Here are 5 surprising cybersecurity facts, and how you can use them to drive better team-wide cybersecurity outcomes.


Key Takeaways

  • A few simple things can make a big difference in cybersecurity, as a few surprising statistics show.
  • Behavioral changes and habits are key to boosting cybersecurity.
  • Messaging campaigns can effectively augment workplace security.
  • But cybersecurity efforts should span both home and the workplace, because it’s about habits, not one-off choices.

1. Using a strong password and MFA together reduces your risk of a cyber incident by 99%.

That’s right. It’s not the only thing you and your team (and, for that matter, family) should do, but if you do only one thing (well, sort of two), make it the one-two punch of a strong password and multi-factor authentication (MFA). A 99% return is a huge gain for so little effort. And despite its unwieldy name, MFA is incredibly simple.

Here’s a kicker, though: cybercriminals only need one way in, and attacks on passwords are relentless. Microsoft has reported that they deflect more than 1,000 password attacks per second, and that more than 99.9% of successfully breached accounts in password attacks don’t have MFA enabled.1

While more than 60% of companies with over 10,000 employees require some form of MFA to access digital accounts, these requirements aren’t always comprehensive for every digital tool these companies use, and it remains the case that some services still don’t offer it. Further complicating the situation is that work decidedly doesn’t happen only at work these days. Home devices introduce vulnerabilities when employees (or their family) don’t use MFA, share devices, or reuse passwords.

Simply getting people across the finish line and enabling MFA for work and home accounts (paired with strong, unique passwords) is basically a set-it-and-forget-it, highly effective win for cybersecurity teams. How do you deal with resistance, uncertainty about what sounds like a complex solution, or “it’ll never happen to me” thinking? One option is to use creative marketing-style campaigns to “default” employees into using this simple but highly effective combo.

2. The current recommendation for password length is at least 15 characters.

With more powerful computers being used for both good and ill, shorter passwords can be cracked almost at will. Unfortunately, the problem is only going to get worse with the possible rise of quantum computing (which is expected to be powerful enough to crack the encryption itself, making encrypted passwords moot… but we’re not there yet).

For now, strong passwords are still important, and when paired with MFA (see above), they’re incredibly effective (though without MFA, a seriously motivated, highly skilled hacker could likely get past even a strong password). There are a few things to keep in mind, even when using sufficiently long and complex passwords:

  • Don’t reuse passwords across accounts.
  • Don’t save passwords in browsers.
  • Never share your password with an unknown or unverified person, even if they claim to be someone you trust.

One simple tool that can greatly simplify the password hustle is a password manager. Much like MFA, password managers are actually very simple tools and make life easier. But they don’t sound like it, and adoption itself is the biggest hurdle. Like MFA, an engaging campaign that guides your audience into using a password manager (rather than simply telling them they should because it’s good for them) is an effective solution that will stick. It’s harder to stop using a password manager once you’ve started than it is to keep using one. Easy peasy.

3. However, current guidance warns against requiring overly frequent password updates.

Users get frustrated and stop trying entirely. Password managers are highly recommended to help mitigate the pain points users experience with long and complex passwords.

If you’ve made headway and actually get users using password managers and MFA, you probably shouldn’t require frequent password updates. While password managers and MFA are low effort once they’re in place, requiring passwords to be updated frequently has been shown to decrease morale, boost resistance to cybersecurity best practices as they become perceived as burdensome, and promote reusing passwords and saving them in inappropriate places (written down, in browsers, etc.).

Focus instead on strong, unique passwords that are long enough, and on being notified when stolen passwords are found on the web (a common feature of password managers and of some other services like banks and Google, but it requires being turned on, which you should do and encourage others to do as well).


4. More than 60% of cyber breaches occur because of human behavioral error rather than a flaw in tech or software.

We mention this one a lot at Sans Serif, but it’s worth repeating: tech solutions and the vigilance of cybersecurity teams alone aren’t enough to stop cybercrime. The “human element” in cybersecurity is pervasive and notoriously difficult to address. Every sophisticated, high-powered tech solution in the world, implemented perfectly, can’t account for a poor or misinformed decision by an employee with a company device or account.

So how do you target change-averse, busy, convenience-seeking human beings? Creative marketing-style campaigning can be a supercharged tool for shaping perception and nudging behavior. Like well-executed brand marketing that can transform casual customers into brand champions, a truly compelling internal cybersecurity marketing campaign can transform workers from digital security dilettantes into cybersecurity champions.

5. The majority of people don’t use strong passwords or MFA at home, even if they do at work.

In the long term, the goal should always be to create cybersecurity champions, and to be cybersecurity champions ourselves. At Sans Serif, that’s a part of our work culture. You might think we were cybersecurity professionals!

We’ve done a number of projects that don’t only target workday behavior; they also encourage that behavior to extend to home and family life. But why should that matter to an employer or an organization’s cybersecurity team?

At least two reasons:

  • With remote and blended workplaces, the lines between work and home have blurred significantly. It may not be a best practice or even allowed, but workers are probably doing work on personal devices and doing personal things on work devices. Your digital life is your real life.
  • The most effective way to create cybersecurity champions is to make it a part of their whole lives. If someone is sloppy about cybersecurity at home, they probably don’t understand the importance of it and will also be sloppy about it at work unless heavily policed.

Besides, it’s also just a good thing to do. For employees, it’s practically a fringe benefit—an opportunity to develop a crucial life skill in the modern world. It’s a mission-critical skill that can benefit employees at work and at home. And it yields huge benefits for employers and employees alike when employees deploy top-notch cybersecurity habits in both places.

To get the maximum benefit of a cybersecurity campaign, making it a wrap-around effort can harden cyber defenses and bolster the chance of avoiding major cybersecurity failures. It also benefits families, kids, schools, and even seniors, who experience unique cyber vulnerabilities. It creates a more secure world for us all while delivering concrete value for businesses.

Reach out!

As one of our premier and unique areas of expertise—there aren’t many, if any, other creative agencies taking on this incredibly important challenge with a level of knowledge and experience like we have—cybersecurity is something we take seriously and love to work on. It’s a true communication challenge that, when tackled effectively, yields tangible benefits for clients and society.

Curious to learn more about how we can boost your cyber defenses where it matters most? Already know you need a creative cybersecurity campaign partner? Don’t be afraid to reach out!
