It’s often said that humans are the weakest link in cybersecurity. Indeed, I’d have a hard time arguing that a computer that was sealed in a box, untouched by human hand, poses much of a security risk. But a computer that is unused has no purpose. It behooves security practitioners to get smarter about how we teach people to use those machines so that both humans and computers can work together to safely accomplish greater things.

This month is National Cybersecurity Awareness Month, which is an event designed around educating people on how to avoid contributing to security emergencies. If you’re working in cybersecurity, this subject is probably never far from your mind. But as an industry, we still have a lot to learn about how to educate people effectively.

Here are a few ways you can tweak your existing security awareness programs to be more effective.

Go where the people are

Most of us have a pretty “one size fits all” approach to security awareness, which is not the most effective way to go about things. Different jobs necessarily have different functions and different needs. Malware analysts, for example, would have a very hard time doing their job if they followed standard security advice. It’s just assumed that they are an exception to the usual rules, and they’re given environments that allow them to do their job safely.

But they aren’t the only ones in most organizations whose normal daily work requires them to do things that seem to fly in the face of traditional security hygiene recommendations. People working in HR and Accounting are often required to open unexpected attachments, which is a big security risk when it’s done without adequate security precautions. People whose jobs require “unsafe” behavior will ignore our advice, and likely other