By NHI Mgmt Group Editorial Team | Published 2025-10-27 | Domain: Governance & Risk | Source: 1Password

TL;DR: During Cybersecurity Awareness Month, $100,000 was donated to six organisations supporting youth digital literacy, online safety, and STEM education, according to 1Password. The signal for identity teams is that secure behaviour starts earlier than policy enforcement, and security culture has to extend beyond the enterprise.


At a glance

What this is: A 1Password community-focused post about funding and volunteering for youth digital literacy, online safety, and STEM education.

Why it matters: For IAM practitioners, security awareness, identity hygiene, and safe online behaviour are shaped long before people enter the workforce or manage enterprise credentials.



Context

Digital literacy and online safety are not side topics in identity security. They shape how people recognise risk, handle accounts, and respond to social engineering before those behaviours become enterprise incidents. This post is a community impact update from 1Password, but the underlying issue is broader: security programmes rely on human behaviour that starts being formed well before formal IAM controls are introduced.

For IAM, IGA, and security leaders, the practical question is not whether community investment replaces technical controls. It does not. The question is whether organisations understand that safe identity behaviour depends on education, confidence, and basic online judgment as much as it depends on authentication policy and access governance.


Key questions

Q: How do digital literacy programmes affect identity security?

A: They reduce the likelihood that users will hand over credentials, approve suspicious prompts, or mishandle account recovery. That lowers the burden on IAM controls because fewer incidents start with avoidable human error. The biggest gains usually appear in phishing resistance, safer password behaviour, and better reporting of suspicious activity.

Q: Why should IAM teams care about online safety education?

A: IAM controls assume people can make safe choices when they are asked to reset credentials, approve access, or follow login prompts. Online safety education improves those choices and reduces support-driven exposure. It also helps users spot manipulation early, which is often the difference between a blocked attempt and an account compromise.

Q: What should security teams measure after awareness training?

A: Measure behaviour, not attendance. Look for changes in phishing report quality, reduction in unsafe account-recovery events, faster escalation of suspicious prompts, and fewer users repeating the same mistakes. If those signals do not move, the training has not translated into identity risk reduction.

Q: How can organisations connect community education to IAM outcomes?

A: They can support programmes that teach safe online behaviour, then use the same lessons internally in security awareness and policy design. The point is to build a broader culture of verification and caution that makes enterprise identity controls easier to operate effectively.


Technical breakdown

Why digital literacy affects identity security outcomes

Digital literacy is the baseline ability to recognise unsafe links, suspicious requests, and poor account-handling habits. In identity terms, it influences whether users create weak recovery patterns, reuse credentials, or fall for phishing that exposes enterprise access. Security programmes often treat awareness as a communications layer, but it is really a control-adjacent input to authentication resilience, account recovery safety, and safe use of shared systems. When digital safety skills are weak, downstream IAM controls absorb more user error and more social-engineering pressure.

Practical implication: treat digital literacy as a risk-reduction input to identity programmes, not a separate CSR topic.

How online safety education supports secure account behaviour

Online safety education helps people understand how accounts are taken over, how trust is abused, and why suspicious prompts should be challenged. That matters because identity systems depend on users making sound decisions in moments where technology alone cannot intervene, especially around password resets, verification messages, and delegated access. In practice, better education reduces the chance that identity controls are bypassed through manipulation rather than technical compromise. It also improves the quality of security reporting when users know what abnormal activity looks like.

Practical implication: align awareness content to account recovery, phishing resistance, and reporting behaviour, not generic cyber slogans.


NHI Mgmt Group analysis

Community digital safety is upstream identity security. This post is not about enterprise IAM mechanics, but it does show that security behaviour begins long before a user enters a corporate directory. If people are not taught to recognise unsafe requests, suspicious links, and poor account habits early, the IAM programme inherits avoidable risk later. Practitioner conclusion: security teams should treat digital literacy as a foundational trust input, not an afterthought.

Identity resilience depends on human judgement as well as technical policy. Password resets, phishing resistance, and account recovery all fail more often when users do not understand the consequences of unsafe online behaviour. That makes education a practical part of the control environment, even when it sits outside the IAM toolchain. Practitioner conclusion: the strongest identity programmes pair policy with user capability-building.

Public-good investment can reduce future IAM support burden. Supporting organisations that teach online safety, STEM, and digital skills helps build a population that is less likely to normalise insecure account behaviour. That does not replace enterprise controls, but it can lower the volume of predictable user-driven incidents over time. Practitioner conclusion: security leaders should recognise awareness investment as part of ecosystem risk management.

Cybersecurity Awareness Month works best when it changes behaviour, not messaging. Donations and volunteering are only useful to identity teams if they reinforce practical habits around verification, safe access, and reporting. The value is in reducing unsafe defaults before they reach the enterprise environment. Practitioner conclusion: align awareness programmes with measurable behaviour change, not campaign visibility.

Digital literacy is a prerequisite for broader identity governance maturity. IAM, IGA, and PAM all assume that users can follow guidance, recognise abnormal prompts, and act on security instructions. When that capability is weak, governance becomes harder to sustain at scale. Practitioner conclusion: identity leaders should connect workforce education to the reliability of downstream access controls.

From our research:

  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, which shows how often lifecycle governance lags behind operational reality.
  • For a broader view of unmanaged identity exposure, see The 52 NHI breaches Report for case patterns that link weak governance to real-world compromise.

What this signals

Digital literacy is a governance input, not just an awareness topic. As identity programmes mature, teams should expect more scrutiny of the human behaviours that feed recovery, consent, and access workflows. The practical shift is toward training that reduces friction at the point of decision, not campaigns that simply repeat policy language.

The broader signal is that security culture cannot be limited to employees. Community education, parent guidance, and youth programmes all shape the long tail of identity behaviour that IAM teams eventually inherit. That makes ecosystem investment a legitimate part of resilience planning.

Account recovery risk remains one of the clearest tests of user capability. Organisations that want stronger identity outcomes should watch whether users understand verification steps before they are forced into support escalation. Better first-time behaviour here usually correlates with fewer avoidable access incidents later.


For practitioners

  • Map awareness content to identity failure modes: Build training around phishing, account recovery, suspicious consent prompts, and unsafe sharing rather than generic cyber hygiene messaging. Tie each topic to the identity events your programme actually sees in support tickets and incident reviews.
  • Use school and community programmes to shape future user behaviour: Support digital literacy initiatives that teach safe online behaviour before users become employees, contractors, or administrators. Earlier habits influence how people handle credentials, prompts, and access decisions later in life.
  • Measure whether awareness changes reporting quality: Track whether users submit better-quality phishing reports, recognise suspicious verification flows, and escalate account anomalies faster after education campaigns. Behavioural improvement is more meaningful than attendance counts.
  • Align identity policy with user capability: Review whether your account recovery, MFA enrolment, and access request flows assume a level of user understanding that your audience does not yet have. Where they do, simplify the path and add guidance at the point of decision.

Key takeaways

  • This post is about community investment, but the security lesson is that identity risk starts with user behaviour long before enterprise controls are involved.
  • Digital literacy, online safety, and account-handling habits directly affect how well IAM and access governance hold up under real-world pressure.
  • Security leaders should connect awareness, policy design, and user capability if they want fewer avoidable identity incidents.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AT-1 | Awareness and training support safer user behaviour around identity.
NIST SP 800-63 | | Digital identity guidance depends on users handling credentials safely.
NIST Zero Trust (SP 800-207) | PL-5 | Zero trust assumes users can make verified access decisions under policy.

Tie identity awareness content to phishing, recovery, and reporting behaviours under PR.AT-1.


Key terms

  • Digital Literacy: The ability to use online systems safely, critically, and confidently. In identity programmes, digital literacy affects whether users recognise suspicious requests, protect credentials, and understand the consequences of sharing access. It is a people-side prerequisite for reliable IAM outcomes, not a replacement for technical control.
  • Account Recovery: The process used to restore access when a user cannot authenticate normally. It is a high-risk identity moment because attackers often target it with social engineering, weak verification, or compromised contact methods. Good recovery design lowers support burden while reducing the chance of account takeover.
  • Security Awareness: A programme that teaches people how to recognise and respond to common security risks. In identity security, awareness is only useful when it changes behaviour around authentication, verification, reporting, and safe handling of access requests. Message repetition alone does not create measurable risk reduction.


This post draws on content published by 1Password: community donations and online safety education during Cybersecurity Awareness Month. Read the original.
