Building a Security Awareness Program

By Sean McGinty posted 06-04-2018 08:19

In an age where every news outlet from TMZ to the Wall Street Journal is reporting what feels like daily data breaches, clients and governments are requiring us to train employees on data privacy and information security. More often than not we miss the opportunity to create a new culture. Security Awareness Training is not a fad. It will not be replaced by some other knee-jerk reaction to a global or market trend. As digital storage, mobile devices, and information sharing continue to evolve, so must your program. This is no longer about buying off-the-shelf content to check a box during a client audit. It is no longer even about creating awareness. I think WannaCry, the ever-expanding Equifax breach, and the Yahoo breaches have created more awareness than we ever could. So, if it is not about creating awareness anymore, what should our Security Awareness Programs be doing? Our Security Awareness Program must be creating and fostering a Security Culture!

What’s in a Culture anyway?

Culture is defined as the act of developing the intellectual and moral faculties, especially by education. I like that definition for our purpose because it is no longer enough to hold annual training. Awareness is no longer good enough. Awareness does not strengthen the weakest point of my physical infrastructure or data network, i.e. the humans who use it. Awareness is not just a checkbox on an audit sheet or a marketing slick. Developing your employees year-round, consistently communicating, educating, and, yes, testing: that builds a culture!

Showing Value to Create Buy-in

Too much software training is delivered by wielding a giant stick. The value in most of these sessions is that you get to keep your job, and maybe you stop yelling at your computer because you finally know how the software works. That method does not lend itself to changing hearts and minds. Again, we need to create a living culture where employees are invested in the firm's security performance. To do that we need to sell people on the benefits and, as always, on what is in it for them.
Selling a Security Culture may be the easiest thing you ever do in your professional life. Take a room of 20 people: someone in that room has experienced identity theft, phishing, credit card skimmers, malware, or maybe been the victim of a physical crime. Using the personal stories of your employees creates buy-in, builds value, and drives home the importance of your security awareness program. Remind your learners that this is not just policies and procedures; it is a new life skill they will use every day in their personal and professional lives, and one they will pass on to the people around them.

Stock your Toolbox

There is no perfect time to start implementing your program, just do it. This is a year-round program with no end date. While you need to be flexible enough to address current and potential threats to your firm and individuals, you also need to at least have a quarterly plan in place. Building a cultural program affords you the opportunity to get out of your learning/training comfort zone. Expose your learners to new learning methodologies and exciting delivery mediums. Below are some methodologies and delivery mediums that have worked well.

  • Microlearning Video, 90-120 seconds
      ◦ Use short videos to educate or highlight the right and wrong procedures
      ◦ I enjoy using the Vyond (formerly GoAnimate) platform for these videos
      ◦ If you have the skills, produce your own SNL-style videos with firm employees. These always go over well, and you will be surprised by the number of volunteers. The entry-level cost is cheap now: you pretty much just need a current-generation smartphone or tablet and $50-100 editing software. Remember, you are not trying for an Emmy.
  • Pop Culture/Meme Posters
      ◦ Place them in breakrooms and cafeterias. Rotate them quarterly to keep things fresh.
  • One-Page (front and back) Quick Reference Cards
      ◦ New Threats
      ◦ New Protection Solutions
      ◦ Product/Service Spotlight
      ◦ Best Practices, e.g. Rental Car Bluetooth
  • eLearning modules, not to exceed 6 minutes
      ◦ Most TED talks violate my 6-minutes-or-less rule, so make sure your learners know the length of the content.
  • Interviews with firm security personnel, clients, vendors, consultants, etc.
      ◦ Written
      ◦ Podcast/Vodcast
  • Quarterly Q&A/Round Table Sessions
  • Pen Testing (social-engineering tests of your own people)
      ◦ Phishing emails with bad links and attachments
      ◦ USB drives "infected" by IT (harmless test payloads) scattered around your campus

I'm a really big fan of alternating methodologies in every communication. Build out your quarterly schedule, and set up your topics and delivery method/medium. This is a non-stop program. If you don't build in the variety, you will burn yourself and your audience out!

Develop or Maintain a Cadence!

Remember, building a culture is not easy. There is no "set it and forget it"! You are developing a skillset across your firm against the fastest-changing threat on the planet. It requires a creative and nurturing program that instills a healthy sense of paranoia, not crippling fear. One of the most successful ways of preventing backsliding after year one is a rewards program. Incentivize people to identify and report security issues, whether real, perceived, or questionable. The rewards don't have to be cash or prizes. Rewards can be any type of recognition: a certificate, badges (look at Untappd for inspiration), an extended lunch break, or the use of a special parking spot. Just be creative and genuine. You are encouraging and supporting a culture change.
We all know people are the weakest part of any security solution. Create ownership: make everyone an extension of the security department, so that every employee in the organization has a dotted line to the head of security.

Is it Working?

Well, in the security world the blunt answer is easy: have you had a data breach? Got malware or ransomware? A breach-free year is reassuring, but it is a lagging indicator; you may have been lucky rather than good. The program itself gives you leading indicators you can track quarter over quarter: the click rate on your simulated phishing emails, the share of recipients who report them, how quickly the first report arrives, how many planted USB drives get plugged in versus handed to IT, and how many real, perceived, or questionable issues employees bring to you through the rewards program. Those numbers moving in the right direction are the evidence that the culture is taking hold.
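As an added example (not part of the original post), here is a small Python scorecard that turns the results of the phishing simulations listed under Stock your Toolbox into numbers you can track: click rate, report rate, and time-to-report per campaign, with a quarter-over-quarter verdict. The campaign names, user names, timestamps, and the "campaign,user,event,timestamp" export layout are constructed sample data and an assumed format, not the output of any real phishing-simulation tool.

```python
"""Phishing-simulation scorecard (added example, not from the original post).

Computes leading indicators for an awareness program from its own phishing
simulations: click rate, report rate, and time-to-report per campaign.
The event records below are constructed sample data, not real results.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Dict, List, Optional, Tuple

# Constructed sample export (assumed layout): campaign,user,event,timestamp
# where event is one of sent, clicked, reported. A user who clicks and then
# reports (carol in 2018Q1) counts as both; the late report still matters.
SAMPLE_EVENTS = """\
2018Q1,alice,sent,2018-02-05T09:00:00
2018Q1,alice,clicked,2018-02-05T09:12:00
2018Q1,bob,sent,2018-02-05T09:00:00
2018Q1,bob,reported,2018-02-05T09:40:00
2018Q1,carol,sent,2018-02-05T09:00:00
2018Q1,carol,clicked,2018-02-05T10:30:00
2018Q1,carol,reported,2018-02-05T10:35:00
2018Q1,dave,sent,2018-02-05T09:00:00
2018Q2,alice,sent,2018-05-07T09:00:00
2018Q2,alice,reported,2018-05-07T09:05:00
2018Q2,bob,sent,2018-05-07T09:00:00
2018Q2,bob,reported,2018-05-07T09:20:00
2018Q2,carol,sent,2018-05-07T09:00:00
2018Q2,carol,clicked,2018-05-07T11:00:00
2018Q2,dave,sent,2018-05-07T09:00:00
2018Q2,dave,reported,2018-05-07T14:00:00
"""

Event = Tuple[str, str, str, datetime]


@dataclass
class CampaignScore:
    campaign: str
    sent: int
    clicked: int
    reported: int
    first_report_minutes: Optional[float]   # None if nobody reported
    median_report_minutes: Optional[float]

    @property
    def click_rate(self) -> float:
        return self.clicked / self.sent if self.sent else 0.0

    @property
    def report_rate(self) -> float:
        return self.reported / self.sent if self.sent else 0.0


def parse_events(text: str) -> List[Event]:
    """Parse the constructed CSV-style export, rejecting unknown event types."""
    events: List[Event] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        campaign, user, event, ts = line.split(",")
        if event not in ("sent", "clicked", "reported"):
            raise ValueError(f"unknown event type {event!r}")
        events.append((campaign, user, event, datetime.fromisoformat(ts)))
    return events


def score_campaigns(events: List[Event]) -> Dict[str, CampaignScore]:
    """Aggregate per-campaign counts; users are counted once per outcome."""
    sent_at: Dict[str, Dict[str, datetime]] = defaultdict(dict)
    clicked: Dict[str, set] = defaultdict(set)
    report_delay: Dict[str, Dict[str, float]] = defaultdict(dict)  # minutes
    for campaign, user, event, ts in events:
        if event == "sent":
            sent_at[campaign][user] = ts
    for campaign, user, event, ts in events:
        if event == "clicked":
            clicked[campaign].add(user)
        elif event == "reported":
            if user not in sent_at[campaign]:
                raise ValueError(f"{user} reported {campaign} without a send")
            delay = (ts - sent_at[campaign][user]).total_seconds() / 60
            # Keep the earliest report if a user reports more than once.
            report_delay[campaign][user] = min(delay, report_delay[campaign].get(user, delay))
    scores: Dict[str, CampaignScore] = {}
    for campaign in sorted(sent_at):
        delays = list(report_delay[campaign].values())
        scores[campaign] = CampaignScore(
            campaign, len(sent_at[campaign]), len(clicked[campaign]), len(delays),
            min(delays) if delays else None, median(delays) if delays else None)
    return scores


def trend(scores: Dict[str, CampaignScore]) -> Dict[str, str]:
    """Quarter-over-quarter verdict: a rising click rate is a regression;
    otherwise a rising report rate means the program is working."""
    ordered = [scores[c] for c in sorted(scores)]
    verdicts: Dict[str, str] = {}
    for prev, cur in zip(ordered, ordered[1:]):
        if cur.click_rate > prev.click_rate:
            verdicts[cur.campaign] = "regression: click rate up"
        elif cur.report_rate > prev.report_rate:
            verdicts[cur.campaign] = "improving"
        else:
            verdicts[cur.campaign] = "flat"
    return verdicts


if __name__ == "__main__":
    results = score_campaigns(parse_events(SAMPLE_EVENTS))
    for s in results.values():
        print(f"{s.campaign}: click {s.click_rate:.0%}, report {s.report_rate:.0%}, "
              f"first report {s.first_report_minutes} min, median {s.median_report_minutes} min")
    print(trend(results))
```

The report rate and time-to-report are the numbers the rewards program should move; the click rate alone is easy to game by making the lures easier, so compare campaigns of similar difficulty.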
