The healthiest way to approach keeping people safe from online threats is to talk about misjudgements and errors – and to do so in a way that lets them understand that almost everyone has made a cybersecurity mistake at some point.
Encouraging discussion around the threats people have faced can go a long way to helping others becoming more aware of what to look out for – and to avoid falling victim to cyber criminals themselves.
Even the most seasoned information security professional will have made mistakes at some point, so it isn't right that everyone else should be chastised or even punished if they click on a phishing link, whether for real or during a company phishing test.
"One of my favourite things I like to ask big groups of people in information security is 'Can anyone in here guarantee that they've never clicked the bad link?' In a room of hundreds of people, no one will raise their hand," Margaret Cunningham, principal research scientist at Forcepoint, told ZDNet Security Update.
"And to me that says no matter what your expertise, no matter how long you've been thinking about security, links, phishing social engineering, whatever – you can still be the person who makes the mistake."
It's not unusual for companies to attempt to run cybersecurity awareness campaigns around shame and fear by punishing or embarrassing employees who fail a phishing test – but according to Cunningham, this attitude doesn't help people get to grips with what, for many, is a subject that's still difficult to understand.
"Helping people understand the risk and also communicating about that risk is difficult, especially if your organistional culture is sort of punitive – like 'you make a mistake, see you later' – that's not actually going to help you very much," she said.
If anything, people should be encouraged to talk about the online security mistakes they've made, because not only could it help others be more aware of potential cyber threats, it demonstrates how everyone can make mistakes and that there's nothing for people to be ashamed of if they do fall victim to phishing, social engineering or other forms of attack.
"There's a huge organisational value to talking about dumb things that we've done – things that we've fallen for, the mistakes that we've made," Cunningham explained.
"It makes a big difference to talk about it, even if people give you the eye roll and an 'I know,' well, let's just remind ourselves," she added.
MORE ON CYBERSECURITY
- This phishing email promises you a bonus - but actually delivers this Windows trojan malware
- How phishing attacks evade traditional security defenses
- Phishing: These are the most common techniques used to attack your PC
- No, you can't buy a COVID vaccine online, so ignore that ad, text or email
- Three billion phishing emails are sent every day. But one change could make life much harder for scammers