Security Awareness Campaigns for Consumers
Last week I attended a workshop with representatives from the telecommunication industry about how to tackle consumer security awareness and culture. Here is a short write up about what I’ve learned:
Why the need for public or consumer security awareness, particularly in our region?
For some industries it's a compliance requirement but actually it’s just the right thing to do. Today half of the world’s mobile money accounts are registered in Sub-Saharan Africa generating 63% of the world’s mobile transaction value. Africa currently has about 500 million Internet users, which equates to just 38% of our population being connected.
This massive growth opportunity to connect more people is highly attractive to investors in fintech, mobile money, telecommunications, and sadly cybercriminals alike. Interpol's 2021 Africa Cyberthreat Report highlighted that social engineering is one of Africa’s top cyber threats, something that needs education and awareness to defeat.
Many of Africa’s new users will be first-time users with no prior digital experience, let alone understanding of the type of threats they may encounter. So it makes sense then that governments, as well as companies involved in connecting these people, have a social responsibility to improve their consumer’s digital literacy and security awareness.
But as anyone knows from trying to improve security cultures inside organizations, changing human behavior is not an easy task. At least on the inside we usually have some element of control. For starters, we can make training “compulsory”, send (annoying) reminders and if people still don’t participate, complain to their line managers. We can also frequently phish our users and use monitoring to identify high-risk behavior. None of this can legally or technically be applied to external people like customers though. So how could companies tackle this?
The importance of Behaviour Design in Cybersecurity Awareness
Many institutions have dedicated security awareness areas such as not to share your passwords or how to spot a phishing email on their websites. Unfortunately, this is not really cutting it. Even if the consumers end up on that site and lo behold are reading it, it does not mean they will follow the advice or change the way they do things.
The problem with awareness is that "awareness" itself does not automatically result in secure behavior.
Let’s look at the problem through the lens of behavior design. (Hat tip to my colleague Perry Carpenter here). BJ Fogg’s much-quoted behavior design model neatly outlines that behavior happens when three things come together at the same time:
Motivation, Ability, and a Prompt which could be a reminder or a nudge to do the behavior.
Fogg’s Behavior Model highlights three core motivators: Sensation, Anticipation, and Belonging. Each of these has two sides: pleasure/pain, hope/fear, acceptance/rejection. These core motivators apply to everyone; they are central to the human experience.
Let's try apply these to cyber security:
Tapping into people’s emotions by using visually appealing content, engaging with humour and story-based techniques, and activating positive sensations.
Fear can be a powerful motivator too. Show what could happen when. But too much of it can result in apathy and needs to be underpinned with the notion that it is simple to defend.
Using the power of leadership or celebrity to tell stories and invoke a sense of belonging.
Making it personally relevant by providing information on how to protect kids or family members
Humour is a great technique to grab people’s attention, evoke positive emotions and help with memory retention. However it has to be applied carefully and with a sensitivity to the audience's cultures, else it can backfire. Also, it shouldn’t be used too much, as it could result in the audience not taking the core message seriously enough.
BJ Fogg says that training people is hard work, and most people resist learning new things. That’s just how we are as humans: lazy. Give someone a tool or a resource that makes the behavior easier to do. A great example is a password manager. This is a tool that takes care of desired behaviour and simplifies the complexity of having to remember multiple different passwords.
So when we run campaigns for external users, we need to ask ourselves where are opportunities to provide tools that make it easier for them to stay safe? For example:
A list of or links to recommended tools such as password managers, anti-malware, home security, etc.
Simple how-to guides, 1-minute YouTube explainer videos
The concept of prompt has different names: cue, trigger, nudge, call to action, request, and so on and they all have the purpose to remind and tell people to "do it now". A good example are the password strengths meters reminding people to come up with better passwords as and when they create them.
When designing a customer awareness campaign, it’s important to consider where prompts may be used. Some ideas could be:
When users set up their phones or other gadets for the first time, remind them about the importance of setting up a passcode or changing default passwords
SMS or text-based notes about scams and reminding users not to click on any links
When people log on to your systems, remind them about the latest scams, keeping their digital identity safe, and how to set up a strong password
Scam alerts on social media about social media scams.
When it is possible to combine the three elements of motivation, ability and prompts, changing behaviour is a much more likely outcome than just spreading awareness content and hoping for a result.
What can we learn from the banks and financial service industry?
In preparation for the meeting I reached out to some of our financial services customers to find out what they have been doing in that field. A lot of our banks and insurance organizations have been doing public awareness for many years and have learnt quite a bit in the process.
Here is what they said:
To make the customer security awareness programs work, the bank’s securit team I spoke to, said they worked with their corporate communications team to design a 360 digital marketing campaign around their core messages, like they would do if as if they launched a new product. This includes using different channels for different audiences and purposes on social media, email marketing, multi-media (YouTube & TikTok), sponsored content, SEO, blog sites, pay per click ads that takes people to their dedicated security website, competitions and more.
It's an ongoing effort and can’t just be a once off event and requires a fair amount of budget too.
Themed campaigns work quite well on social media and allow for targeted messaging, for example combining “#Womensday” with ads about learning about how to protect themselves online.
Sharing content that engages emotions performed best and partnering with likable public figures like stand-up comedians helps grab people’s attention and educate them in an entertaining way. Here is a trailer on how we used South Africa's leading stand-up comedians a few years ago in our Standup4Security series.
Plan for negative feedback on social media such as people asking “what are you doing to prevent scams?” or others using the campaign as a platform to vent their frustration, so it’s important to have someone who can respond quickly and diplomatically.
For corporate clients or even the public, webinars and masterclasses using well-known experts or influencers work well. One of South Africa's banks ran a webinar with a well-known US hacker sharing his latest techniques.
Creating a family-relevant content library with educational videos and gamification was well received.
Establishing a team of thought leaders. AT&T for example does a nice job of that and frequently gets quoted by the media.
Sponsoring hackathons and cybersecurity competitions. This creates public media coverage and also helps in attracting new talent.
Including security awareness training in loyalty and customer awards or points programs
Including security awareness in a larger financial or digital literacy and other learning programs
Traditional channels such as radio and television were used to reach audiences that are not heavily digitally connected
Tap into existing customer engagement methods, even if still paper-based, such as monthly statements or digital, like client apps to add security awareness notes.
Whether we are trying to bring a message across to internal staff or customers, at the end of the day we are trying to encourage people to not only be aware but change their behavior accordingly. Keeping the principles of behavior design in mind when drafting communication campaigns helps to think creatively on how to achieve this. KnowBe4 has an off-the-shelf customer awareness library that can be used to simplify and kick start your campaign. One thing is for sure, customer security awareness, just like organizational security culture is not a once-off event, but something that needs persistency. A bit like flossing. But the effort will be worth it and will provide additional value to your customer base.