Cyber security awareness in a crisis context

With COVID-19 pandemic, we are living an unprecedented situation of major crisis.

Many employees are then working from home. They have to adapt to a new, perhaps temporary, working organization.

More isolated, they find themselves having to adapt in a particularly anxiety-provoking context. They are worried about their health and their loved ones. They also often worry about their jobs and their financial future. This situation, where apprehension and frustration dominate, is not the most favorable for employees to care about cybersecurity.

Cybercriminals, on the other hand, have understood what they can do with this situation. Attacks continue to multiply. For example, publisher Barracuda Networks reports a 667% increase in phishing attacks in March. We know that a phishing attack is the most effective if it relies on fear and urgency. The current situation is therefore a breeding ground for scams and attacks of all types. Attacks exploiting this fear of illness take a variety of forms. The attackers pretend to be, for example:

  • Health authorities to collect your sensitive personal information,
  • Charities claiming to collect donations to fight the epidemic and thus rob you,
  • Authority issuing exit permissions which are infected word files,
  • People who hold information and seek to monetize it or even exercise threatening blackmail,
  • People able to sell you masks, tests or all kinds of equipment,

We can clearly see that we have to cope with a dilemma and an equation that is difficult to solve. The need for awareness has never been greater, while reaching users and getting messages across have never been more difficult.

When people have to deal with such a stressful situation, theory teaches us than they have to go through three circles:

  • Circle of fear,
  • Circle of learning,
  • Circle of transformation.

Thus, our awareness-raising actions, coordinated with the company’s HR actions, must be accompanied by an evolution of employees through these different circles. Only by leaving the first circle can we make these awareness-raising actions as effective as possible.

It is likely that appropriate communication actions will be carried out within your organization to inform employees about the actions taken to deal with this crisis and to give them the means to act and project themselves in the future despite the difficulties of the moment.

You must therefore include your awareness messages in this context. They must not appear disconnected from the reality experienced by employees.

Thus, for example, the messages inviting to follow awareness-raising media must be particularly well worked out.

Similarly, the choice of awareness-raising materials used must also answer the questions that employees may ask themselves in this context.

Finally, the tone must be chosen with care. Indeed, in many standard awareness campaigns, we first try to dramatize the subject so that the learner understands its importance. It is possible that such an approach, in this already sufficiently anxiety-provoking context, is no longer the best and that a certain form of humor may, on the contrary, be better perceived.

Example of a short and humoristic video