It is one of the most successful health campaigns in Australian history. A simple message, spoken by a seagull named Sid:
“Slip on a shirt, slop on sunscreen and slap on a hat: Slip, slop, slap!”
Launched in 1980 by the Cancer Council Victoria, the campaign’s straightforward slogan has become part of Australian culture, remembered and readily recited by everyone from nine to ninety-nine.
It has also been hugely effective in its ultimate aim. Melanoma rates for those aged under 40 are declining, “basically the cohort that has been exposed … to the SunSmart message,” the campaign’s backers have said. Mostly unchanged (although seek shade and slide on sunglasses are included in the more recent version), the simple campaign has gone a long way to curb Australia’s ‘national cancer’.
There are now calls for a similar approach to be applied to cyber security. Last week, at the SINET conference in Sydney, a number of prominent CISOs made the case for a wide-reaching campaign, aimed at individual citizens.
“Something like the Slip, slop, slap programme,” suggested ANZ bank CISO Lynwen Connick. “Something that everyone remembers and understands. The Slip, Slop, Slap of Cyber.”
But can cyber hygiene advice be whittled down to a one-line slogan? And will people listen?
National behaviour change
The cost of cybercrime to the Australian economy is estimated to be $3 billion and rising.
Most individuals, however, don’t give cyber security a second thought. But it is individuals who get phished, click on links, reply ‘who is this?’, pick up USBs in car parks, and wire money ASAP. Some of them work at SMEs and big corporates.
“We can’t do it all for them. We can’t do everything on everyone's home computer. But we can do an awful lot to help with that education process,” Connick said.
One of the goals set out in the government’s $230 million Cyber Security Strategy launched in August 2016 was for all Australians to “have the cyber security skills and knowledge to thrive in the digital age”.
It notes the “comparatively low awareness” of cyber security risks in the general population, and calls for “national behavior change”, so people protect themselves.
A year on and there has been some progress (the Attorney-General’s Department, which is responsible for the awareness part of the strategy, says progress has been ‘strong’). There’s been a 27-page PDF pamphlet, for instance, and an ‘online website’ to be launched soon – but no punchy catchline or memorable campaign.
Cyber hygiene advice is out there. But you have to look for it, and understand it. You don’t need to know anything about cancer, the sun, melanoma, photons, skin or SPF ratings to remember: slip, slop, slap.
Why should I care?
The Stay Smart Online ‘My Guide’ (there is a similar guide for small business) whittles cyber hygiene down to a checklist of eight actions. Some of those eight actions are actually groupings of multiple actions.
They tell individuals what to do: ‘Always log out of the internet banking menu and closing (sic) your browser when you have completed a session’ is part four of six within ‘action’ number five. They don’t say why people should take those steps.
“We need to answer the question: ‘why is this relevant to me?’ We’re not talking about sorcery, we’re talking about very practical things that people can do whether you’re a small business or a larger enterprise or at home with your children – the same sorts of things work. The same sorts of behaviours work,” said Toby Dagg, manager at the Office of the eSafety Commissioner, to the SINET audience last week.
“There’s not really all that much difference in training people in Telstra to resist social engineering, than there is training anyone with families and children to recognise when those sorts of overtures are being made so they can recognise the risk and take steps to deal with it,” he added.
Even the simplified, aimed-at-the-layman My Guide includes words and phrases like ‘firewall’, ‘two-factor authentication’, ‘session’ and ‘plugins’.
“One of the most important things is about making this real for people. How can we explain this in language that people understand? We often don’t talk in English, those of us who have grown up as technologists and grown up in this business find it difficult to explain what the risks are,” added Connick, who in her previous role delivered the government’s cyber strategy as first assistant secretary, sharing and intelligence at the Department of the Prime Minister and Cabinet.
“We’re trying to get a lot better at that: how we communicate at the board level, how we communicate with senior customers and how we communicate with people out there at all levels so they understand the risks they’re taking if they don’t implement some of those cyber hygiene practices,” she said.
A 2001 evaluation of the slip, slop, slap campaign noted a key part of its success had been “a strong basis of consistency and continuity”.
A similar singularity is needed for its cyber equivalent, said Chris Mohan, general manager, threat research, intelligence and security, at Telstra.
“It has to be a cohesive message. If we have the same message but said in different ways – we’re going to confuse the population. It’s about coherent education that’s simple, direct and clear. Take out the geek words,” he said last week.
“Slip, slop, slap, when I came to Australia that was the first thing I heard. It’s really, really simple, really clear, really straightforward. I know what to do,” he added.
A number of large corporations are already running cyber security programmes for the general population. ANZ has learning material on its website (whittling safe banking advice down to seven tips) as do many major Australian corporations. Many others support various schemes and programs for the public. Telstra publishes numerous tip sheets and guides.
But the information is only seen if it’s sought.
The slip, slop, slap campaign by comparison was on television in some form for almost three decades. Representatives visited schools, community groups, sports clubs, workplaces and beaches with a simple message and millions of dollars in funding. Perhaps a more proactive approach is needed.
“We need advertising on television,” Connick added. “We need a way of getting out to more of a range of people. By doing that together we’ll be much more effective and there’ll be much more value to that investment.”
Do you have a suggestion for a one-line cyber hygiene slogan? Would a national campaign be effective?