Yesterday the White House and the National Cyber Security Alliance announced a national campaign promoting strong authentication, called Lock Down Your Login. I was fortunate enough to be part of the planning committee that helped design this campaign and wanted to share why I feel this is a big deal.
- Focus: The key to changing behaviors is to focus on as few behaviors as possible. Focus on too many and you have cognitive overload, a fancy way of saying people are so overwhelmed they forget everything. The White House and NCSA did a fantastic job of focusing on just one key behavior - getting people to enable strong authentication, primarily two-step verification. Focusing on just one behavior is really hard, especially for the security community, who often feel compelled to mitigate all risks. However, they picked the right behavior, as time and time again we see weak passwords or poorly secured accounts as the primary cause of breaches. The 2016 Verizon DBIR even goes so far as to state that two-step verification is the number one step organizations can take to protect themselves against breaches.
- Communication: The second thing they did right is understand that awareness is not a technical challenge but a communications challenge. The key to changing people's behavior is engaging them. So what did NCSA do? They reached out to and built relationships with several advertising agencies, people who specialize in engaging people and changing their behaviors. Time and time again I've seen awareness programs fail because the people leading them had no experience or expertise in communication. The NCSA took the opposite approach: they partnered with world experts in this.
- Collaboration: The White House understood they were not the ones who should be communicating this message. This is a community effort that involves the help of numerous organizations. As such, the White House tapped the NCSA to coordinate the efforts of hundreds of organizations to spread the word, such as Facebook, Intel, Mastercard, and USAA. This is the same approach organizations would take using "Security Ambassadors" but taken to a national level. It's highly effective and you scale your ability to reach others, embedding yourself throughout the organization (or in this case throughout the nation). To learn more about this concept, I highly recommend you read John Kotter's most recent book - Accelerate.
This is a great example of how a national security awareness campaign should be done. Keep it simple, focus on engaging people, and do it through collaboration with others. In a future blog I'll do an interview with the folks from NCSA so we can all learn how they pulled this off and lessons learned. You think reaching 350 people is hard? Try reaching 350 million people.