Are you creating conditions that lead your employees to commit themselves to solid security and privacy practices? Credit: Thinkstock Remember that moment when you really committed yourself to solid security and privacy practices? The moment when you committed to never clicking on a link you weren’t sure about, to always checking for badges on people coming in the door, to always using your password manager to create a complex password? If you do, you reached your “cybersecurity tipping point.”For many, that moment has not yet come. And if you are reading this article, it might be your job to get your employees to hit that point. And you already know that the hard part is figuring out how.+ Also on Network World: Security fatigue—or how I learned to overcome laziness and use a password manager +It’d be great if we could schedule the tipping point for our employees. Maybe we’d put it at the end of our annual training, right when they click to acknowledge their acceptance of policies.But humans don’t work that way. Every person hits their tipping point based on different prompts. In his book The Tipping Point, Malcolm Gladwell explained just how complicated it is to figure out how ideas or social movements reach a tipping point—let alone to figure out how to engineer a tipping point in the behavior of employees in your organization. How to get employees to hit their cybersecurity tipping pointComplicated, yes, but not impossible. Case in point: last month’s celebration of Data Privacy Day, when a couple people in my company hit their cybersecurity tipping point. Here’s how it went down:I arrived at work early and planted a file folder with (bogus) personal information in an upstairs conference room and a USB drive containing the same bogus data in the downstairs print room. I then sent out an all-hands email inviting people to celebrate Data Privacy Day by watching our video on incident reporting. Then I waited.And waited. I wanted to see if anyone would find the documents and report them. By noon, no one had, so I sent out a note to everyone that ended like this:So folks, I planted two potential sources of privacy violation in plain view today, before you all arrived, and no one has reported anything yet. So keep your eyes out, and report any issues you see right away. There may be a little something in it for you.Then it got fun. Within about 10 minutes, our copy editor was at my door with the USB drive.“Did you plug it into your computer?” I asked.“Heck no,” she said.“Right on!” I replied, handing her a $25 Amazon gift card. Hot on her tail were two guys from marketing who had found the file folder earlier in the day but had not gotten around to reporting it until just now. They got a hearty thanks and a small consolation prize.But it didn’t stop there. Two guys from biz dev came down:“Hey, what about this document marked confidential we found on the printer?”Bingo! An accounts payable person ran into me in the hall: She loved the video. And one of our salesmen ribbed me: “I finally got why you’re always harping on the things like Privacy Day and Security Awareness week.”That’s right! Basically, all over the office, people had conversations about the kinds of data that should get reported, who to report it to, and what to do if the data wasn’t sensitive but shouldn’t be floating around.Moving towards their cybersecurity tipping pointNothing “went viral.” I don’t have any hard evidence that anyone hit a cybersecurity tipping point. But I believe we made some progress, and I’d encourage you to recognize the important role that special days like this play in building overall awareness in your population. They don’t even have to be special days; they can just be informal, mundane activities that open people’s eyes to the role that data protection plays in running your business.You’ll never create a risk-aware culture by releasing annual training; you won’t even get there with quarterly training. You can’t schedule anybody’s cybersecurity tipping point, and no one has yet figured out how to make a video “go viral.” But if you consciously plan to create moments that engage people’s thinking about security and privacy throughout the year—and if you weave them into the very fabric of your culture—you stand a good chance of making data protection one of the central values of your company.So let me ask you, how are you creating the conditions that lead your employees toward their cybersecurity tipping point? Related content opinion 5 employee awareness predictions for 2018 Employee security and privacy awareness trends we expect to see this year. By Tom Pendergast Jan 16, 2018 7 mins Technology Industry IT Skills Data and Information Security opinion Is all fair in simulated phishing? We’ve all heard the saying “all is fair in love and war,” but what about when it comes to simulated phishing? By Tom Pendergast Nov 16, 2017 6 mins Phishing Technology Industry Email Clients opinion The silver lining on the Equifax breach If we seize this moment to get people more engaged in understanding and acting upon information security and protection, it may turn out that the Equifax breach was a good thing after all. By Tom Pendergast Oct 13, 2017 4 mins Data Breach Technology Industry Data and Information Security opinion A note to mom about cybersecurity If you could get the people you know to commit to doing just a few things right around cybersecurity, what would they be? By Tom Pendergast Sep 18, 2017 6 mins Passwords Technology Industry Social Engineering Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe