The head of the Canadian Centre for Cyber Security says a goal can’t be set for when Canadians will be fully cyber-secure, but that education needs to be consistent, not be fear-based, and it needs to use simple language.
“I don’t really have a timeline, I don’t think that it’s going to be every Canadian will be cyber trained by 2035,” Scott Jones said in an interview.
“With education, you have to want to learn it. And until there’s some reason to pick it up, it’s always going to be ‘let’s make sure the information is there and hopefully getting out to people when they need it.’ So they can consume it when it matters to them.”
Jones said that the education process is mostly through campaigns that are spread to the public when an attack happens or when the centre learns that a particular type of attack is trending. More recently, the centre has been working on educating Canadians around COVID-19 scams.
Sumit Bhatia, director of communications and knowledge mobilization with Ryerson’s Cybersecure Catalyst, agreed with Jones that a timeline shouldn’t be placed to get everyone cyber trained, but that it should be required as part of a school curriculum.
“I believe a timeline is important, I think it will help us work towards something. I think what is important is we do not need to make a timeline for getting everybody cyber secure, but we need to make a timeline towards taking those steps that will get people started towards securing themselves,” he said.
“That is where education comes in. We can’t say, let’s get all Canadians cyber secure in the next five years, but we can say in five years we’re going to implement a national program for security-based education as a part of every school curriculum.”
Despite not having a timeline, Jones added that the centre has consistently been releasing material for Canadians to learn from and work in collaboration with industry leaders to bring products to Canadians that will help them become more secure.
“We work with technology vendors, years before their product comes out,” said Jones. “We work to try and raise the bar so we try to have security build in by default,” adding that ahead of cybersecurity awareness month the centre revamped its website to help Canadians.
Less fear, more practical campaigns with simple language more effective
Jones noted that things have changed in the past five years on how the centre is educating Canadians, and that includes fewer fear tactics and more practical-based education.
“One of the biggest [changes] is in a lot of countries fear-based education works. So be scared of this and take action. It doesn’t work in Canada,” he said.
“Canadians for the most part, we’ve seen, is they don’t respond well to fear-based campaigns. But practical things they can do get much more pick up.”
Jones added that in the past it wasn’t “meant to be fear-based,” but that education was always tied to doing something, otherwise an attacker will target you.
He also added that education now uses fewer technical terms and language that is understood by all Canadians.
“In the past, basically at all levels it was very technical. It was hard to follow. And now I think we’re talking to people in the language they understand,” Jones said. “I think it’s really a change away from fear.”
Jones noted that now material uses language like “update your phone,” instead of using technical terms like “apply patches on your cell phone.”
He added that the centre’s new campaigns are created using easy graphics and working with local organizations or law enforcement. The main messaging that the centre tries to enforce is to practice good password etiquette, using strong passwords, using multi-factor authentication, and securing social media and email accounts, Jones added.
Bhatia said that in some ways in the past educators spoke about the fear of cybersecurity and didn’t talk about it as a practice.
“Fear always creates a reaction, whereas education is about being proactive,” he said.
Bhatia added that more needs to be done at a greater scale, noting the success coming out of the anti-smoking or wash your hands campaign. Bhatia added these campaigns were distributed at a much larger scale, drawing more attention.
“So while we are going to see campaigns happen in cybersecurity and some of these campaigns are important, are they really being handled in the same way so that there is consistency? Is there a volume of messaging and a collaborative approach that’s being demonstrated? I don’t think so. I don’t think we’ve hit that point yet,” he said.