Who says you can’t learn things from kids’ movies? Disney movies are full of great lessons about life and love and friendship. But did you know that some of our favorite Disney movies can teach you a thing or two about running a successful security awareness program?
Well, put on your thinking cap, pull up a chair and get ready to whistle while you work.
1. Infosec is a A TALE AS OLD AS TIME.
Nothing has really changed in the last twenty years of security. So don’t try to reinvent the wheel when preparing awareness materials. We all still need strong passwords, we all still need to avoid malware and scams, and we all have confidential data – both personal and professional – that we need to protect. Our technology may change often but the principles of information security have not. Focus on the basics to build a strong foundation with your user base.
2. Part of infosec’s job is to bring HONOR TO US ALL.
Why do any of us care about security? Because we don’t want to get breached. And why don’t we want to get breached? Because we’d lose money, private data, our clients’ trust and our hard-earned reputation. So part of the information security team’s job is to protect not just data but the organization’s reputation. Keeping this in mind – and reminding the users of this now and then – is important when creating and maintaining a security awareness program.
3. Have unexpected expectations or preconceived notions about how a security awareness program should be done? LET IT GO.
What works for one company might not work for yours. What costs a fraction of the cost for you might cost a lot more for another organization. What you think is a stupid idea might end up being the saving grace. What you expect to resonate with your employees might not connect with them at all. Throw away any preconceived notions or lofty expectations and start from scratch. Assess your company culture, don’t be afraid to try things and get rid of the things that don’t work.
Example: One organization we worked with went into a training program totally gung ho and enthusiastic only to be really disappointed when none of the materials packed a punch with their employees at a call center in India. It took them a long time to realize it was because of huge cultural differences in what was considered funny in the American offices vs. The Indian offices. Once they recognized this, changed up the humor in some of the materials for the Indian culture (which the American execs did not understand or like), the program was accepted and more employees participated.
4. It all comes down to singing a team WORK SONG.
Many IT teams are tasked not only with the security of an organization but the security awareness training of the employee base. We imagine they must feel like Cinderella. Which is why every team that’s responsible for creating and running the security awareness program must have excellent team work, just like the little mice who help Cinderella when she’s overwhelmed.
Small teams, especially, need to team up with other departments to get the job done. A truly effective awareness program can’t be done by one or two people. It requires scheduling & organization, regular communication with the users, someone monitoring training reports, someone planning and rolling out new materials, etc. Assign roles and delegate tasks and don’t try to do it all yourself.
5. A successful awareness program stays ONE JUMP AHEAD.
Many companies come to us after a breach or a phishing attack and say, “Quick! We’ve been hacked! We need to train our users!” While reactive training can be a very useful tool for correcting security UNaware behavior, a truly great security awareness program needs to be PROactive and teach their users before the problems happen.
Look at trends, what problems pose the biggest threat to your organization, and talk to the help desk about what issues arise the most (password resets, people falling for social engineering on the phone or phishing emails, people not taking badge policy seriously?) and use those things to guide to your program BEFORE any of the problems turn into massive issues.
6. Don’t half-ass the program. GO THE DISTANCE.
We’ve talked before about not trying to do all the things at once because that can lead to a quantity over quality situation. But you also need to put equal effort into all elements of a program, especially into the launch. We’ve seen so many organizations just slap together a quickie program to meet compliance guidelines… they buy awareness materials and never set up a schedule of how to use them and eventually they get lost in the shuffle and the program never really gets off its feet.
You must actually put in the effort if you want it to succeed. You must set a subject schedule, a content calendar if you will. You must get support from staffers and executives. You must have a plan and stick to it. If you are complacent, the program will not work.
7. Half of your awareness program will inevitably be about LES POISSONS, LES POISSONS.
Some stats suggest that 91% of APTs begin with phishing. And more than half of our clients say that phishing is their number one priority, followed by social engineering of all types (pretexting, tailgating, dumpster diving, smishing, vishing, etc.) so you’re going to definitely need to educate your users about phishing emails. It’s probably also a good idea to phish them on a regular basis using a service such as Phishline or PhishMe so you can track who is clicking and give them remediation lessons immediately.
8. Infosec & awareness don’t have to be boring if you use A SPOONFUL OF SUGAR.
Like we said earlier, none of this is new. We’ve been teaching the same lessons for years, so we’ve got to put on our creativity hats and figure out new and interesting ways to preach the same message. Don’t be afraid to get a little goofy, have a little fun. Humor is an effective learning tool. Put a smile on your user’s face and they will be more likely to remember the lesson than if you go at it with cut-and-dry policy language. Use fun graphics and videos, pull in some pop culture examples, use cats. Do whatever you need to get them to take their security awareness medicine, so to speak. (Take a look at us! We’re using Disney to get our point across. Can’t get much goofier than that.)
9. Teach your users to be successful and tell them YOU CAN FLY.
People care more about themselves than they do about the company they work for. Be honest with yourself and you know it’s true. So the way to reach any employee is not through their brains but through their hearts. Teach them to protect themselves and the people they love, and you will teach them to protect your company data. If you empower them to make smart security decisions and have more control over their own privacy and security, then you are giving them the tools they need to not only be a better cyber citizen but a more security aware employee.
10. A successful awareness campaign is just a CIRCLE OF LIFE.
Security is not a one-and-done kind of thing. In fact, there is no time in any of our lives when we can sit back, hands behind our heads and say, “Ahh, yes. I’m finally secure.” Security is a state of mind, a way of life, and the only way to get that message across is to continuously, regularly, frequently sing the praises of a security aware lifestyle – both at home and at work. When you find a strategy that works, don’t do it once. Do it again, and again, and again…. And again. Think of security as a circle, and circles never end.
Latest posts by Ashley Schwartau (see all)
- Here I Am: My Unexpected InfoSec Career Path - May 30, 2017
- Harry Potter and the Security Prophecy - May 4, 2017
- Use Gamification to Drive Engagement with Monthly Newsletters - January 12, 2017