07 Dec Unequal Internet Is A Reason We Need Diversity in Cybersecurity
Written by: Stacey Wright (Cybercrime Support Network) and David Ruiz (Malwarebytes)
Over the last year, diversity awareness movements have gained strength across the globe and crept into the cybersecurity realm. Cybercrime Support Network recently partnered with Malwarebytes on their study to better understand how fundamental differences in our experiences and perspective also impact our cybersecurity. We invited Malwarebytes to a recent LinkedIn Live segment, where we explored the findings as an indicator of the need to add greater diversity, equity, and inclusion (DE&I) to the cybersecurity workforce.
The Internet is Unequal
According to the study commissioned by Malwarebytes, several factors influence the impact of cybercrime.
Income was a determining factor, as those with higher incomes and levels of education tended to feel safer and more private online.
Gender was also relevant, with 46% of women reporting having their social media accounts hacked, compared to 37% of men. And women also were more likely to be the victims of cyberstalking than men, according to separate data that Malwarebytes referenced from the US Department of Justice and the Cyber Civil Rights Initiative.
Race also mattered. When it comes to cybercrime incidents, while 59% of all respondents reported experiencing no financial impact, only 47% of Black, Indigenous, or People of Color (BIPOC) respondents reported the same. Racial discrepancies in scams and frauds are not new; for almost two decades the Federal Trade Commission (FTC) has reported on and worked to counter schemes that disproportionately target victims based on race and ethnicity. In some cases, these groups experienced more frequent attacks and were more likely to be stressed by the crime than other demographics.
Cybersecurity Should Include a Recognition of DE&I
If the internet is unequal, then it is no surprise that security measures cannot be a one-size-fits-all response and, instead, need to be fitted to the audience. Like so many other areas, this is about recognizing our audiences for their uniqueness and then using that knowledge to implement cybersecurity tools, training, and education that fit the needs of the users. Accomplishing this will be a challenge, but by being more inclusive of employees, we can make progress toward a culture of cybersecurity.
For instance, understanding that younger age groups may feel less private online indicates that it might be wise, especially if you have a younger workforce, to deploy an extra layer of privacy tools (e.g. VPNs, laptop privacy screens, etc.). Or, if the Communications department includes women or BIPOC staff, it might be wise to speak with them regarding what would make them feel safer and less anxious as they interact with the online public.
Value of Diversity in Your Cybersecurity Plan
Diversity refers to anything that sets one individual apart from another, including the full spectrum of human demographic differences as well as the different ideas, backgrounds, and opinions people bring. Begin the diversity journey by understanding your internal and external customers. Who are they? Are they likely to have a different perspective of safety and security on the Internet? By learning and valuing their differences, cybersecurity practices can become more tailored to meet the needs of individuals.
It can be easy to forget that 20% of people may not understand what antivirus software does. In the Malwarebytes study, 21% of respondents were neither “familiar” nor “very familiar” with antivirus tools and only 67% used antivirus products themselves. Those trends are even worse for women, teenagers, and BIPOC individuals. If employees don’t understand antivirus, what are the chances they are using it on their home and BYO (bring your own) devices? Probably not high, which means education regarding antivirus software and its value may improve the security of your employees and, thereby, your data.
Taking this a step further, do your external clients understand the cybersecurity in place on your website? Would providing a link to a description, along with the cookies disclaimer, create a greater sense of trust?
Value of Equity in Your Cybersecurity Plan
Equity refers to fair treatment for all, while striving to identify and eliminate inequities and barriers. It’s important to remember that internet access is an expensive monthly bill and, in some places, not available. The same is true for computers and smartphones, and the software that goes on them. If these are tools that your employees need to do their jobs, whether they work from home, the office, or the road, it’s important to understand the realities of their personal lives. The Digitunity website is a great starting point to understand how the technology gap in non-deviced and under-deviced households may be affecting employees and your external clients.
Equity in cybersecurity goes further than just the technology gap as there is also a learning gap. Cybersecurity training frequently starts with an assumed baseline — a baseline that might rest on faulty assumptions. For instance, in a business where most employees do not work on computers, is it fair to assume that they will absorb a standardized phishing email training in the same way as someone who spends all day on email? Instead of standardizing your approach, consider a more dynamic possibility where you adapt to such differences.
Value of Inclusivity in Your Cybersecurity Plan
Inclusion implies a cultural and environmental feeling of belonging and sense of uniqueness. It represents the extent to which employees feel valued, respected, encouraged to fully participate, and able to be their authentic selves. One key component of inclusivity in cybersecurity is ensuring employees are comfortable approaching the cybersecurity staff to report incidents and make recommendations. On the surface, this probably seems like an easy task, but cybersecurity mistakes can trigger human resource actions, which may discourage employees from future reporting.
A few years ago, a series of emails used compromised credentials to target people with an extortion scam. The emails were sent to work email addresses and included the users’ passwords. Users who saw their current passwords often believed the emails and fell prey to the extortion attempt because they were afraid cybersecurity staff would start an investigation if they saw their current password was compromised. As it turned out, this was a scam relying on leaked credentials, but it clearly shows the need to build trust between security staff and employees.
To start with, be inclusive of users from different departments, groups, and backgrounds to provide feedback and ideas or share problems. Something as simple as working with users to add inclusivity to your cybersecurity approach can resonate broadly and go a long way toward ensuring employees feel valued and respected by the security team. Having those audiences in the room while making design decisions means understanding different goals for the project, which makes it more user friendly and more likely to succeed in the long run.
Now Is the Time to Move to a DE&I Cybersecurity Model
Like so much else in our lives, what works for one person is not necessarily ideal for another, and understanding this affects how we serve our cybersecurity clients and colleagues. Now is the time to incorporate these findings into a cybersecurity program. By connecting with coworkers and incorporating different perspectives into cybersecurity tool deployment and education, you’ll be providing others with support that will enable them to more successfully contribute to the organization’s mission and purpose. In the end, including different perspectives makes us all more cybersafe.