Wannacry and NotPetya are two recent security events that also became top news stories. I would say that these serve as wake up calls, but the reality is that we have had wake-up calls before, and people hit the snooze button.
In the past we had incidents like Heartbleed, Chernobyl and I Love You that all became household names. You would think that people would have become aware of the importance of anti-malware and patching systems. And then there were the major data breaches, like Target and OPM, which should have created improvements in overall security programs. Clearly, though, Wannacry and NotPetya have proven that lessons have gone unlearned.
While a large part of the blame is on corporate IT teams, there is still substantial work security awareness programs can do to reduce risk. There is, in fact, tremendous opportunity created by these devastating attacks.
Whenever a major attack becomes a top news headline, security programs should obviously examine if they are vulnerable to the attack or otherwise impacted. At the same time, or very quickly after, they should consider what the users are hearing and what they want them to take away from the headlines.
With this in mind, you need to ask yourself the following questions to figure out how to take advantage of the misfortunes of others to improve your users’ behaviors.
1. Is the narrative wrong?
When you look at the information available to the public, you need to consider whether it is accurate. It can either give people a false sense of security or create a sense of fear that creates inaction. You need to understand how your users perceive the attack so you can figure out if you need to change their understanding or further it.
2. How does it impact users?
Before you take any actions, you need to determine how users are impacted by the events. Are they at risk? Are there actions they need to take? Is there a lesson to be learned? Does it impact the users at home or work? Does it impact their family?
3. Does the information make people believe that the issue does not impact them?
Whether or not an issue or attack does impact users, you need to figure out if they believe that the issue has any impact on them. If they do not, they will ignore what might be an important event, or at least ignore any awareness efforts you put forward that relate to the issue.
4. What do you want people to know about the attacks?
Whether or not the incident involves enterprise IT specifically or is purely a user-related incident, there is always a lesson to impart to users. For example, even though Heartbleed involved server fixes and users could do nothing to fix the situation, it was a great opportunity to demonstrate the importance of regular password changes. In a similar vein, Wannacry was a great opportunity to tell users about the importance of applying patches to their home and work computers. There is always a lesson to be learned, whether it affects them directly or not.
Putting it to use
Once you have the points you want to focus on, you then have to determine the best way to promote those points. There are three steps to changing user behavior: Make them aware of the problem, make them aware of the solution to the problem, and motivate them to implement the solution. Motivation is the most critical step.
When you have an incident of some form that is a news headline, it is providing more motivation than you can hope for. Rarely do news stories focus on the simple solutions. They focus on the scary problem. That is incredible motivation that you need to build upon.
It is then time to figure out what communication methods are available to you and will be the most effective. As the news reports are timely and likely short lived, it is important to reach out as quickly as possible. If there are common landing pages on intranets, you should consider making use of them. If there are newsletters that are actually read by users, attempt to get content into them. If people will read email blasts, try to send out such a blast.
The goal is to improve user awareness and, ultimately, change user behavior by taking advantage of the hype created by security related events. Every security awareness program should be proactive in making the most out of learning opportunities with focused efforts that provide motivation, especially when those opportunities are being promoted by the news media. It’s time to stop hitting the snooze button on these wake-up calls.