Companies usually call me in the uh-oh moments of a cyber security problem. They know they shoulda, coulda, and probably woulda taken care of those problems, but...it’s not until there’s a hack, a leak, or an audit that said whoa, better fix this! that they reach out. Most often when I talk to clients seeking help in the uh-oh stage they are feeling all the things that make people most unlikely to make positive changes. They’re scared, nervous, and a little ashamed because truly they know they needed to do something earlier, but they didn’t and now here we are. It reminds me of going to the dentist--my stomach fills with butterflies, I obsess about the two times I forgot to floss last month, or was it three and I break out in a cold sweat when the hygienist calls me back. Maybe you know the feeling.
A lot of this anxiety comes from a fear of the complexity of cyber security. It sounds so complicated and nebulous. And it’s why so many companies don’t take a hard look at their own cyber security needs until something not great happens. It just doesn’t feel accessible, and if something feels inaccessible and it’s scary and it’s nebulous...we humans prefer to ignore it. We live with so many micro-stressors in our lives that if we can put some of them in a drawer and pretend the problem away, it’s a perfectly understandable thing to do.
But here’s what I really want to share with you, because I think it might help take some of that fear out of cyber security. Take a guess as to what percentage of my time is actually devoted to solving scary, technical, security challenges?
Less than 15% of my billable hours have to do with anything technical or “cyber.” On average 85% of my time is spent solving people-problems.
People security is cyber security. And people security is a whole lot more accessible than cyber security. Don’t get me wrong, it’s not always an easy thing to transform people from security risks into security defenders--but I think it’s really helpful to know that if you want to be proactive about securing your networks and your communication environment but you feel overwhelmed and maybe a little scared--I can tell you with confidence that you actually understand way more than you imagine you do.
You know your team, you know your risks, and with a little guidance and technical support you’ll be able to know what you need to do to enhance your cyber security.
People should be your number one concern when you’re assessing your team’s cyber security needs. You certainly need to make sure you have the right technical tools, vendors and IT staff managing your networks, but that’s easy. Plug. and. Play. Once you’ve done that and even if you have a good CSO, your people are still your primary security concern. Consistency is a tenant of any security strategy. But people in the cyber world are really only consistent in clicking and connecting. When it comes to changing their passwords, finding time to install updates, remembering to turn on a VPN before accessing the unsecured wi-fi network in the coffee shop downstairs…people are woefully inconsistent. This is why the majority of malware deployed today preys not on network vulnerabilities but on people and their predictably consistent desire to click and connect.
If we can take away the anxiety and fear around big, scary CYBER SECURITY, and you can focus on what you already know--your people---what you already understand, and feel good about the steps you are taking to solve your security problems---this mindset shift actually makes it far more likely that you will find a way to consistently adopt safer communication habits. And it’s that consistency that can transform your people from security risks into security defenders.
The idea of a mindset shift might sound trivial when it comes to ransomware and DDoS attacks, but it’s actually one of the most powerful things you can do for the security of your company.
I listen. A LOT. And what I hear again and again, is that clients knew they had a problem before they experienced a cyber security crisis. They are always embarrassed and often a little ashamed that they didn’t do anything about it earlier. It’s actually that anxiety and shame that stops those clients from reaching out to us for proactive cyber security solutions. Take a deep breath and let go of that anxiety. It’s okay and there are people like me who won’t judge and are happy to listen whenever you’re ready to ask for help. And speaking of letting go of that anxiety...I really do need to schedule my dental cleaning...