to why security best practices should be on people’s mind as they do their job and live their lives.
  • Audience your message. Not everything matters to everyone the same way. Along these lines, consider who should send the message. Not everyone listens to the same people the same way.
  • Get testimonials and stories from your organization. This brings the message of security awareness closer to home and closer to front of mind. 
  • Use specific stories that are relevant to organizations and their personnel. While some generic security guidance is helpful, tailoring the messages and information to organizations and their personnel gets their attention more quickly. 
  • Empower your people to respond. Remind them that EVERYONE is part of the organization’s security effort. Remind them regularly who to call, who to email, and what to do in the event of an incident or a security-related question. 
  • Deal with resistance. Invariably, there will be pushback on participation in a cybersecurity awareness program. This is most noticeable when you are asking people to DO something (like attend an event or consume learning content). Keep in mind that resistance is not bad. It is an indication of something. Listen to them and ask why.
  • FINALLY, the pièce de résistance. Give them practical tips and useful information to help them in their personal lives. Give them advice for their home, travel, family, and finances. Give them best practices for protecting their identity and the things that matter in their lives. This will win the hearts of your people and not just the minds.

Next will be the final in the 3-Part series – Part 3: Keeping Security Awareness Sustainable.

Reminder: If you need help getting your security awareness efforts off the ground or achieving all three goals with your cybersecurity awareness program mentioned in this series, we’re here to help.

About the Author

Kenny Leckie

Alterity | Senior Technology & Change Management Consultant

In his role as Senior Technology and Change Management Consultant, Kenny provides thought leadership and consulting to the community in areas of information security/cybersecurity awareness, change management, user adoption, adult learning, employee engagement, professional development, and business strategy. He also works with clients to develop and deploy customized programs with an emphasis on user adoption and increased return on investment. Kenny is a Prosci Certified Change Practitioner, a Certified Technical Trainer and has earned the trust of organizations across the US, Canada, the UK, Europe and Australia.

Kenny has more than thirty years of combined experience as a Chief Information Officer, Manager of Support & Training, and now a consultant, providing him a unique point of view and understanding of the challenges of introducing change in organizations. He combines his years of experience with a strategic approach to help clients implement programs that allow focus on the business while minimizing risk to confidential, protected, and sensitive information. Kenny is an author and speaker and a winner of ILTA’s 2018 Innovative Consultant of the Year.

Keeping Security Awareness Sustainable

A good and effective Cybersecurity Awareness Program is not a ‘set it and forget it’ kind of thing. It takes constant care and feeding. If it is important to the organization (and it is), to our clients (and it is), and to our people (and it must), then planning for its sustainability is critical.

Part 3 of this series: Keeping Security Awareness Sustainable.

Practical Ways to Keep Your Program Sustainable:

Let’s remind ourselves of the big picture of the Cybersecurity Awareness Program journey.

  • Stay the course. Don’t stop just because something doesn’t work as you expected.
  • The cybersecurity awareness program MUST be agreed to and modeled by LEADERSHIP. 
  • EQUIP Leadership (at all levels) to be successful in supporting Security Awareness.
  • Bake it into Onboarding. Start a new hire off with an understanding of the importance of security and security awareness at this organization.
  • Keep the tone POSITIVE. There’s only so much negative that people can take. Even negative stories/issues can reinforce the positive actions and awareness people need.
  • Deweaponize your Cybersecurity Awareness Program. If your program just catches people doing the wrong thing or just emphasizes what not to do, it will sour quickly in the minds of your people. 
  • Be mindful of who sends the message. It can’t just be the IT Department. Here are some suggestions:
    • Use multiple voices to get the message out.
    • Leverage top executives for messages or information that is organization-wide or strategic in nature.
    • Leverage direct supervisors to get more specific information to individuals on how this impacts them in their day-to-day work.
    • Use peer-to-peer messaging. It’s always good to hear from the “normal people” in the organization. People will often listen to their peers before they listen to IT or leadership.
    • Use outside experts to assist in your efforts. Sometimes, it takes an outside voice to get someone’s attention.
  • CLEARLY and REGULARLY state: Who to call/email; What to do if you have questions; What to do in the face of…
  • Use your metrics wisely.
    • What you do with metrics matters. Measure security awareness-related activities that show or measure changes in behavior (statistical and anecdotal). 
    • Continue to gather them. Metrics give you opportunities to tie changes in the program to trends in behaviors of your people.
  • Cadence is important. Security Awareness information can’t be a “once a year” thing. A sustainable program creates an environment that expects a steady flow of useful security information, education, and guidance. 
  • Leverage multiple learning opportunities or avenues:
    • On-demand content
    • Monthly topical emphases
    • Live Events
    • Be prepared to distribute “In the moment” communications and educational opportunities in the face of an incident that occurred, a new “Threat in the wild” for people to be aware of, or a testimonial of an organization or client event.
  • Invest in the program. It can’t be fully automated and requires time, attention, and resources.
    • Ask how big of a team the organization can afford or cannot afford.  
    • Know that you can’t do it all yourself.
    • Provide around-the-clock response.
    • Outsource elements of the program if needed.

Security Awareness is essential in today’s world. People are the target and the primary starting point for security incidents. Invest in a program that is Engaging, Relevant, and Sustainable. 


Keeping Security Awareness Engaging

There is no ‘one size fits all’ approach to Security Awareness. Since people are involved, it remains an ongoing challenge, but a worthy one. Not everyone is alike or cares about the same things, so it takes a multi-pronged, concerted effort, and a commitment to the journey to keep the program Engaging, Relevant, and Sustainable.

Part 1 of this series: Keeping Security Awareness Engaging.

Let’s start with a big picture reminder of the Cybersecurity Awareness Program journey.

Notice that I’m calling this a PROGRAM… not a project. There is a difference. This journey has no foreseeable end but has a meaningful impact on the organization. It takes effort, considered thought, and a willingness to adjust as things change to keep the PROGRAM vibrant and meaningful.

Now let’s get into some practical ways to keep your PROGRAM Engaging.

Practical Ways to Keep Your Program Engaging:

  • Engage THEM (the people in your organization). It seems like a simple start, but don’t assume you know what matters to them or what they are facing. In the words of Stephen Covey, ‘Seek first to understand, then to be understood.’ Here are some practical ways to engage the people in your organization:
    • Engage each group and role in the organization. 
    • LISTEN with the intent to understand the issues each group faces and what matters to them.
    • Meet them where they are by joining or being a part of existing groups and meetings. Don’t make them come to you. 
    • If you are not allowed to join some meetings, engage the leaders of each group to ASK them for information. Perhaps they may also be willing to convey questions or issues to the group and bring back feedback to you. 
    • Gather lessons learned, explanations, and opinions from people. Examples of feedback from staff at an organization:
      • Keep it short (less than 15 minutes). 
      • We don’t read more than the first line or so of a paragraph (so adjust your communications accordingly).
    • Educate your team to also LISTEN differently to information from people in the organization.
      • Example: a Helpdesk staff member noted and complained that someone had asked them a Gmail security question. In fact, THIS IS GOOD. It means the caller was asking about a security hygiene issue and best practices. This was a teaching moment for the Helpdesk staff.
  • Start from a place of trust
    • The goal is NOT to catch people doing wrong. Don’t set traps and weaponize the results.
    • Always convey that the goal of the program is to raise people’s security awareness and acumen, not send them to detention. If people think you are out to catch them making mistakes, they will stop listening.
    • Your users want to do the right thing. Ask yourself, “how can you help?”
    • Learn how to tell a negative story about your organization in a positive way.
      • Things happen. Be open and transparent when addressing issues that the organization experiences.
      • How you respond to an incident carries a lot of weight both inside and outside the organization.
      • Reuse and leverage the story to promote good security best practices.
  • Delivery / Engagement Tips:
    • Keep regular messaging short, concise, and consistent.
    • Remember the “Rule of 5-7” – people need to hear something 5-7 times before they realize they should pay attention. There’s more than just one way of communicating. Email is not your only avenue.
    • Keep the messages immersive, but not disruptive – meaning get to the point and move on. People need to know three things: why they should care, what they need to know, and what they need to do. 
    • Think “Yes, AND …”: there is no “one size fits all” approach.
    • Equip Leadership – Help Leadership be successful in supporting Security Awareness by giving them talking points, notifying them of Security Awareness activities ahead of time, etc.
    • Always look for creative ideas. Don’t think it all rests on your creativity.
      • Crowd source from your organization.
      • Ask peers.
      • Leverage industry groups.
      • Don’t be afraid to ask for help (Marketing Department, trusted business partners, etc.).
    • Some Additional Ideas to keep people engaged:
      • Drawings / raffles
      • Steady flow of practical tips for home and personal security
      • Make it a part of the organization’s HR review process
      • Tie it to the organization’s and individual’s ethical behavior

Next in the series will be Part 2: Keeping Security Awareness Relevant followed by Part 3: Keeping Security Awareness Sustainable. If you need help getting your security awareness efforts off the ground or achieving all three of the above-mentioned goals with your security awareness program, we’re here to help.

The Perfect Password: 5 Easy Tips

What steps are you taking to protect data—both personal and work-related—more efficiently? One of the best ways to put cybersecurity first is by developing strong passwords and better security habits. Your passwords are your first and best defense against threat actors. Here are some tips you can implement today!

1. Status: It is Complicated

Think of your favorite heist movie. For this piece, we are thinking of The Italian Job. In it, Charlize Theron plays the team’s safecracker. She used several tools and skills to guess the combination to the safe, switching and turning the dial until she found the right sequence of numbers to get inside. Our passwords are like the combination on a safe. The more complicated the combination, the longer it will take Charlize Theron to get in, or in this case, a threat actor. Check out the chart below.

It looks like a lot, but we are here to break it all down for you!

A simple password may be easy to remember, but it also shortens the time it takes to guess the right “combination.” If you can use more than just numbers, such as varying letter cases and characters, it will take longer for threat actors to crack the code. So, that is your first tip: keep it complicated, not simple.

2. Case by Case

If you find it hard to keep track of numbers for your passwords, consider using upper- and lowercase letters. This is not a foolproof plan, but it can make the threat actors’ efforts more challenging. Regardless, you should update your passwords regularly. Just a heads up: relying on upper- and lowercase letters alone may require you to do so more often.

3. The Numbers do not Lie

If you have started adding upper- and lowercase letters to your passwords, rethink how you can use numbers, too. Try to avoid any numbers that are important to you, like adding your birthday or an anniversary at the end of your password.

4. A Character’s Good Reputation

Now that you have a few security boosters in your passwords, consider using more characters, such as @, #, $, %, !, and more. They are all waiting at the top of your keyboard to add an extra layer of defense to your passwords. Special characters are powerhouses when it comes to building strong passwords.

5. Phrasing!

Finally, bring all these strategies together. You can use any combination of letter cases, numbers, and special characters to spell out one word, or you can get really creative and create a “passphrase.” A passphrase is a short sentence composed of all the elements covered above. Phrases such as 13@kEm0re8reaD or j0G1m!le are examples of passphrases. They can be reminders, goals, or items from your to-do list. While passphrases stand above the rest, make sure they are not too obvious or relevant to your personal life, such as specific hobbies, favorite movies, or loved ones.

YOU HAVE CRACKED THE PASSWORD CODE!

By creating strong passwords, you are going the extra mile to put cybersecurity best practices first. The more complicated the better—just make sure you leave no physical reminders behind, and that you update your passwords regularly. Multi-factor authentication (or MFA) is another excellent feature you can apply to your devices. When you start implementing safe and modern password best practices into your day-to-day life, you protect your organization, your data, and yourself!

You can learn more about cybersecurity practices and management by checking out our cybersecurity awareness program! 

Tips to Protect Data When You Travel

Getting ready to take a trip? As you prepare your packing list, take a minute to add one more crucial item that you simply can’t leave home without: data security.

According to experts, holidays and long weekends are prime times for threat actors to execute all kinds of malware attacks—everything from ransomware to social engineering, phishing, and beyond. That’s because long weekends and holidays give hackers more time to corrupt files and devices before anyone can respond, or even notice. Here are some tips to help keep your personal and professional data safe as you plan your next getaway.

1. “Password Protected”

Be sure your mobile devices are safe and secure. Disable lock screen notifications and enable multi-factor authentication so that you—and only you!—have access to your data. You can also apply these authentication measures to your more sensitive accounts like banking and travel booking websites. If you must bring work on the road, consider asking your organization to provide a loaner device for travel, especially if you’re concerned about data security. Don’t leave home without outfitting your devices with remote-wipe features. That way, if you do bring your personal device, you’ll have a backup plan in case it’s stolen or compromised.

2. “You Are an Island”

It may take a few extra steps, but bringing backup power supplies for your batteries and devices means you can depend on yourself, not your surroundings, to keep your devices going. This also means your belongings are always close to you, instead of plugged into a wall at the airport or the quirky coffee shop you found. If you don’t have backup power supplies, research where you’re going and find secure spots along the way. Make sure all your devices are charged before you leave and only use them when necessary. Don’t connect your devices to other unknown devices, such as that free USB drive you picked up at the airport kiosk—this is an easy way for threat actors to send malware to you.

3. “The Public Eye”

While you’re traveling, you may be tempted to visit the business center of your hotel to check your emails or log in to the Wi-Fi connection at the bookstore you found. Most of these connections are generally secure, but watch out for the word “public” when it comes to Wi-Fi channels. A public connection is always a security red flag because everyone can access it, which means the wrong person in the business center at the right time could really sabotage your trip. Try to avoid these kinds of connections altogether, or take the necessary steps and use extreme caution if you decide to use them.

4. “Home Sweet Home”

Traveling is great, but it also can be a rush to come home. You want to share your adventures and relive the journey you just experienced. Naturally, you want to get online and start posting pictures and seeing friends. But wait—now that you are home, take a few minutes to change those PINs and passwords. Even if you took good care of your data and devices while you were away, there’s a chance someone picked up your login information. It never hurts to give yourself that extra layer of protection.

Everyone deserves time away to relax and rejuvenate. Let’s use it as a launching pad for a day at the beach, not a data breach!