So, you’ve finally convinced management of the need for security awareness training. What next?
I’ve been performing security awareness training for around 10 years, and doing it full time here at PTP for the last 3 and a half years. From the thousands of sessions I have run I’ve found the most important aspect is to make it relevant.
Now, everyone says that, but what does it really mean? What is relevant to you is different to what is relevant to someone in finance or HR or your boss etc.
Most awareness programmes focus on highlighting what is demanded by policy. That is seen as relevant by your boss because it helps to tick boxes come audit time, but is it actually effective at changing behaviours?
Some programmes highlight real-world examples, showing attacks that have happened to the organisation. Interestingly, whilst this is wise, it can mean that staff who wouldn’t typically be targets of those types of attack don’t see it as relevant to them and switch off. CEO fraud is a good example: whilst hugely popular with attackers, it really only targets a few staff members, typically in Finance. Is training for that going to help ALL staff?
In my experience you really need a combination of both policy-driven AND real-world training, but with the magic ingredient: making it personal. Making it personal is crucial if you want to engage staff (and you really do want to engage staff!) as this is the key to relevancy. Staff don’t see security at work as their problem; it’s yours. However, if you tell them about security at home, that is undeniably their problem. So, if I tell them how attackers can take over their social media profile or abuse their oversharing of personal data, they are going to pay attention!
The other important element is to make it fun. You want your audience to enjoy themselves and not switch off. Try to look for examples that have an amusing element, and don’t be afraid to satirise yourself.
In my experience the most successful awareness campaigns include some face-to-face events of around 60 minutes, with no more than 30 people a session, and then also offer online material, posters, flyers, CBT-style (computer-based) training, lunch area events and regular communications. The more professional you can make this the better. Gimmicks like security mascots will just lead to derision; avoid them entirely.
Consider talking to your marketing teams, or seek external resources, to generate and build interest in the events in the way TV shows and movies generate interest. Food is often a good motivator to get people to your sessions; lunchtime sessions with good, free food will often be full. If you have audit commitments, make the events mandatory. The ideal, however, is to generate so much interest that people will want to come anyway.
Branded gifts might be useful for encouraging attendees, but don’t underestimate simple things like a drop-in centre where staff can seek advice on problems with home PCs, social media and so on. You could run an amnesty where staff hand in unapproved USB devices in exchange for approved ones, or tell you about cloud services or other shadow IT they have signed up to so that you can approve them formally.
In these situations it’s important to focus on the word ‘Yes’.
No one will come to you if you behave like a dictator and start blanket-banning things. Staff generally behave insecurely when they have a need that you haven’t provided a solution for. You need to be able to say “yes, we can do that, however, x tool will suit our risk model better” or “can you do x before you use that service” (e.g. encrypt before uploading to Dropbox).
It is important to not see security awareness events as one-offs. They need to be regular. You don’t need to do it constantly, just make it frequent and regular and keep the message flowing. I recommend sessions are at least monthly. Work out how staff actually digest information (not just how internal communications think they do), be that with email, instant message, intranet, etc, then use that to communicate regularly.
You need to get management support and engagement. They need to lead and embrace security awareness and, of course, give staff the time to attend these events. There is a cost, but the benefit is that with better-trained staff the business is less likely to end up on the front pages of the news for a data breach.
Current/recent attacks
Mobile phone settings
Social media
Home PC/Mac controls
Passwords
Other policies
Live demos
These can carry a lot of weight and are often simple to do. I have already written about setting up attachment-based phishing attacks.
These aren’t exhaustive lists and each awareness program will be unique to the needs of the organisation and the people being trained, but whatever you do focus on the key element of making it personal. Good luck and let me know how you get on!
Tweet me @tonygee.