Lead by Knowledge, Not Fear
The headlines seem to come at us constantly, one announcement of a significant data breach after another. The wording of these headlines is often jarring and frequently followed by exclamation points to emphasize the “seriousness” of the breach. The latest, in January 2019, came with the announcement of “Collection #1,” an aggregation of email addresses and passwords from thousands of data breaches that could be used for credential stuffing: replaying the leaked email and password pairs against other sites in the hope that the owner reused the same password there.
According to Troy Hunt’s blog post on the find:
- The unique email addresses totalled 772,904,991
- There are 21,222,975 unique passwords
- In total, there are 1,160,253,228 unique combinations of email addresses and passwords (counting passwords as case sensitive but email addresses as case insensitive)
Those numbers are staggering. They are also scary. Whenever we see these kinds of figures related to a data breach, our first reaction can be panic. You immediately want to know if YOUR email address and password have been compromised. You then start to worry about what it means for your personal data and sensitive information. Can someone hack into my bank account and steal all my money? Do they have access to my personal photos online? Can they get to my work products? What do I do?
The reaction many people have to this type of news is a reflection of their own failings as protectors of their “digital identity.” We know we should not use passwords that contain personal information, such as our partner’s, child’s or pet’s name. We know we should not reuse the same password across multiple websites; reuse is exactly what makes a dump like Collection #1 valuable, because a password stolen from one site then unlocks every other account where it was reused. We know we should not share our passwords with others. However, we still do these things, usually for the sake of ease or expediency.
Some organizations may be tempted to use the announcement of a large breach as a “teachable moment” to scare their employees into following the organization’s password and account-security standards. They seek to use the employees’ fear to make sure they are “scared straight.” However, we know that this strategy does not work. Why?
If the only time your employees hear from you about cybersecurity awareness is when a breach occurs, they are trained to react only when something bad happens. They never engage with the real, day-to-day habits that make up an information security mindset. You may also hasten “breach fatigue” in your employees: when we are constantly bombarded with the same hyped messaging about data breaches, we become numb to it and start avoiding information about breaches altogether. That is the exact opposite of what we want.
So, what can we do? The best thing is to lead by knowledge, not fear.
- Make sure you are offering your employees security awareness training and information consistently. If your attitude is to provide the quickest and easiest training to “check the box,” you are missing one of the best opportunities to prepare your employees. Reinforcement of key security principles on a regular basis is essential to ensure employees know procedures and expectations. Equip them with the knowledge they need to be the best stewards for their, and your organization’s, digital identity.
- Provide employees with exercises to practice their knowledge. Phishing simulations are important, since phishing is a popular means of harvesting email and password combinations. Other social engineering scenarios, such as having an actor try to gain access to an area of the office that holds sensitive data, are also a good idea. You may also want to run tabletop exercises to discuss responses to various security-related incidents. The more you can expose employees to real-life situations and let them practice proper responses, the more likely the knowledge will stick and the better equipped they will be to respond when a problem does occur.
- Make it easier for employees to admit when they make a cybersecurity mistake. For many people, when we make a mistake, our instinct is to try to hide it. We do so for various reasons – shame, embarrassment and fear of consequences. However, the best time to learn of a potential problem is as early as possible, because that is when the fallout can still be contained: an employee who reports within minutes that they typed their password into a phishing page gives you a chance to reset that credential before it is used. Give your employees the knowledge they need to rectify their errors. Provide them with contact information for those in the organization who can help them address the situation quickly, without judgement.
- Make the connection for employees between their success as a security steward and the success of the organization. Employees should carry the knowledge of their impact at all times. Take a positive approach to this – an employee’s win is a win for the entire organization. They need to receive positive reinforcement when they are doing well. If you are only engaging with your employees from a security perspective when something has gone wrong, you are doing it wrong.
Announcements of data breaches give us a great opportunity to engage and educate our employees. However, they should not be the main (or only) times we speak about cyber security awareness, nor should they be used to frighten employees. We all respond best from a place of knowledge, not fear. Strong leadership in security awareness means providing employees with the skills and support they need to face their daily battles. By doing so, we can change their response to news of another breach from panic to confidence.