Cyber hygiene

Ignite the human firewall by transferring COVID-19 learnings to cyber security


June 2020


Lasse Frost

No matter if we look at pandemics or cybercrime, humans are the only link when responding to changes in the risk landscape. Handling new risks means that humans must behave differently from status quo. But what can we learn from COVID-19 about changing behaviour and making it stick that may be transferrable to igniting the human firewall against cybercrime?

So, may I ask you: “Did you wash your hands and sanitise more than 10 times yesterday?” If I had asked you in January, you would probably just have laughed in disbelief.

But in the face of the COVID-19 pandemic, all of this has changed. And the fact is that the longer we live and behave in a changed environment, the greater the likelihood that the good habits will stick1.

On the surface, hand hygiene and social distancing do not have much in common with IT security measures. However, when we take a closer look, they share at least four characteristics:

  • The threat is invisible, statistical and mostly targets “somebody else”.
  • The right behaviour is troublesome and time-consuming.
  • The gains of the right behaviour are intangible and lie in the future.
  • A single occasion of wrong behaviour from one person can affect many and have devastating consequences on a global scale.

In sum, this helps to explain why many of us are disinclined to follow official advice on security, how dangerous our disinclination can be and, above all, why we tend to respond sufficiently only in the face of acute crisis.

How did we get there?

I think we can gain some crucial learnings from the societal responses to COVID-19 on how to better ignite and engage the human firewall and fight cybercrime with lasting behaviour change.

Since I will primarily highlight examples from the Danish government’s response to the coronavirus crisis, it is important for me to underline that I am not blindly in favour of it. Likewise, I have no shares in what the history books will say about COVID-19.

This article only deals with one question: how can we become better at handling risk by making people the strongest link? Let us double-click on what we can learn from it.

#1 Highlight the burning platform

Without an inevitable consequence, a burning platform, change is unlikely to occur.

Regarding COVID-19, the Danish government succeeded in highlighting the burning platform early in the crisis by gathering a wide variety of authorities during prime time on national TV.

Standing together, the authorities stated that the nation was in an extraordinary situation that required an extraordinary response right away – even though we entered unchartered waters and mistakes would inevitably be made.

Interestingly, we also faced a serious cyber threat directly caused by the increase in the number of people working from home during the coronavirus crisis. The cyber threat increased dramatically following the outbreak of the pandemic, moving the Danish Centre for Cyber Security to issue a national warning in April.

There is no ceasefire during this time. Quite the opposite […] We must not relax our good security routines, because then we risk becoming easier targets.

The Danish Minister of Defence Trine Bramsen (7 April 2020)

A very reasonable concern. But, in hindsight, the response was inadequate. It implied that we were already in a state of cyber war before COVID-19, and it assumed that we already had “good security routines” in place.

Maybe the former held true. But looking at the facts, the latter was questionable.
In late 2019, after a series of global cyberattacks with Maersk, Demant and GlobalConnect among the victims, 50% of Danish small and medium-sized enterprises still lacked basic measures such as an IT security policy and guidelines for employees2.

By stating in a separate press conference that the cyber threat had increased but was substantially unchanged during COVID-19 and only required us to keep up existing efforts, the response did not inspire to organisational behaviour change in relation to cyber security.

In sum, this made the cyber threat seem like it was somehow unrelated and subordinated to the “main” crisis. And since there were no direct behavioural measures coupled to the statement (aside from a few general recommendations that were the same as before COVID-193), it was unlikely to have any significant effect on organisational security behaviour.

If the cyber threat is not directly coupled with the financial, commercial or even existential aspects of your organisation’s present situation, the burning platform is almost certainly not highlighted enough to ignite and engage the human firewall.

#2 The WHY must be crystal clear

When you are healthy, it is hard to imagine being sick.

In fact, it is so difficult that patients in treatment for depression stop taking their medication when they are recovering – even if they feel better precisely because they are taking the medication4.

The same goes for IT security. Many managers and employees tend to display a more relaxed behaviour because they feel it is somewhat overkill with all the precautions and procedural requirements and resource allocation for IT when “we haven't even been hit once” – even though they have avoided cyberattacks precisely because they are taking precautionary measures.

So, our own security and health are not enough motivation to follow directions and recommendations if they are resource-consuming or require a change of behaviour. After all, most of us are healthy and untouched by cybercrime. The great WHY of the required behaviour change must be crystal clear.

In recent months, the Danish authorities have repeated the message of “standing together – separately” and “exhibiting a social mindset”. We should not change behaviour for our own sake, but for those in need: the elderly and the sick.

Limiting the spread of infection became a shared responsibility. And it was taken to unprecedented levels when, in an extraordinary speech to the nation at the beginning of the crisis, Queen Margrethe directly called out the Danes who did not follow the instructions of the authorities.

It is mindless, and it is first and foremost ruthless.

HM Queen Margrethe II (17 March 2020)

Overall, the communication succeeded in equating the recommended behaviour with being seen by others as a good, decent and responsible member of the community.

This is a great lesson on how to communicate the great WHY of security risks in a way that motivates the individual to act accordingly. We should urge employees to exhibit secure behaviour – not for their own personal sake, but for their colleagues’. Cyber breaches spread faster than infectious diseases.

#3 Management must take the lead

If you want to create change with impact, you must lead by example. This is as true in cyber security as it is in public health.

In cyber security, executives must exhibit compliant behaviour themselves before they can expect the rest of the organisation to acknowledge the importance of following official guidelines and procedures.

No matter what one thinks of Prime Minister Mette Frederiksen and her handling of the coronavirus crisis, she has certainly – flanked by Kåre Mølbak (state epidemiologist) and Søren Brostrøm (the Danish Health Authority) – taken the lead in the Danish efforts to restrain the spreading of COVID-19.

This was emphasised during the many press conferences held at the Prime Minister's Office. Here, the representatives of the authorities consistently appeared with a two-metre distance.

The authorities’ personal compliance was further emphasised by the various media stories on how they were forced to cut their own hair5 or cancel their own 80th birthday6 due to the crisis.

It seems like cheap points. And maybe it is. But it underlines a crucial point.

When authorities/management set(s) out guidelines for the entire community/organisation to follow, they must practice what they preach. Otherwise, they undermine their own credibility and – more importantly – the cause they are fighting for.

Take for example the United Kingdom. Professor Neil Ferguson (state epidemiologist) had to resign in early May 2020 after it emerged that he had been visited by his lover during the lockdown he had initiated and referred to as “deadly serious”7.

The Danish and British experiences emphasise the importance of management taking the lead and in fact publicly showing that they themselves take the threat seriously and follow their own instructions. This applies in every risk context, in pandemics as well as in cyber contexts.

#4 Instructions must be concrete and unambiguous

When we face a severe threat like a global pandemic, the concept of common sense seems to disappear. We need answers – not guidelines. And we need them NOW.

Where can I go? How many can gather in a group? Exactly what distance should I keep? Do I have to put on a mouthpiece? What will be cancelled? When will changes take effect?

If the authorities had not endeavoured to give concrete and unambiguous instructions for the behaviour of all citizens and private and public actors in all contexts, the overall effect on the Danish society would most likely have been chaotic.

But in doing so, it is equally important to keep in mind to avoid negations. Always. And to instruct people WHAT to do instead of telling them WHAT NOT to do.

When Mette Frederiksen at the beginning of the crisis put on a grave face and said that there was NO reason to hoard, it had exactly the opposite effect. Already that same night, the news was full of yellow news banners with headlines such as “People storm the supermarkets after new coronavirus measures”8.

An example of the opposite is the division with white chalk of the green space at Islands Brygge in Copenhagen into even squares with space for 10 people in each square – a very concrete and unambiguous behaviour instruction.

In the field of cyber and information security, the challenge has been largely the same. We often give people vague advice (be aware of phishing) or tell them what NOT to do (do not share your passwords with others).

By doing that, we leave it up to the employee to determine what to do. That makes the organisation vulnerable. It is imperative that we give unambiguous and concrete instructions for action, which are not just about what NOT to do.

#5 Constructive feedback should be provided with regular intervals

Does it matter what I do as an individual? Does it make any difference whether I follow the official instructions? Questions like these may cause insecurity at an individual level and thus harm the motivation for behaving correctly in the face of risk.

No matter if we are facing risks in cyber security or in health, the overall impact of the individual’s compliance/non-compliance is very hard to determine. We can never say exactly how big a difference it makes to follow recommendations – neither on individual nor on organisational level.

But that does not mean that the behaviour of each citizen or employee is insignificant. Quite the contrary. Not only does the behaviour of a single person have an isolated impact on the risk, but far more significant, individual behaviour has a social consequence: I am much more likely to be compliant if I observe that you are and vice versa.

Therefore, if we are regularly reminded about each other’s behaviour in relation to the current situation and the common goal, we are more likely to exert compliant behaviour.

Here, once again, I would like to highlight the regular press conferences at the Prime Minister’s Office – but for another reason: the status on the infection pressure.

Sometimes, praise was given for compliant behaviour, and other times, extra efforts were called for. In a liberal democracy, this kind of clear-cut paternalism can easily backlash if it sounds too condescending. But so long as the guidance was objectively based on the current state of the affairs, it had the intended effect.

In security, we can leverage this insight by doing two things: highlight how much negative impact inaction will have on security (e.g. each day we wait before installing the latest update, the threat increases exponentially) and regularly provide a status on collective performance while recognising the employees for their effort – doing something that is not at all their core task to the benefit of everybody’s security.

#6 Healthy habits only happen in a healthy environment

We humans are hardwired to follow the “path of least resistance” – the least bumpy path – in our behaviour9. We save energy, both mentally and physically, wherever and whenever we can. For better or worse, we are creatures of habit:

The purpose of a habit is to remove that action from self-negotiation. You no longer spend energy deciding whether to do it. You just do it.

Kevin Kelly for The Technicum in 202010

The trick is to create an environment that makes the most appropriate behaviour the most natural choice for us.

During the coronavirus crisis, the proliferation of hand sanitisers everywhere in workplaces, supermarkets and other places has made it obvious to splash your hands regularly without actively thinking about it.

Just being there will be part of the habit. And if they are strategically placed, e.g. in the middle of an entrance, there is a strong social pressure to use them. You do not want to seem irresponsible to others.

The same applies to the removal of the item separators at the supermarket cash register and, in some places, the installation of plexiglass shields between you and the clerk so that you have to hold up the item to have it scanned.

Measures such as these make physical distance (the desired behaviour) the most obvious thing to do in the situation. And that is exactly what we also want to achieve with digital security behaviour.

Make it easy for the user to remember and create new habits by making the required action as simple and concrete as possible, giving regular reminders and changing the physical environment around it, e.g. by making it impossible to log in to important resources without access to the team password manager or by hanging up owls around the office11.

The longer we live and behave in a changed environment, the greater the likelihood that the good habits will stick. They will become a natural part of what you do every day, thereby redefining who you are. Only good habits separate the weakest link from a security hero.

Eager to ignite and engage your human firewall in your organisation? Feel free to reach out!