How To Create A Security Awareness Programme Your Users Won't Hate
1 September 2017 00:00
With more and more businesses taking security awareness seriously nowadays, yet the number of successful breaches still growing rapidly compared to previous years, you'd be forgiven for asking the question... "Does security awareness training even work?".
The simple fact is, when done right, security awareness can make a big difference. Maybe that sounds like a pretty biased statement to make, but many organisations still run a poorly executed security programme. Some of the main aspects of what should be involved just aren't being put into practice when educating users.
Like any other type of education, the delivery style is just as important as the content and topics. Deliver it well, and retention is much more likely. Deliver it poorly, and security training becomes just another dreaded date in the calendar.
So, what is the right way of conducting security awareness? Well, that's the million dollar question. But here are some of the main pointers you can take towards making your program much more worthwhile, and much less dreaded...
More Advocates Equals A Bigger Buy-In
Maybe this is easier said than done, but gaining support from the upper tier of the organisation can really help raise the level of buy-in from employees. Having senior management get behind the idea and be vocal with their support helps end users understand just how much of a company-wide concern this really is.
Setting key objectives for your initiative and including senior members of various departments is key. Make sure to bring marketing and communications into the mix, who can craft clear messages for your stakeholders.
Keep A Narrow Focus
There’s an endless list of security topics you could throw at your users -- but how much of that information would actually stick? After all, we can only retain so much, and for the less technical users it takes a lot more effort to remember all of the tech jargon that an IT professional is used to hearing.
Instead, identify the main threats and themes facing your company to ensure the greatest reduction of risk. Phishing, social engineering, remote working, social media and password management are without a doubt some of the most common threats worth digging into.
Make It Relevant
If you’re already in the midst of a security awareness programme, it’s almost a guarantee that you’ll hear end users express some bemusement about their role in cyber security, asking “why would a hacker ever target me?”. Well, now’s the chance to show them just how big of a target they really are.
As most of the security topics are directly related to their day-to-day habits, such as social media, password management and working from home, applying these risks to their personal life can help them tune in a little more.
There’s been a common criticism that’s loomed over security awareness programmes for quite some time -- and that’s the inability to quantify just how successful they’ve been. A lack of metrics and reporting has often deterred businesses from going anywhere near them.
But that’s exactly where simulated phishing attacks become a godsend. Simulating an attack on your user base can give you the insight you need, and can make it clear just how effective your security awareness programme has been. Keep in mind that caution is needed with this approach: a name-and-shame style of punishment causes frustration among users. Instead, provide further education on the main weaknesses that you’ve found.
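The measurement idea above, as an added example that is not part of the original post: a small script that turns the raw results of a phishing simulation into the kind of aggregate metrics the post is asking for (click rate and report rate per campaign, the trend between campaigns, and which departments need further education), while refusing to break the numbers down for groups too small to stay anonymous, so the output supports education rather than name-and-shame. The simulation log, the department and campaign names, the user ids and the minimum group size of five are all constructed assumptions.

```python
from collections import defaultdict

# Constructed simulation log (not real data): one record per targeted user
# per campaign. Campaign labels, user ids and departments are made up.
# action is one of: "ignored", "reported", "clicked", "submitted"
# ("submitted" means the user also entered credentials on the landing page).
SIMULATION_EVENTS = [
    ("2017-Q1", "u001", "Finance", "clicked"),
    ("2017-Q1", "u002", "Finance", "clicked"),
    ("2017-Q1", "u003", "Finance", "submitted"),
    ("2017-Q1", "u004", "Finance", "reported"),
    ("2017-Q1", "u005", "Finance", "ignored"),
    ("2017-Q1", "u006", "Finance", "ignored"),
    ("2017-Q1", "u007", "Sales", "clicked"),
    ("2017-Q1", "u008", "Sales", "reported"),
    ("2017-Q1", "u009", "Sales", "reported"),
    ("2017-Q1", "u010", "Sales", "ignored"),
    ("2017-Q1", "u011", "Sales", "ignored"),
    ("2017-Q1", "u012", "Sales", "ignored"),
    ("2017-Q1", "u013", "Legal", "clicked"),
    ("2017-Q1", "u014", "Legal", "ignored"),
    ("2017-Q2", "u001", "Finance", "clicked"),
    ("2017-Q2", "u002", "Finance", "reported"),
    ("2017-Q2", "u003", "Finance", "reported"),
    ("2017-Q2", "u004", "Finance", "reported"),
    ("2017-Q2", "u005", "Finance", "ignored"),
    ("2017-Q2", "u006", "Finance", "ignored"),
    ("2017-Q2", "u007", "Sales", "reported"),
    ("2017-Q2", "u008", "Sales", "reported"),
    ("2017-Q2", "u009", "Sales", "reported"),
    ("2017-Q2", "u010", "Sales", "clicked"),
    ("2017-Q2", "u011", "Sales", "ignored"),
    ("2017-Q2", "u012", "Sales", "ignored"),
    ("2017-Q2", "u013", "Legal", "reported"),
    ("2017-Q2", "u014", "Legal", "ignored"),
]

FAILED = {"clicked", "submitted"}   # both count as falling for the lure
MIN_GROUP_SIZE = 5                  # assumed: never break down groups smaller than this


def _rates(actions):
    """Turn a list of actions into aggregate counts and rates."""
    n = len(actions)
    clicked = sum(a in FAILED for a in actions)
    return {
        "targeted": n,
        "clicked": clicked,
        "submitted": actions.count("submitted"),
        "reported": actions.count("reported"),
        "click_rate": clicked / n,
        "report_rate": actions.count("reported") / n,
    }


def campaign_metrics(events):
    """Programme-level metrics per campaign: the numbers to show management."""
    by_campaign = defaultdict(list)
    for campaign, _user, _dept, action in events:
        by_campaign[campaign].append(action)
    return {c: _rates(acts) for c, acts in by_campaign.items()}


def department_breakdown(events, campaign, min_group=MIN_GROUP_SIZE):
    """Per-department metrics for one campaign, suppressing small groups.

    A department with fewer than min_group targets is reported only as
    suppressed, so the breakdown cannot be used to single out individuals.
    """
    by_dept = defaultdict(list)
    for c, _user, dept, action in events:
        if c == campaign:
            by_dept[dept].append(action)
    return {
        d: _rates(acts) if len(acts) >= min_group
        else {"suppressed": True, "targeted": len(acts)}
        for d, acts in by_dept.items()
    }


def trend(metrics, earlier, later):
    """Change in click and report rate between two campaigns (positive = up)."""
    return {
        "click_rate_delta": metrics[later]["click_rate"] - metrics[earlier]["click_rate"],
        "report_rate_delta": metrics[later]["report_rate"] - metrics[earlier]["report_rate"],
    }


def education_priorities(breakdown, threshold):
    """Departments whose click rate exceeds the threshold, worst first.

    This list drives extra training for a group, never a list of named users.
    """
    ranked = [(d, m["click_rate"]) for d, m in breakdown.items()
              if not m.get("suppressed") and m["click_rate"] > threshold]
    return [d for d, _ in sorted(ranked, key=lambda item: -item[1])]


if __name__ == "__main__":
    metrics = campaign_metrics(SIMULATION_EVENTS)
    for c in sorted(metrics):
        m = metrics[c]
        print(f"{c}: {m['targeted']} targeted, click rate {m['click_rate']:.0%}, "
              f"report rate {m['report_rate']:.0%}")
    print("trend Q1 -> Q2:", trend(metrics, "2017-Q1", "2017-Q2"))
    q1 = department_breakdown(SIMULATION_EVENTS, "2017-Q1")
    print("Q1 breakdown:", q1)
    print("Q1 education priorities:",
          education_priorities(q1, metrics["2017-Q1"]["click_rate"]))
```

The report rate is deliberately tracked alongside the click rate: a programme that only drives the click rate down is missing half the picture, because users who report the lure are the ones giving the security team early warning of a real campaign. Using the campaign-wide click rate as the threshold for extra education keeps the follow-up proportionate to the organisation rather than to an arbitrary target.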
Incentivise The Top Dogs
Incentives help encourage behaviour changes, and some companies have turned to using gamification to make security awareness education more compelling. For example, you may award points and prizes to employees who flag a phishing email, while developers may compete over who can locate the most security vulnerabilities.
On the flip side, employees who regularly engage in unsafe computing behaviour need to hear about it too.
Don't Cram - Reinforce!
The majority of security experts now agree that the old, once-per-year tick-box approach to cyber security is pretty poor. Cramming information into these sessions makes for a boring, forgettable and unproductive day.
Instead, reinforce information consistently throughout the year. Keep employees up to date on the main topics, while testing their knowledge to look for improvements and weaknesses. A lot of organisations also get value from blogs, posters and newsletters as lighter ways of learning.