Reaching the cybersecurity tipping point

Feb 22, 2017 | 4 min read
Topics: Compliance, Internet Security, IT Skills

Are you creating conditions that lead your employees to commit themselves to solid security and privacy practices?


Remember that moment when you really committed yourself to solid security and privacy practices? The moment when you committed to never clicking on a link you weren’t sure about, to always checking for badges on people coming in the door, to always using your password manager to create a complex password? If you do, you reached your “cybersecurity tipping point.”

For many, that moment has not yet come. And if you are reading this article, it might be your job to get your employees to hit that point. And you already know that the hard part is figuring out how.

It’d be great if we could schedule the tipping point for our employees. Maybe we’d put it at the end of our annual training, right when they click to acknowledge their acceptance of policies.

But humans don’t work that way. Every person hits their tipping point based on different prompts. In his book The Tipping Point, Malcolm Gladwell explained just how complicated it is to figure out how ideas or social movements reach a tipping point—let alone to figure out how to engineer a tipping point in the behavior of employees in your organization.

How to get employees to hit their cybersecurity tipping point

Complicated, yes, but not impossible. Case in point: last month’s celebration of Data Privacy Day, when a couple people in my company hit their cybersecurity tipping point. Here’s how it went down:

I arrived at work early and planted a file folder with (bogus) personal information in an upstairs conference room and a USB drive containing the same bogus data in the downstairs print room. I then sent out an all-hands email inviting people to celebrate Data Privacy Day by watching our video on incident reporting.

Then I waited.

And waited. I wanted to see if anyone would find the documents and report them. By noon, no one had, so I sent out a note to everyone that ended like this:

So folks, I planted two potential sources of privacy violation in plain view today, before you all arrived, and no one has reported anything yet. So keep your eyes out, and report any issues you see right away. There may be a little something in it for you.

Then it got fun. Within about 10 minutes, our copy editor was at my door with the USB drive.

“Did you plug it into your computer?” I asked.

“Heck no,” she said.

“Right on!” I replied, handing her a $25 Amazon gift card.

Hot on her tail were two guys from marketing who had found the file folder earlier in the day but had not gotten around to reporting it until just now. They got a hearty thanks and a small consolation prize.

But it didn’t stop there. Two guys from biz dev came down:

“Hey, what about this document marked confidential we found on the printer?”

An accounts payable person ran into me in the hall: she loved the video. And one of our salesmen ribbed me: “I finally got why you’re always harping on things like Privacy Day and Security Awareness Week.”

That’s right! Basically, all over the office, people had conversations about the kinds of data that should get reported, who to report it to, and what to do if the data wasn’t sensitive but shouldn’t be floating around.

Moving towards their cybersecurity tipping point

Nothing “went viral.” I don’t have any hard evidence that anyone hit a cybersecurity tipping point. But I believe we made some progress, and I’d encourage you to recognize the important role that special days like this play in building overall awareness in your population. They don’t even have to be special days; they can just be informal, mundane activities that open people’s eyes to the role that data protection plays in running your business.

You’ll never create a risk-aware culture by releasing annual training; you won’t even get there with quarterly training. You can’t schedule anybody’s cybersecurity tipping point, and no one has yet figured out how to make a video “go viral.” But if you consciously plan to create moments that engage people’s thinking about security and privacy throughout the year—and if you weave them into the very fabric of your culture—you stand a good chance of making data protection one of the central values of your company.

So let me ask you: how are you creating the conditions that lead your employees toward their cybersecurity tipping point?

Tom Pendergast, Ph.D., is the chief architect of MediaPro’s Adaptive Awareness Framework, a vision of how to analyze, plan, train and reinforce to build a comprehensive awareness program, with the goal of building a risk-aware culture. He is the author or editor of 26 books and reference collections. Dr. Pendergast has devoted his entire career to content and curriculum design, first in print, as the founder of Full Circle Editorial, then in learning solutions with MediaPro.

The opinions expressed in this blog are those of Tom Pendergast and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.