So you’ve been tasked with building a security awareness program? It’s a tough job. You’ve got to figure out how to tell people about the program, teach them the security lessons that are most important to your organization, and stay within a tiny budget.
What’s even tougher is figuring out which lessons to teach, which messages to focus on, and what kinds of materials work best for your company. Do you need to use an LMS to track user data? Will your users prefer watching one short video every month, or one long video every quarter? Should you offer incentives for the employees who finish the training?
Every organization is different, and we can’t tell you how to run your security awareness program. But what we can do is offer you some free resources, tips and helpful hints to make the process a lot easier.
Find Inspiration
The internet is full of awesome stuff, but sometimes the sheer amount of information can be overwhelming. Follow some infosec people and companies on Twitter and Pinterest to find useful infographics, posters, quotes, and blog posts you can send to your users or use as inspiration for making your own materials!
Avoid Death by PowerPoint
Don’t waste your time creating long presos that will bore your audience. You want them paying attention, not playing Candy Crush while you drone on about security policies. If you HAVE to use a PowerPoint presentation, use funny photos and avoid a lot of text on the screen. Use videos on YouTube to get your point across. Entertain your users into actually learning something!
Brand Your Program
A recognizable brand & theme helps users identify anything you present & drives the message home. Mascots and character development assist in teaching awareness.
Keep It Simple
Most users don’t need to become experts or even need much technical know-how in order to be security aware, so don’t try to overload them with technical jargon, complex diagrams or intimidating cyberspeak. Keep things simple by teaching the basics in easy-to-understand language. Not everyone understands what ‘social engineering’ is, but everyone understands what a con artist is. So teach about the dangers of social engineers by making real-world comparisons to con artists and scammers to drive the point home.
Make It Personal
In order to change your users’ behavior, you’ve got to change their mindsets. And the only way to change the way they think is to get them to CARE. If you get them to care about protecting their family and teach them how they can be safer online at home, then it’s easy to slide in that company reminder. “Oh, by the way, all that stuff we taught you about protecting your family? Do it here at work, too!”
Establish Who’s Boss
Too many cooks will ruin your program. Find out who has to be involved in the decision process, then streamline as much as you can. One person should be the single point of responsibility for the entire program.
Don’t Do It All At Once
Start slow. Build momentum. Don’t start with everything all at once. Unless you have a huge dedicated staff, you’re not going to have the time, manpower or mental bandwidth to handle all of the things all at once. This means instead of doing a really awesome job and rolling out an eye-catching, engaging and effective awareness program, you’re going to end up with something poorly developed and haphazard. It’s not going to be successful and you’ll be frustrated. So don’t try rolling out a program that includes training modules, and videos, and posters, and newsletters, and interactive games, and a gamified LMS all in the same month or quarter, and certainly don’t just dump all of your awareness materials on an intranet and hope people will click on them.
Use a Spoonful of Sugar
Humor is an effective learning tool. Put a smile on your users’ faces & they will be more likely to remember the lesson than if you go at it with cut-and-dried policy language. Use graphics & videos, use some pop culture examples, use cats. Do whatever you need to make them take their security awareness medicine, so to speak.
Remind Users Frequently
We live in an ADHD world. No one has the attention span to read a policy book front to back (did you?). But people are used to watching short, 3-minute-or-less YouTube clips, and reading quick 1-page-or-less blurbs in magazines. Every month, pick a topic (phishing, social engineering, passwords, backup) and create short newsletters and/or videos on that topic, distributing them at the same time, every month. The regular (but not annoyingly frequent) reminder will bring security to the forefront of everyone’s minds.
Rinse & Repeat
Security awareness is like advertising. In order for the message to stick and for the user to take action, it’s got to be in front of them multiple times during a year. Once-a-year training is not enough. Quarterly training is okay, but monthly and/or weekly reinforcement is even better. Treat your SA program like a marketing campaign using monthly newsletters, screensavers, posters, weekly email tips, videos, quizzing and learning games to engage and educate your user population. The more they see the message, the longer it will stay in the forefront of their minds and the better their behavior will be.