Case studies are most often used to market a brand. For us, they provide an opportunity to learn by example. No matter what stage your security awareness program is in, getting an inside look at what other companies are doing is a great way to learn and improve.

The following example comes from one of our clients who was kind enough to not only demonstrate their process, but also give us some pointers for managing a successful SAP.

Industry: Insurance

Company size: 5,000 – 10,000

Number of countries: 1

When did you implement your security awareness program?

We have had security awareness training and activities for a number of years. In late 2014 we brought all of those activities together by implementing a formal Security Awareness Program.

Can you describe your launch process? What did you do to bring attention to your efforts?

When we first started, our outreach efforts consisted of just a few security related articles every month. In order to draw attention to our security awareness program, we garnered the support of several executives to show the need for a more involved program. After we received this top level support, we were able to obtain funding to allow us to purchase content and tools to help us build our security awareness program.

What sorts of materials and content are you including in your program?

Our primary focus has been educating our personnel about email phishing related topics. Although phishing has been a key effort, we also are trying to utilize all of the SAC-provided content so that our audiences can learn about anything with a simple click of a button on our internal sites.

What topics are the most important for your users?

Phishing is a hot topic and a critical risk based on several high and low profile companies that have had data stolen by criminal hackers through phishing attacks. In order to proactively combat this risk, we have been heavily focused on educating our users on how to spot and report potential phishing emails.

Do you have a central learning portal of some sort?

Yes, we do. Currently we have an internal Learning Management System that hosts all of our training modules and games, as well as an internal SharePoint site that hosts additional content.

How much of your training is mandatory?

We have two mandatory security-related trainings for our company. The first is our Annual Security Awareness training, which is required for all employees and contingent workers. The second is our secure code training, which is required for all developers.

What have you done to encourage employee participation?

The backbone of our program is promoting a fun and interactive program. In order to encourage participation, we routinely host contests, which allow our employees to learn something new while winning prizes. Additionally, we focus on including all workers throughout the company. We make it a priority to include all employees (FTE, part-time, contingent workers) in our events in order to show the importance of being security aware regardless of company role.

How do you maintain momentum and keep people interested?

We are consistently finding new, creative ways to promote our security awareness program to the company. This includes the creation of new games, new swag or flyers that we hand out at our events, along with partnering with other divisions within the company.

Any final pieces of advice you can give to other SAP admins or companies launching a new SAP?

  1. Create an executive champion team that can assist with spreading the importance of your program. Be sure to utilize this team to promote your program and provide feedback. Convincing executives of the importance of security awareness will increase the adoption rate for employees buying into your program.
  2. Create well-defined goals for each year that are realistic and a few that are a stretch to complete. Be sure to create a roadmap in order to help you achieve these goals. Publicize these goals to your leadership and executive levels in order to get buy in.
  3. A security awareness program does not have to be expensive. Partner with well-established programs and departments within the company to host events and assist you in promoting your program. By partnering with other departments, you can keep your overhead low while reaching the maximum amount of employees and contractors.
  4. Focus your events or campaigns on single topics such as phishing, password security, Internet safety. Avoid overwhelming your audience with too many topics. Security awareness takes time, and is an on-going initiative that should never end. Focus your efforts on areas of greatest priority or importance to your company before moving onto smaller, less risky areas.
  5. Make your program fun! Your audience already has a job, so make your program a fun experience for them so they do not feel like it’s a burden or another job they are being forced to do.

There is a ton of great advice in this study that every program manager will benefit from. We especially love the idea of getting executives involved. Awareness training works best when everyone buys in, so getting support from the top ensures the success of your program.

To read more case studies like this one, and for more information on planning, launching, and managing a security awareness program, be sure to check out our resource center!

Justin Bonnema

Lead Writer at SAC
Justin left the music business to focus on his true passion: writing. A talented writer and detailed researcher, he’s involved in every department here at SAC to make sure all content is fresh and up-to-date. In his spare time, Justin writes about fantasy football for and practices mixology (he makes a mean margarita).