How to Build a Strong Security Awareness Program

January 6, 2022 | By IANS Faculty
Security breaches can often be attributed to some type of human error. This piece offers tips for building an effective and engaging awareness program that helps mitigate employee mistakes and keep the organization secure. 

Security Awareness Program Basics 

Security awareness programs help drive the right behaviors, increase employee knowledge about security issues and ensure regulatory compliance. Awareness is not a technology issue, but a business issue. Consequently, it is considered a best practice to make sure you also have agreement and buy-in from corporate communications, human resources (HR) and senior management. Setting this tone from the top ensures you have the right level of support to run an effective program. 

Building a Security Awareness Program 

Organizations should view security awareness as an ongoing program, not an annual training exercise. To remain effective over time, security awareness content should be both fresh and engaging. Specifically, you should consider:

  • Using quality content. Use training created by security experts that is fun, engaging and relevant. Deliver material in your employees’ native language whenever possible. 
  • Tailoring awareness campaigns to specific roles. Employees must be able to relate to the awareness content for them to find it meaningful. Consider creating tailored awareness material for systems administrators, developers, C-level executives and business users. 
  • Using a variety of formats but repeating common themes. Awareness does not have to be an annual computer-based training (CBT) course. Use a variety of formats, including in-person training, webcasts, surveys, posters and newsletters. Security awareness must be somewhat repetitive to ensure the message is received, understood and processed. Using a variety of media to deliver the message can help disguise the fact that you are repeating themes.
  • Having specific objectives. Rather than just “increasing awareness” about phishing, pick some specific behaviors you’d like to change, then take a baseline and measure progress. For example, rather than just sending users information on how to spot a phish, make sure you include specific behaviors to encourage, such as reporting the phish. This can serve as the basis for a metrics program around the effectiveness of your awareness efforts. Remember to keep the process of reporting a phish simple. For example, you can enable single-button reporting using the Report Message or Report Phishing add-in functions in Microsoft 365.
  • Trying internal phishing campaigns. Phishing deserves special attention because it remains the No. 1 vector for security compromises. If you are not already self-phishing your employees, consider starting a program that sends simulated phishing emails to all employees periodically. If employees believe they are helping protect the company instead of simply passing a test, they will be much more engaged. 
  • Considering gamification if it fits your company’s culture. Gamification uses elements of game playing, such as point-scoring or competition, to encourage user engagement. The idea of gamification is that organizations can change security behaviors by turning awareness into a game. Consider trying methods like displaying a leaderboard and awarding digital badges or certificates based on games or completion of certain exercises. 


Security Awareness Program Pitfalls to Avoid 

Common pitfalls of corporate security awareness programs include:

  • Focusing on the negative. The best security awareness programs avoid being overly punitive to employees who fail simulated phishing tests or awareness quizzes. Remember, your goal is to educate and raise awareness, not to punish employees or make them feel stupid. Instead of negative reinforcement, reward the correct behavior wherever possible and create an environment of positive reinforcement. This helps reinforce the right behavior and encourages employees to continue reporting potential security incidents.
  • Using a compliance-only approach that doesn’t factor in genuine business risk. While compliance requirements are important, they should not be the only driver for an awareness program. Instead, make sure you include general security knowledge and user behavioral management as goals of the program. 
  • Going overboard. Finally, avoid being overly repetitive or sending too much awareness material all at once. Remember that less is more. Sending out too much awareness material or sending it too frequently can cause a sense of apathy toward the whole program. 

Security Awareness Program Tips 

To ensure employees remain engaged with awareness content, it’s important to change your content and delivery mechanisms periodically. Cyberattacks evolve and change rapidly over time, and so should your awareness efforts. 

Remember, the best security awareness programs are those that: 

  • Use a variety of themes that have direct relevance. Tailor your messages so that they have direct relevance to employees. This will help keep them engaged. 
  • Avoid punitive responses. People respond better when positive behaviors are reinforced rather than when incorrect behaviors are punished. While it may take only one phishing email to compromise a company, it also takes only one employee to report a suspicious email. Help employees feel empowered rather than oppressed by your efforts. 
  • Consider gamification. Applying point-scoring or competition with others can help encourage a stronger sense of engagement.

Security awareness represents one of the tougher communication challenges within an organization. Keeping content fresh and relevant and avoiding punishing users will help keep the program engaging. The way you structure and present material will have a major impact on its effectiveness.

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice. 
