So, if you’ve strayed into this mindset (or you are battling that mentality within your staff), how can you reset? Realistically, behavior change doesn’t happen immediately; it’s a process. Sure, it’s a little “touchy feely,” but it’s really about adopting a new outlook. Here are some tips for you and your team:
- Put yourself in your users’ shoes. IT security is not their forte. The threat landscape shifts rapidly, so expecting non-IT employees to keep up and be perfect is not only unrealistic, it’s unfair.
- Accept that your users can be taught new tricks. In your career, you’ve learned a lot of new things. So have the other employees in your organization. Many cybersecurity best practices aren’t rocket science, but they also aren’t innate. Learning won’t happen through osmosis, but it can happen through opportunity.
- Recognize that it takes time. Talking at your users once or twice a year and sending a few emails is not the recipe for an effective security awareness and training program. You did not learn about phishing prevention, mobile device security, password management techniques, and other best practices in a few minutes a few times a year. Allow your users the same courtesy of learning and improving over time.
- Allow for, and accept, that mistakes will happen. Spam filters don’t catch everything. Anti-virus software never stays ahead of every threat. Software patches aren’t always applied in time. Users won’t catch every phishing email or avoid every dangerous site. Zero vulnerability is unachievable on every front, so stop chasing zero and focus on reducing risk rather than eliminating it.
Bottom line: The only “us vs. them” mindset when it comes to cybersecurity should be “your organization vs. the attackers who would do you harm.” Put your end users in your corner, and help them gain the skills they need to make your security stronger. You are in this together, so do it together.