We often talk about data privacy regulations on the podcast. But this week, our conversation with James McQuiggan, Security Awareness Advocate at KnowBe4 Educator, talks about people instead of compliance and technology. He shares with us why changing your organization’s culture to create a security mindset is the most important step in cybersecurity. And then he provides some great practical tips that you can use as soon as the episode is over to move your organization to Phase 4 – you will learn what that means as well.
Here are a few highlights from this episode:
The Human Factor in Cybersecurity
During our chat, McQuiggan talks about how organizations must create a culture that focuses on the human element of cybersecurity, which creates a lot of security issues – data breaches, ransomware, phishing links, etc. He likens the attitude as being similar to people driving 82 mph on the interstate in a 70 mph zone because they can get away with it and are late for an appointment. He says that creating a culture with policies on how to behave – and also assessments to make sure people follow the rules – is a large part of cybersecurity. He shares an example of sending test phishing emails to employees (to see whether they will click or delete) to know if more education is needed. Another idea he shares is tracking the number of days since the last cybersecurity incident to create a culture of employees working together towards the goal.
What is the root cause of a data breaches?
“Working on the human layer takes care of a lot of security problems. When you think about it, what is the root cause of data breaches? How does ransomware get in? It’s either because you’ve got RDP open on your external firewall, an employee clicks links or unpatched equipment on your perimeter. But a lot of the time, it happens because someone gets an email – they click on a link or open an attachment that opens up your company for the bad guys.”
-James McQuiggan, Security Awareness Advocate at KnowBe4 Educator
Hanging a “Beware of Dog” Sign on Your Organization
McQuiggan compared securing your organization by taking proper steps such as installing a security system, motion sensors, and additional locks to deter criminals if there are burglaries in your neighborhood. Although he doesn’t have a dog (just three cats), he has a large “Beware of Dog” sign on his door, and a recording of dogs plays when someone rings his doorbell, for this exact reason. And if you are wondering, he doesn’t have attack cats – they run when strangers come in. Because he’s taken these security measures, potential criminals are likely to pass by his house – which should also be the goal of organizations.
Four pillars of data security
“There are four pillars of security for a company with security – all revolving around human culture. Phase 1 is ad hoc, and Phase 2 is something going on. In Phase 3, you have an automated assessment where people are following processes. However, when everyone is following security processes without thinking, and everything is automated on a human level, then you are in Phase 4 and security is part of the culture.”
-James McQuiggan, Security Awareness Advocate at KnowBe4 Educator
How He Would Spend $100 on Security
When asked how he would make his organization more secure with $100, McQuiggan said he would buy a handful to $10 gift cards from a local coffee place. The first 10 people who he saw demonstrating smart security behavior would get free coffee. These behaviors could be anything from keeping tailgaters from walking in the front door to using strong passwords. He says people are not only thrilled to get something when they do something positive, but word gets around to other employees – making taking security measures a carrot rather than a stick. By creating a positive culture through activities such as this, he sees companies creating a culture that promotes cybersecurity. And if your budget has extra left over for security – more than $100 – he shares other recommendations during the episode.
Build a security culture – not just a program
“You’ve got a security program, you’ve got the money, you’ve got the funding. But how do you get the culture bumped up? And that nudge is there for it.”
-James McQuiggan, Security Awareness Advocate at KnowBe4 Educator
Nudging Your Employees
Because changing the culture isn’t easy or quick, McQuiggan says that you need to look for ways to nudge your employees and organization into a security mindset. He shares the example of creating a password program with a bar that turns green as you add more strong elements, such as uppercase letters, symbols, and numbers. He has seen firsthand that by creating motivation to follow the security practices, people actually follow them more often.
Don’t make the mistake of thinking you don’t need to listen to the episode because you’ve read the recap. We just touched on a few of his great ideas and didn’t even mention the fun tidbits he shares at the end. He even admits to loving watching the “Lion King” musical.
