The significance of cyber security awareness in an unstable geopolitical climate.
A few weeks ago, during a 14-hour trip back to Denmark from the United States, I found plenty of time to reflect on the importance of culture in communicating effective cyber awareness in large organizations. I rediscovered the cultural nuances that come with conducting business in the States and reflected that board members and CXOs also experience the challenge of communicating cyber security awareness, cyber risk, and geopolitical risk.
Let me begin with cyber security and geopolitics and why those two subjects belong together:
Geopolitics and cyber awareness
As the pandemic demonstrated, all businesses, to varying degrees, are interconnected and dependent on global supply chains due to the complexity and interdependence of the modern global economy. Furthermore, businesses are heavily dependent on shared infrastructure, which includes the physical, digital, and social systems that support and enable economic activities. These shared infrastructures play a critical role in facilitating business operations, growth, and overall success.
Recent geopolitical instability is making the management of cyber risks more challenging for organizations. It necessitates a more adaptive and proactive approach to cyber security, one that recognizes the evolving threat landscape and the interconnectedness of global events with digital vulnerabilities.
Businesses and organizations must consider geopolitical contexts when developing their cyber security strategies and awareness campaigns, as these contexts can significantly impact the threat landscape in which they operate. A good cyber security awareness campaign is one that also communicates the specific cyber risks of the regions in which the business or its third-party partners are present.
Adapting to these geopolitical challenges requires a comprehensive and flexible approach to cyber security. Small adjustments in the communication and strategy of cyber security awareness can lead to large positive changes. Below, I list four valuable insights that I believe can impart effective changes, boost an organization's cyber awareness communication strategy, and foster a cyber security culture that engages across all levels from the board to key stakeholders.
Keep it simple
Large corporations often have complex organizational structures, making the journey to cyber resilience overwhelming as each risk demands a distinct analysis and potential investment of additional resources. Despite this, flexibility is still possible. Not all risks require analytic rigor or subsequent investment from the senior management. Immediate hazards like icy sidewalks or commonplace cyber incidents like phishing emails can be addressed at lower management levels. Moreover, complex cyber risks and complicated political events can be distilled into simple actionable messages. Employees do not need to have a comprehensive understanding of the political situation, nuanced social history, or a timeline of events to react to regional instability. They just need to understand which regions they are working with and the key related cyber risks. For example, the recent war in Ukraine is likely to increase the risk of ransomware from threat actors who are motivated to raise funds for Russia’s ongoing invasion.
Craft a connection
To promote change effectively, it is crucial to communicate and use language and terms that resonate with your employees. Sometimes small changes can have a big impact. For example, the Director of Human Resources at a major financial institution determined that the term ‘cyber security’ was not connecting with employees. The messaging was changed to ‘protect our data and systems’, an objective that team members could clearly understand. The director later explained: ‘In our world, data is king, everyone understands the need to protect our data’.
Moreover, geopolitical issues can be highly complex and off-putting to those not well-versed in politics. To build awareness of cyber risks, it is important to use relatable and comprehensible terms. Avoid political language, terminology, and acronyms and try to describe events in down-to-earth terms, which your people understand and can relate to.
Security is a team effort
Change can come from anywhere. It does not have to be the head of IT or the CISO who is responsible for cyber security alone. Rather, there are benefits to assigning a non-technical executive or local manager to drive the actions required for behavioral change and fostering values, attitudes, and beliefs. Non-technical managers may have a more down-to-earth understanding of the audience, which can lead to creative but effective campaigns that connect with non-technical employees, such as leveraging famous movie titles to convey essential cyber security messages, or integrating entertaining icons and popular memes into training programs to boost engagement and stimulate meaningful discussions among the workforce.
The contrary is also true. A recent focus on the importance of cyber risk at a board level has led towards integrating more cyber security competence within Senior Management. Looking ahead, Gartner predicts that by 2026, 70% of boards will include at least one member with cyber security experience.[1]
Practice makes perfect
I would highly encourage organizations to practice Crisis Management exercises annually. These exercises should be realistic scenarios that highlight what could happen in the event of a real data breach. Too often we have seen that the first time a company has thought about a cyber attack was during a cyber attack. Create plausible exercises for different regions or departments to train those on the front lines.
In conclusion, the landscape of cyber security is evolving rapidly, driven by the growing influence of geopolitical factors and the increasing interconnectivity of businesses worldwide. The imperative to raise cyber awareness in organizations, particularly in the face of increased geopolitical instability, cannot be overstated.
Businesses must factor geopolitical contexts into their cyber security strategies and awareness campaigns, recognizing the direct influence these contexts can have on the threat landscape they navigate.
I hope my insights shared here can offer a blueprint for organizations looking to bolster their cyber awareness communication strategies. The journey to cyber resilience and heightened awareness may be complex, but as we've seen, it is certainly navigable with the right approach, commitment, and adaptability.
[1] Gartner Unveils Top Eight Cybersecurity Predictions for 2023-2024