Cybersecurity (Self-)Awareness: How We Can Do Better

Cybercrime is a huge and – let’s face it – unsolved problem. And what better time to reflect on how we can improve our defenses than Cybersecurity Awareness Month?

And yes, when we say “we,” we’re talking about us IT professionals – the experts you call when you need help. There are a number of ways we can improve on the cybersecurity front, and it’s time we took a good hard look in the mirror.

We’re not talking about technical shortcomings or faulty tools either; we’re talking about communication. It’s our job as IT pros to communicate the importance of cybersecurity to the individuals and businesses we serve, and we can – and will – do better. Here’s how…

Information Overload

Ever find your eyes glazed over while reading an IT article or sitting through a training program? We don’t blame you. Cybersecurity can be boring, confusing, and overwhelming. Let’s quickly run through some common cyber threats. Deep breath…

You’ve got phishing, vishing, smishing, malware, spyware, adware, ransomware, keylogging, DDoS attacks, man-in-the-middle attacks, IoT attacks, social engineering, data breaches, zero-day exploits, botnets…

You probably want us to just shut up. We get it – it’s a lot to take in! In fact, it’s too much to take in.

Make no mistake, these are all important topics – each threat a serious one – but it’s hard to digest so much information, let alone act on it. As IT pros, we tend to get excited when talking about cyber threats and our ways of stopping them – it’s our job, and we love it!

But sometimes, we need to take a breath, and start with simple concepts that users can easily grasp and implement, building up to more complex ideas and solutions over time.

How We Can Do Better

Going forward, we pledge to do a better job focusing on key topics one at a time, providing engaging training material aimed at all levels of expertise. We will also strive to work with you, our clients, at your own pace, starting where you are and going from there.

Sloppy Statistics

Statistics are a powerful tool. However, a lot of the statistics you see thrown around in cybersecurity discussions and education materials lack context and specificity, undermining their impact.

Let’s look at two specific statistics:

As of 2024, the average cost of a data breach in the United States amounted to 9.36 million U.S. dollars.

Since 2020, there have been 128 reported hacking incidents that have impacted over 13 million patients in the Texas healthcare industry.

The first statistic has its place, but it’s a little misleading if given without qualification. Think about it. Most small and medium-sized businesses don’t have anywhere close to that much money to lose. Clearly, the average has been skewed by data breaches on massive corporations that cost hundreds of millions.

We’ve shared statistics like this in the hopes that it will spur clients into action, but all too often, it has the opposite effect. You know something’s fishy when the ‘average’ exceeds your total revenue several times over. As a result, you tune it out, or worse yet, lose trust in the person or organization who shared that information with you.

How We Can Do Better

As IT professionals, we need to do a better job of sharing statistics with more well-defined parameters and context – like the one above about hacking incidents in the Texas healthcare industry. Going forward, we will strive to share stats like this, as they are more likely to compel action and drive awareness, which is, after all, the end game in all of this.

Blaming the End User

A common phrase in cybersecurity is “user negligence,” often cited as one of the biggest cybersecurity threats. While it’s an important issue, the term doesn’t exactly cast users in a flattering light.

This isn’t to say any company intends to insult its clients or users with this label – we IT folks are nice! However, the term has an accusatory tone, and, more importantly, it can mask a deeper and more pressing issue: a lack of awareness.

Labeling a user as “negligent” implies some level of awareness; after all, you must be aware of something to neglect it (you wouldn’t accuse someone of neglecting a stray cat, but you could reasonably accuse someone of neglecting their own pet). And the reality is, most users aren’t thinking about cybersecurity when they sit down to work. They can’t neglect what they’re not even thinking about – what they’re not aware of.

How We Can Do Better

As IT pros, we need to stop blaming users for negligence, and start helping users develop awareness. We need to figure out how to get users thinking about threats when they open emails, receive links, share information with AI, etc. This will involve efforts on a lot of fronts, including using clearer language to explain things, and providing more concrete and real-life examples of cyber threats in action. Training you to think about cyber risks in your day-to-day life is our job, and we’re committed to finding ways to do it better.

Doom and Gloom

It’s hard not to feel a bit gloomy when talking cybersecurity. The tech world is swarming with threats, and things have only been getting worse. That said, while a dose of doom is understandable, constant pessimism can lead to three serious issues: complete avoidance, total panic, and active ignoring.

Avoidance

We wouldn’t blame anyone for reading about the latest security threats and thinking, “No, thank you. I’ll let my IT department handle that.” It’s tempting to let your smart IT folks handle all things cybersecurity, so you can think about, well, anything else.

Panic

Consider someone inundated with terrifying news and alarming statistics. When they receive a phishing email, they may panic and respond impulsively (i.e., click the dreaded link). It doesn’t help that hackers will often make their requests sound urgent to heighten that sense of panic. Our job as IT pros is to help you keep your cool, not feed the panic that hackers depend on to be successful.

Ignoring

On the flip side, some choose to respond to the constant doom-and-gloom discourse by simply tuning it out. When IT pros are constantly sounding the alarm bells, a boy-who-cried-wolf effect can occur, with users assuming those tech people are exaggerating or being dramatic (sharing misleading stats doesn’t help our case here!).

How We Can Do Better

The solution lies in a level-headed approach to discussing security threats. We need to move away from flashy headlines and repetitive scare tactics. IT teams should inform users calmly and clearly, emphasizing the importance of awareness.

Over-Promising

At the opposite end of the spectrum, we have the over-promisers. While some companies spread doom and gloom, others swing to the extreme of unwarranted optimism – and some manage to do both in the same breath.

“Have an issue? Leave it to us!”

“Confused? Give us a call and we’ll handle it!”

You’ve likely heard it before – an IT provider’s promise to make your cybersecurity woes disappear at the wave of a hand.

While having IT support is invaluable, promising clients they’ll never have to worry about cybercrime is a dangerous disservice. That’s because there’s nothing riskier – and more appealing to hackers – than a passive and unengaged user.

How We Can Do Better

For effective cybersecurity, everyone needs to be on the same page, from end users to IT pros. That’s why, going forward, we will strive to avoid over-promising, and instead, make it clear that the war on cybercrime is a collective effort. We can do a lot to keep you safe, but without your cooperation, our efforts won’t be enough.

Cybersecurity Isn’t Perfect

There’s one universal truth in cybersecurity, and it’s a scary thing for us IT professionals to admit: there’s no such thing as 100% security (see – no more over-promising!). But it needs to be said because this unfortunate fact is precisely why awareness is so crucial. Hackers will always find new ways to hack. Security tools will have glitches, and users will occasionally slip up. The only guarantee in cybersecurity is that there are no guarantees.

Instead of facing this uncertainty with fear, false promises, or overwhelming information, we need to acknowledge it, confront it together, and strive to keep everyone informed.

We’re in this together, and together, we’re stronger.