Something quite unique is taking place right now. A confluence of two unrelated events and news stories that together may have enough of an impact to help influence security awareness and behaviour. I’m firstly talking about the rapidly approaching May 25th deadline for the enforcement of the General Data Protection Regulation, otherwise known as GDPR. We’re also talking about the evolving story of data leaked from Facebook on a massive scale and used to analyse, and some would contend unduly influence, voter behaviour. Facebook, GDPR and security awareness are creating a perfect storm.
The GDPR Deadline Looms
GDPR is everywhere right now. While in the last year or so it’s fair to assume that most large organisations had their GDPR and security awareness plans well underway, of late it feels like there is now a wave of panic setting in among smaller organisations. Much of this, I suspect, is driven by “fear-mongering” by vendors dangling the threat of huge fines for non-compliance should the ICO ever come knocking.
As part of their compliance efforts, many organisations have decided it prudent to seek “re-consent” from their email lists. This is leading to an inbox avalanche of GDPR-related messages to almost every person in the western world. The consequence is that GDPR and security awareness, in general, are fast becoming a discussion at cocktail parties – and when was the last time you remember that happening to a piece of EU legislation?
Then there’s the current debacle over the leaked private data of tens of millions of users of Facebook, allegedly being used to analyse and then influence the outcomes of elections, both in the US and in the UK.
It’s hard to recall a time when data privacy has been so top of mind for so many people, regardless of their walk of life.
What Does That Mean For GDPR and Security Awareness?
So what does that mean for those of us engaged in the pursuit of trying to positively influence security awareness, behaviour and culture? Well, you might argue that there is a risk that those of us who seek to positively influence behaviour using the same deep understanding of the human psyche as the “bad guys” risk being tarred with the same brush.
This kind of white hat/black hat debate is not a new one in the security industry. Surely, though, the best defence from any sort of leading-edge technique is to get one step ahead in understanding it and then employing it in your own defence? And it’s not like we have a choice. Whether it’s GDPR, ISO27001 or PCI DSS (as examples) you are considering, they all stipulate the need for training and security awareness in the legislation.
In my view, as an industry, we’re way behind in this area, with only a handful of academics and individuals really making significant progress in “weaponising” cultural insights for the purposes of good.
Luckily we’re already a number of years down this road at Marmalade Box. We’ve been deepening our understanding and applying such insights for more than six years. The culmination of this research is our unique SABC framework enabling you to put what we’ve learned into practice.
With security and privacy issues so top of mind at present, surely there’s never been a better time to get up to speed and apply these techniques in your own GDPR and security awareness training?