It’s October, it’s Cybersecurity Awareness Month (CSAM), and with it the annual deluge of articles about phishing, passwords, protecting personal data and such like that will be hitting your inboxes very soon (if they have not already landed). The underlying message behind CSAM is the need to be cyber-vigilant and to educate the recipient on the dangers lurking in cyberspace.
It’s an incredibly important message. But I suspect that some of you, like me, may be fatigued at receiving what appear to be the same messages year after year. In fact, if you look back 10 years at the CSAM campaigns on StopThinkConnect.org, a joint government and industry initiative, you will notice they are close to identical to the 2022 campaign messages – use strong and unique passwords, check links before clicking … These are all are great messages and wise advice, both then and today (and I am positive they have an effect), but it’s clear that the issue is not being resolved, and so I can’t help asking:
Should we be looking to move the message to a ‘place’ that makes it an automatic human reaction?
Making the message stick
Hidden dangers, such as those on the internet, are often difficult to appreciate without some form of visualization. Take, for example, road safety: if there was no visualization – cars whizzing past you when you want to cross the road or no car wrecks left on the side of the road – then it could be challenging to teach someone road safety as a pedestrian or a driver.
Even when the danger is visual, shock tactics are often needed to reinforce the message and make sure it’s understood and heard. An example, sticking to the road safety topic, is the UK’s internationally recognized THINK! campaign, and to a certain degree even the 1975 Green Cross Code campaign. The THINK! campaign produced notable results in reducing issues related to drink driving, young driver safety and such like. How? By using shocking visualizations of the consequences; for example, a body through a windscreen due to the lack of seatbelt wearing.
The type of cyber-incidents that CSAM typically focuses on lack visual consequences by nature. Yet, the effects of suffering a cyber-incident can be devastating, especially on a personal level, and there is likely to be one consistent issue: a degradation in the mental health of the victim. Whether the issue is trolling, cyberbullying, fraud, identity theft, grooming, credential theft, or one of the many other variants of cyberthreats, there are likely to be consequences – mental health consequences that are hidden from visual identification.
For example, many victims of romance scams are extremely embarrassed to admit they’ve been duped. Yet in reality, talking to friends and family could be valuable on the path to dealing with the issue and recovering. A similar feeling may apply when someone clicks a phishing link and gives away their login credentials or personal information – there is likely to be a feeling of ‘how stupid was I!’.
Inculcating good cybersecurity habits
Safety as a default mindset, such as road safety, comes by instilling the consequences and understanding the dangers from a very early age, using guidance that is repetitive and comes from multiple sources.
Imagine the scenario where, by default, no one clicks a link in an email without hovering over it and visually inspecting the address, or the scenario where just a password is unacceptable and stronger authentication is always sought out and turned on. To achieve this level of instinctive protection, the habit would need to be taught and continually reinforced at an early age – in the same way a parent, and a wider circle of people, teach a child to cross the road.
The technology revolution that my generation, Generation X, has encountered has been life changing in nearly every aspect of living. We have seen the introduction of technology that has truly changed the way we communicate, behave, work, etc. Importantly, we have seen technology mature with safety and security mechanisms being added, and an evolution of cybersecurity – and unfortunately, also an evolution of cyberthreats.
As a generation, we could never have been taught certain elements of online safety by default, as the issue did not exist. However, this does not mean we should not educate the next generation to have the core default instincts and skills.
Run a Google search for ‘kids online safety’ and you will be awash with boundless amounts of content that discusses cyberbullying, inappropriate content, self-harm, identity theft, and many more important topics. Now search for the number one cyberthreat – it’s phishing, with stats claiming that 90% of cyber-incidents start with a phishing attack.
As someone who talks about cybersecurity to many businesses, I can confirm with high confidence that this is the number one issue for companies in regard to cybersecurity. If any of you have been mandated to take cybersecurity awareness training, then you will know a large section of this revolves around the identification of a phishing email and how to spot fraudulent links and avoid clicking on them.
If we want to solve the number one cybersecurity issue for businesses, then we need to have a generation on its path to the workplace that have a default mechanism instilled in them that stops them from just clicking on a link or handing over their credentials. A reaction where they immediately understand the danger, have a visualization of it, and take a safe approach.
To achieve this dream where phishing no longer exists, with no one ever being duped, would require a sea change in the use of technology at an early age, and in how we guide kids and what they are taught as a core fundamental skill.