Idiots All Around Me
I was debating whether to call this post “Will we ever secure ourselves against idiocy?”. However, online safety and keeping ourselves, loved ones and friends clued up on the tips on how to stay safe online seemed a little more appropriate.
Albert Einstein is largely credited (some say incorrectly) with the quote of “Insanity is doing the same thing over and over and expecting a different outcome”. Now whether he said this or not is not the point of this post, but rather, the intent of the quote itself (you see why I pondered the original title above).
Tried and Tested
I see “tried and tested” techniques of educating people in how to stay safe online focus mostly on trying to help users understand the threats and spot them before they fall foul of them. This approach for me doesn’t work as we are not trying to build more security experts. Yet I see time and again these approaches being rolled out in organisations and not eradicating the issue of human error (because we never will). If anything the statistics on the common denominator of attacks are growing in favour of the “human” being the favoured point of entry.
So back to Einstein, does this mean we are all idiots?
My counter is a resounding “NO!” (sorry for shouting). Does it also mean that we can be “secured” or (dare I say it as I despise the term) become a “human firewall” for our organisations? I think the answers to these are also “no” (not shouting here) and “really, you marketing f*ckwit” respectively.
So this should then pose a follow-on question: should we stop trying to achieve this “how to stay safe online” goal and just educate people about security to keep them “aware”?
The Tricky Bit
Now here is where the tricky bit comes in. If making someone “aware” is the goal, then I suppose you can crack on regardless without really tipping the needle (do what you’ve always done, get what you’ve always got) on what this is doing for your organisation or the user and their extended network. Doing it this way may provide a convert, who then becomes an advocate and is “immune” to future approaches, but it won’t necessarily mean a well-educated and motivated workforce.
What, though, if your goal is to change user behaviour of the wider set of your “awareness” targets and not only arm them with the skills to spot the threat and telltale signs of attacks, but also give them the “Spidey” sense to spot future ones of the same ilk? For this I think we’re gonna need a bigger boat (you don’t need a boat, and no prizes for guessing the film!).
What Can We Do?
So what can we do? Where can we take awareness to keep ourselves and others safer online? And where’s the coffee you promised?
Firstly, the cuppa and chocky bickies are for you to provide; I’m not made of Nespresso and McVities Chocolate Digestives, you know!
Secondly, what we can do is start engaging our users in the ways they enjoy learning and the approaches we use to help with this. This approach needs to be relevant to their role and organisational idioms and get them discussing the topics and content amongst their colleagues. Even better if you can transfer these topics to the home, as this allows the learning to be taught and discussed further outside the workplace so it can be ingrained in their wider life.
Thirdly, to change awareness and increase safety a behavioural change is needed, and here we must start to question the hype of marketing literature on the topic whose sole raison d’être is to shift more units/courses/subscriptions.
People aren’t stupid; we will always make mistakes, and we should stop thinking of ourselves as some form of security backstop when the expensive technology or fancy Six Sigma processes your organisation has purchased have let your company down (AGAIN!).
We are all only one click away from notoriety. We all have the capacity for falling foul of a well-structured email, text or other such clickbait approach. The attackers know this and they know that it is a simple anthropological output of being a human in a functioning society.
I started this post with a quote that is sometimes wrongly attributed and I will finish with one: PT Barnum is oft quoted as saying “there’s a sucker born every minute”. Whilst this is difficult to argue against based on the amount of human error involved in cyber attacks, surely it’s time to try a little harder to make the education of those “suckers” (I count myself as one too) more engaging and relevant so as to make online safety more about behavioural change and less about some cookie cutter content that is read/listened to and then forgotten instantly?
For examples of how we do this, sign up here for a free account on our platform, or this article on online safety for kids by Safety Net Kids is useful. And stay tuned for more blogs on how to stay safe online.