Reaching the Cybersecurity Tipping Point

On: March 9, 2017
Are you creating conditions that lead employees toward their cybersecurity tipping point—toward committing to solid security and privacy practices?

Originally posted on Network World

Remember that moment when you really committed yourself to solid security and privacy practices?

The moment when you committed to never clicking on a link you weren’t sure about, to always checking for badges on people coming in the door, to always using your password manager to create a complex password? If you do, you reached your “cybersecurity tipping point.”

For many, that moment has not yet come. And if you are reading this article, it might be your job to get your employees to hit that point. And you already know that the hard part is figuring out how.

It’d be great if we could schedule the tipping point for our employees. Maybe we’d put it at the end of our annual training, right when they click to acknowledge their acceptance of policies.

But humans don’t work that way. Every person hits their tipping point based on different prompts. Malcolm Gladwell, in his book “The Tipping Point,” explained just how complicated it is to figure out how ideas or social movements reach a tipping point—let alone to figure out how to engineer a tipping point in the behavior of employees in your organization.

Reaching the Tipping Point

Complicated, yes, but not impossible. Case in point: January’s celebration of Data Privacy Day, when a couple people in my company hit their tipping point. Here’s how it went down:

I arrived at work early and planted a file folder with (bogus) personal information in an upstairs conference room and a USB drive containing the same bogus data in the downstairs print room. I then sent out an all-hands email inviting people to celebrate Data Privacy Day by watching our incident reporting educational video.

Then I waited.

And waited. I wanted to see if anyone would find the documents and report them. By noon no one had, so I sent out a note to everyone that ended like this:

So folks, I planted two potential sources of privacy violation in plain view today, before you all arrived, and no one has reported anything yet. So keep your eyes out, and report any issues you see right away. There may be a little something in it for you.

Then it got fun! Within about ten minutes, our copy editor was at my door with the USB drive. “Did you plug it into your computer?” I asked. “Heck no,” she said. “Right on!” I replied, handing her a $25 Amazon gift card. Hot on her tail were two guys from marketing, who had found the file folder earlier in the day but had not gotten around to reporting it until just now. They got a hearty thanks, and a small consolation prize.

But it didn’t stop there. Two guys from biz dev came down: “Hey, what about this document marked confidential we found on the printer?” Bingo! An Accounts Payable person ran into me in the hall: she loved the video. And one of our salesmen ribbed me: “I finally got why you’re always harping on the things like Privacy Day and Security Awareness week.”

That’s right! Basically, all over the office, people had conversations about the kinds of data that should get reported, who to report it to, and what to do if the data wasn’t sensitive, but also shouldn’t be floating around.

Making Progress

Nothing “went viral.” I don’t have any hard evidence that anyone hit a “cybersecurity tipping point.” But I believe we made some progress, and I’d encourage you to recognize the important role that “special days” like this play in building overall awareness in your population. They don’t even have to be special days; they can just be informal, mundane activities that open people’s eyes to the role that data protection plays in running your business.

You’ll never create a risk-aware culture by releasing annual training; you won’t even get there with quarterly training. You can’t schedule anybody’s cybersecurity tipping point, and nobody has yet figured out how to make a video “go viral” on demand. But if you consciously plan to create moments that engage people’s thinking about security and privacy throughout the year—and if you weave them into the very fabric of your culture—you stand a good chance of making data protection one of the central values of your company.

So let me ask you, how are you creating the conditions that lead your employees toward their cybersecurity tipping point?

Want to see how MediaPro can help you get your employees to the cybersecurity tipping point? Contact us today to learn more about our comprehensive approach to security awareness.
