We proudly exclaim from the mountaintop here at SAC that in order for security awareness employee training to be truly successful, it should be treated like a marketing campaign. This might be considered a visionary approach, but we believe it’s based in common sense and modernity.
Before we dive into the question at hand, let’s first review the basics of what goes into a good marketing campaign:
- Create a variety of training moments at frequent intervals.
- Repeatedly restate the same key awareness messages in new ways.
- Make the messages relevant to the users’ everyday life and use real examples.
- Draw on modern trends to grab attention and to make learning fun.
Okay, but where does email fit in?
A well-crafted yet simple to use email campaign hits on every one of those four tenets of marketing. It gives you an opportunity to introduce a variety of training moments in a natural way, and if sent regularly operates as its own method of restating key awareness messages in new ways each time. As you’ll see below, they’re also the perfect way to communicate relevant, real life examples that are instantly applicable to each user’s daily life.
In addition, 72% of people say they prefer receiving communication via email as opposed to other forms of marketing. You may be inclined to think that the younger generation that is beginning to enter the workforce will alter this number or that it’s slowly decreasing as new forms of media come across our screens, but it’s been found that this is not the case. In the skeptical age of spam and phishing, email still reigns supreme.
People look at their emails when they’re bored, when they’re procrastinating, or first thing in the morning with a cup of coffee when their mailbox is nice and full. These are all possibilities for an informal and experiential teachable moment, which has been proven to be the two key methods of learning in order to make a message or lesson stick in someone’s brain.
Then how do I do this whole email thing right?
According to Adestra if emails don’t look good, have poor grammar, or ramble on forever without saying something that is personally applicable or interesting, the email will almost definitely be deleted or ignored. While work emails can obviously be a bit different, there’s still something that can be said about the attitude someone would have opening a boring block of plain text telling them they have to do such-and-such over and over again. They’ll start to hate seeing your or your team’s name pop up in their inbox! If this is the stale approach you’ve chosen to take, do you really think you’ll make any gains on changing mindsets about good security practices? However, if you view email as an opportunity to grab attention and establish your program’s brand in users’ minds as trustworthy and interesting, the game changes.
All emails coming from you (or your team) should be instantly trusted and cause the user to know ahead of time what to expect. Brand recognition is crucial to any successful marketing campaign. Just think of how often you’ve seen the logo or specific styling of major brands; not only does this make the brand’s message come to the forefront every time you come across their icon, it also reinforces this message and helps it stick.
For this reason, we strongly suggest creating a set of templates with a few basic formatting rules that can easily be utilized on the fly. Keep in mind that your main goal is to create a variety of training moments for your users so that nothing becomes stale, boring, or predictable. You also want to make security awareness – something many people believe is a lofty concept better left to the IT crew – as relevant as possible to everyday life and easily understandable.
Here are 4 basic categories of emails that you could send:
“Announcement” emails can serve a wide variety of purposes for your organization’s security awareness program. This can be the way that you choose to distribute new content to employees and will have the added benefit of coming to them in a consistent, recognizable manner. It’s also a way to keep everyone updated and in-the-loop on program successes, a way to easily show them from time to time that all the training has been worth it in a practical, real way. One of our favorite ways to use these types of communication is to incentivize or gamify the very learning process itself; announce Human Firewall All-Stars or start a scoring system with a leaderboard!
2. In the News
As we’ve said before, developing a culture of security awareness within your company relies heavily on making the key security practices personally relatable and realistic. One good way to do this is to share breaking cybersecurity news (data breaches, malware discoveries, app vulnerabilities) in order to bring abstract topics taught in other content into modern day, real-time situations. Use an “In the News” template to distribute these anecdotes in a familiar way; it could help make the difference between a Weak Link and a Human Firewall!
3. For Your Information (Security)
“FYI” emails can serve a wide variety of purposes for your organization’s security awareness program. They can be a good, informal way to notify employees of policy changes or updated security measures, or to simply give a few quick tips for being security aware (especially if related to a recent event, in-house or in the world). You can also use them to let users know when attacks have been successfully warded off and what steps were taken to do so (e.g., unsuccessful spear phishing campaign caught by a fellow employee before damage was done due to diligent user reporting and incident response).
4. Security Alert
In the world of information security, response time to threats is one of the major key elements of a successful defense against criminal attacks. Often, important details need to be shared with users as quickly as possible and in a way that will grab their attention; this is where the “Security Alert” email comes into play. Use these emails to inform employees of necessary patches, the latest malware’s modus operandi and thus what to look out for, or an internal spear phishing scam making its rounds.
Your goal as the leader of your program shouldn’t merely be to achieve a benchmark ROI for the execs, but to establish a process that fundamentally alters the behavior of your users to a higher standard so that company assets and employees are overall better protected. You just can’t expect to do this without persistently putting the things that will help change users’ mindset in front of their faces, and it has to be done through multiple channels.
This is essentially marketing in a nutshell, and following this line of thought, one of the easiest ways to reinforce your campaign can be by taking a few minutes to regularly send your users a variety of emails!
Latest posts by Kayley Melton (see all)
- Does Sexism Still Exist in the Tech World? - March 10, 2017
- What is Data Classification? Why is it Important? - November 16, 2016
- I’m not a doctor; I don’t need to pay attention to HIPAA. Right? - November 10, 2016