Wannacry and NotPetya are two recent security events that also became top news stories. I would say that these serve as wake-up calls, but the reality is that we have had wake-up calls before, and people hit the snooze button.
In the past we had incidents like Heartbleed, Chernobyl and I Love You that all became household names. You would think that people would have become aware of the importance of anti-malware and patching systems. And then there were the major data breaches, like Target and OPM, which should have created improvements in overall security programs. Clearly, though, Wannacry and NotPetya have proven that lessons have gone unlearned.
While a large part of the blame is on corporate IT teams, there is still substantial work security awareness programs can do to reduce risk. There is, in fact, tremendous opportunity created by these devastating attacks.
Whenever a major attack becomes a top news headline, security programs should obviously examine whether they are vulnerable to the attack or otherwise impacted. At the same time, or very soon after, they should consider what the users are hearing and what they want them to take away from the headlines.
With this in mind, you need to ask yourself the following questions to figure out how to take advantage of the misfortunes of others to improve your users’ behaviors.
1. Is the narrative wrong?
When you look at the information available to the public, you need to consider whether it is accurate. Inaccurate information can either give people a false sense of security or create a sense of fear that leads to inaction. You need to understand how your users perceive the attack so you can figure out whether you need to change their understanding or build on it.
2. How does it impact users?
Before you take any actions, you need to determine how users are impacted by the events. Are they at risk? Are there actions they need to take? Is there a lesson to be learned? Does it impact the users at home or work? Does it impact their family?
3. Does the information make people believe that the issue does not impact them?
Whether or not an issue or attack does impact users, you need to figure out if they believe that the issue has any impact on them. If they do not, they will ignore what might be an important event, or at least ignore any awareness efforts you put forward that relate to the issue.
4. What do you want people to know about the attacks?
Whether or not the incident involves enterprise IT specifically or is purely a user-related incident, there is always a lesson to impart to users. For example, even though Heartbleed involved server fixes and users could do nothing to fix the situation, it was a great opportunity to demonstrate the importance of regular password changes. In a similar vein, Wannacry was a great opportunity to tell users about the importance of applying patches to their home and work computers. There is always a lesson to be learned, whether it affects them directly or not.