Cybersecurity is the defining problem of the digital era. Data breaches, ransomware, IP theft and increasingly frequent, dangerous attacks on networks are getting worse, not better. The risks to economic prosperity, social cohesion and national security have been mounting for years. We are now at the point where the President of the United States has had to put companies across the country on “high-risk” alert against a Russian cyber-attack, his most prominent warning yet.
So why are average citizens and technology users paying so little attention? One answer is that they are receiving insufficient and inadequate communication around cybersecurity. What would it take for the tech companies who make and sell the tools and solutions that we use every day to improve cybersecurity communications that would, in turn, improve outcomes for users? The simple answer is competition: just as technology firms compete to offer the most secure software at the lowest prices, communications around cybersecurity should be a competitive imperative for tech companies.
The need for better cyber defenses is clear, but it extends far beyond improving technical tools. Cyber-attackers are strategic and concentrate on the weakest link in the chain, and that link is very often a human being making a snap decision about the next click, login or download. So, as difficult and frustrating as it can be to change how people use technology, we must make progress on modifying human behavior by communicating cybersecurity risks more effectively. That responsibility falls properly on the big technology providers, which have the widest attack surfaces, the most influence and the largest customer bases.
At its core, cybersecurity depends on communication. Outdated security policies that are poorly communicated are as dangerous as substandard code and other flawed technical features. Changing human behavior in digital security falls on the technology companies themselves, which need to get better at explaining digital security issues to their employees and customers. In turn, tech companies can help employees and customers understand what they can do to make things better and why they need to be active participants in defending themselves, our shared data and our digital infrastructure.
Instead of competing on the lowest price or claims of best service, how do we incentivize service vendors, cloud providers, device manufacturers and other relevant technology firms to pay more attention to how they communicate with users around security? Rules and regulations? Possibly. Improving how companies communicate and train on security? Absolutely. Shaping a marketplace where tech companies compete more intensively for business on the technical and training elements of security? Definitely.
It would be convenient if regulators could identify a set of best practices, much like the National Institute of Standards and Technology’s technical standards, and then require compliance with them, forcing all providers to do it one way. The challenge is that current ‘best practices’ aren’t nearly good enough. If you use a computer at work, you have likely received emails from your IT team telling you what to do and not to do, you may have been required to take an online or even in-person cybersecurity training course, and you might even have been subjected to internal ‘fake attacks’ engineered by your own security people to test your reactions and teach a lesson that way. Many of these communications have a ‘naming and shaming’ component, designed to make people who did the wrong thing feel bad or even stupid. Other communications you have received probably seem overly technical, using phrases like ‘access to admin or root privileges’ or ‘lateral movement across the network.’
Rather than imposing “tech speak” or naming and shaming, companies should rely on simple explanations that break down modest and doable actions into bite-sized chunks to improve digital security habits over the long term. We know from the COVID-19 pandemic that people are more likely to respond well to appeals to community interest—protecting one’s family, friends, and coworkers. Similarly, good cybersecurity hygiene protects the individual and organization they work for, as well as anyone else whose contact information is in their database.
Now, envision a marketplace where tech companies compete more intensively for business on the technical and training elements of security, and on how well they communicate them to employees and customers. For example, cloud service providers should compete not only on price, value-add services, ease of migration and integration, and other common features, but also directly on security and on how clearly they communicate it. With communication practices as a competitive imperative, we will see more experimentation with strategies that more effectively motivate users to improve their digital habits over time, resulting in a more secure digital ecosystem.
Competition is the bedrock of innovation. A robust competitive marketplace where customers can vote with their feet easily and move to providers who produce better security – technical and non-technical – should be the next big goal for cybersecurity and will benefit our entire society. Tying market success more closely to clear communication and practical cybersecurity outcomes is a sure way to get action from big tech companies and improve our cybersecurity ecosystem as a whole.