This guest blog post is authored by Anastasios Arampatzis
All companies have a built-in security culture. Sometimes this is a positive environment that promotes good security habits and never blames people for their mistakes. At other times, the environment is negative, leaving the organization open to increased risks and threats, both internal and external. Transforming security culture is an ever-lasting endeavour that may take time and resources, but the results are tremendous both for the company and its employees.
Most companies develop their awareness-raising activities focusing solely on educating their staff. But as more and more people choose to work from home for whatever reason – flexibility, or opting for a digital nomadic lifestyle – and work / home borders blur, families become an essential part of the organisational security culture.
“In sociological terms, the family is an important social unit,” notes Lisa Forte, Partner at Red Goat Cyber Security. With all family members being digitally active even from a younger age, it makes perfect sense to include families in your activities to raise security awareness. By keeping your family and your loved ones “safe at home”, you essentially promote “safety at work.” You show that you care not only about the success and profitability of your business, but also about your people and their families. And that is the best indication of a positive organisational culture.
“Companies that focus on awareness-raising for personal / family security help to influence a positive security mindset (both at home and at work) and show they care about their workforce as people, not just resources. I think that is why it is so powerful culturally, because it helps to reposition the security team from ‘the department of no’ to ‘the department that cares’,” Dr Jessica Barker told me the other day.
The benefits of engaging families in transforming your security culture
The importance of engaging your employees’ families in awareness-raising activities can only be understood by examining the benefits of this practice.
Create positive attitudes
Lance Spitzner, Senior Instructor at SANS Institute, explains that changing culture is about engaging people and creating positive attitudes, perceptions, and beliefs. Therefore, “when you involve families and how people can better secure their families, you are engaging them at a personal level, you are helping them! Not only are your employees far more likely to listen and engage, but they will have far more positive attitudes about cybersecurity and the security team!”
In fact, engaging families can have a positive ripple effect because people sometimes trust information from those they know more than from those in authority. This is even more important now that more and more people are at risk of being exploited online because of the pervasiveness of modern technology, social media, online gaming, and instant messaging apps.
Avoid falling for online scams
“Nowadays everyone is vulnerable as we’re all able to talk and be seen by anyone, anywhere, and within seconds,” says Jane Frankland, Founder of The Source. “So, the more people who know about security in a family the better. That way, family members are safer, and the odds of them falling for a scam, being defrauded, or being groomed by a paedophile lower.”
The last point is crucial, as scams on social media are increasing and becoming trickier. For example, WhatsApp’s Mum and Dad scam affects more and more people simply because scammers are playing into the emotional bonds between kids and their parents. At the same time, Instagram is a favourite platform for social engineers to lure their potential victims with fake investment schemes or fake giveaways and gifts.
Protect our families
The problem with addressing online harms and risks is that our brain is hardwired to better respond to “physical threats such as avoiding tigers lurking in bushes,” notes Lisa Forte. “Yet the dangers to our safety, security and privacy are largely now online.” Building a security culture that involves our families is the best way “to protect this precious social unit,” Lisa explains.
“Each generation in our families are exposed to slightly different online threats so it is important that we are given the tools and understanding to protect the entire family from the threats that are now out there.” This is even more essential as family and work have come closer together since many people opt for hybrid work. “If we get into the habit of employing good security hygiene at home we are more likely to bring that mindset into the workplace,” adds Lisa Forte.
Create a safer society
Sitting down together with family members to discuss these kinds of scams and risks creates a better understanding of the security environment, explains Fareedah Shaheed, Internet Safety Expert and CEO of Sekuva. The effect is enormous, not only for families, but also for our society. “More culturally aware security awareness campaigns, open and informative discussions on what security looks like in everyday life, and a greater understanding of security by society as a whole,” are among the benefits, explains Fareedah. “When we involve families in our security awareness efforts, we significantly expand our positive impact. And that’s no surprise because families are at the centre of any meaningful and lasting change we seek to make in society.”
However, the benefits of involving our families in security culture transformation activities and discussions can only be realised if we consider the social, mental, and cultural background of our audience. Families are the perfect setting for these kinds of discussions – family members share common stories, narratives, and experiences, making it easier to spread the message.
“At the end of the day, we are all human and working closely with families on their internet safety is the best reminder of it. And I firmly believe that if we do not build a security culture that involves families then we will never be able to truly protect ourselves and society from internet harm,” highlights Fareedah Shaheed.
Best practices for raising security awareness for the family
What is the best way of sharing security awareness with our families? Although each family is a unique organisation, with its distinct values and communication codes, there are some well-established practices to talk about security with your mum, dad, brother, sister, and grandparents.
Keep it simple and fun
“Keep security simple,” is Lance Spitzner’s advice. In other words, avoid using too much tech jargon that will make you sound like a Greek (😊). “Far too often we overwhelm people with huge lists of dos and don’ts. Focus on the three basics that represent the greatest risks - phishing attacks, strong passwords and MFA, and automatic updating. By keeping things as simple as possible, people are far more likely to act securely,” explains Lance. For example, when discussing phishing, a good idea, says Lance, is to “stay away from all the different methods used and instead focus on the most common emotional triggers these attacks share, regardless of modality.”
Besides keeping your messaging simple, another piece of advice is to “make it fun, relevant and be cautious not to scare them off,” Lisa Forte says. The goal is not to build technophobic behaviour but to “give them the skills to be safe and the confidence to use online services.” This is equally important for kids as well as for older generations.
The Socratic method
Another best practice is to use real-life incidents and trigger the discussion based on these examples. The outcome is wonderful, and you will be amazed at how much everyone can learn by simply asking questions. That is in essence the Socratic method, which can help all family members to further develop their critical thinking.
Jane Frankland uses this method with her children, as well as with elder members of her family like her mother. However, it is important to be able to share the new knowledge with all members of the local society. “We need to ensure we are building awareness at a base level and targeting vulnerable groups, for example the young and the old,” argues Jane. “When I discuss cybercrime, fraud, and online dangers with my family, what I’ve found useful is when questions are asked or comments are made, that can highlight vulnerabilities, which can be corrected.”
The message in the bottle
With so many communication channels available, it is a pity not to take advantage of them and reach a wider audience. Just as everyone is unique, your message should also be unique. It is a sign of empathy to be as inclusive and diversified as possible. Do not exclude anyone, because everyone can be vulnerable.
“Help family members understand the risks relevant to them,” says Lisa Forte. “Older members of our family are more likely to be targeted with scams aimed at stealing money. Whereas our children need to be careful of online predators, privacy issues and cyberbullying according to recent studies. Make the message relevant to the audience!” For this message to become truly effective, you should practice what you preach. “If I tell my family to use a password manager and then neglect to do it myself how well will my next piece of advice go down do you think?”, Forte wonders.
The best way to effectively communicate security to as many as possible is to “educate across numerous media channels so more generations learn about the dangers,” says Jane Frankland. “That means getting information and stories into magazines, newspapers, TV, and radio as well as onto platforms like Netflix, Spotify, YouTube, Instagram, TikTok and Snapchat.”
“People will never forget how you made them feel”
Fareedah Shaheed proposes an approach that is aligned to the words of the great Maya Angelou:
“People will forget what you said, people will forget what you did, but people will never forget how you made them feel.”
“Our words are extremely powerful. Every thought we have is followed by a feeling,” explains Fareedah. “The words we use to educate on security need to be inviting, positive, and empowering. This does not mean that we omit the very real and terrifying impacts of bad internet safety habits. But this does mean that when we explain the dangers of not being safe online that we are also empowering them with the knowledge, tools, and mindset to keep up their security consistently.”
The second step is to build intellectual safety. We must remember that our purpose is not to shine like the all-knowing professional; it is rather to connect with our people, step into their shoes and engage in a meaningful conversation. “If we need to correct a bad security habit, we should remember this phrase: ‘connection before correction’,” explains Fareedah. “Teach to create a conversation and not to lecture. The audience needs to understand that internet safety is a collective effort, and they have something of value to offer as we work to build a great security culture.”
By cultivating an environment of emotional and intellectual safety you “build trust with your audience by connecting as a human being first,” further elaborates Fareedah. “Everyone would feel comfortable to share their experiences, ideas, and opinions. Once they know you are on their side, it’s easier to have in-depth conversations and transformations.”
We need to start building a truly people-centric approach.
The guest author of this post, Anastasios Arampatzis, is a cyber security and data privacy enthusiast who works as a Content Writer for the IT Security Marketing Agency Bora - you can follow Anastasios on Twitter.