We’ve been in this business for a LONG time. A LONG time. Like twenty years long. So that means we’ve seen a wide range of security awareness programs – from the lame and boring to the totally rockin’ campaigns that actually change their users’ behavior. We’ve seen companies with tiny budgets fare way better than giant corporations with massive budgets. We’ve seen companies of all sizes spend a lot of money and have no success. But we’ve also seen a lot of AWESOME awareness programs come out of organizations of all shapes and sizes. And now the production team – the team that creates all of the content for all of our materials – is going to share some of the secrets they’ve learned from watching our clients’ most successful awareness programs.
1. Put together a team that cares. You can spend all the money in the world on training materials and an LMS, but if you don’t have an in-house team who is passionate about educating users and changing the mindset within the workplace, then those training materials won’t be worth anything. Whether you have one person or a whole department dedicated to running the program, they’ve got to care. They’ve got to want to change users’ behavior. They’ve got to want to make your organization more secure. They’ve got to believe what the program is preaching, and believe that it is important. Their passion will come through the entire program leading to a better chance of success.
2. Color outside the lines. Don’t be afraid to take a chance on a different or unique approach to training. There is no “one size fits all” training method. Every organization has different needs and different areas to focus on. Some companies have a major problem with users clicking on phishing links. Others have a problem with people not changing passwords. Some companies can’t afford an LMS. Others don’t have a budget for printing materials. Company A may have the money to develop its own LMS and buy a dozen training courses, but maybe your small business only needs a monthly newsletter and a reinforcement video. Maybe your employees learn better through gaming. Maybe they do better with group activities. Figure out what works best for your work culture, and get creative. Have fun with it. The programs with some built-in flexibility and creativity work better than ones based on rigidity and a compliance checklist.
3. Metrics, consequences and rewards. You’ve got to track your users’ progress. Where they start, where they end up. You’ve got to reward your users for doing what they should and shake your finger at them when they’ve done something against policy. An LMS makes tracking a lot easier since you can see which users have completed training and which haven’t, but an LMS is not necessary. In smaller organizations, you can have employees respond to email quizzes. You can host courses and quizzes on an internal server and have the results sent to the person in charge of the program. You could run surprise simulated phishing tests on your employees and measure how many click, before the program starts and again after, so you can see whether the training actually moved the needle. Explore the many metrics options out there! And then DO something with the metrics. Reward the users who complete the training and who do well on their tests. Let them know that there are negative consequences for NOT doing so. Call out the people who do well. Institute a Security Awareness Employee of the Month award. Give out candy to everyone who finishes the training on time. Have a pizza party for the department that does the best on their awareness tests. Get creative. How would YOU want to be rewarded?
4. Make it personal. Do your employees actually care about the well-being, success and security of your organization? Maybe, maybe not. But what they DO care about is the well-being, success and security of their families, their friends, and themselves. Teach them how to secure their home networks and how to protect their personal data, and then turn it around and say “Oh, by the way, all that stuff you do at home? You should do it here at work too!” By making the security awareness program personal, you’ll change more minds and alter more behavior than if you make it just about corporate policy. Tug at their heartstrings a little. Make them think about Mom and Dad and their kids. Get them thinking about their own privacy. Then bring in workplace security. You don’t let strangers into your home without finding out who they are, just as you shouldn’t let strangers into the corporate office without checking their identification. You want to back up all of those vacation photos and wedding videos, just as you want to back up sensitive client data and company financial records.
5. Treat it like advertising. The thing about security awareness is that it’s not the destination. It’s the gas going in the car, it’s the bathroom breaks and food stops, it’s checking the map to make sure you’re still on track – it’s everything you’ve got to do to make the trip safely and get to your destination in one piece. Security awareness is a full-time mindset and it doesn’t happen overnight. You’ve got to repeat your message over and over again, just like advertisers do, sinking that message into your users’ brains until it’s ingrained in them. If you treat your awareness program more like an awareness campaign – with a logo, a tagline, a specific branding look-and-feel – and come at it from a marketing perspective – regular posters, videos, games, anything to get the users engaged! – then it will be way more successful than if you just approach it from a pure policy or compliance standpoint.
Does YOUR organization have an awesome security awareness program? What tactics have YOU found to be the most successful? Share your tips, advice and success stories with us on our Facebook page or Twitter!