Yes, getting staff attention for security awareness is hard.
It’s not that users don’t care. But everybody is fighting for their attention. And after all, the company is investing big money on security measures, so they’re probably safe anyhow.
Way too often, for each handful of truly enthusiastic users I find, there’s also a large community of half-interested users, a few plainly uninterested ones and a handful of actual antagonists. Recognize this? Is your situation worse? Is your Enterprise Security Awareness program not appreciated?
Ditch it. And experiment with something new: make it personal.
Talk about security at home
While some people may not find much motivation in actively protecting their companies, everyone wants to make sure that their families and personal assets are safe. So, why not focus on that?
I mean: talk about security at home. Talk to your users about how to make sure their Gmail account, social media accounts, smartphone, home WiFi, etc. stay safe and protected. They’re more likely to listen, learn… and do the same at work!
Security is not just a skill: it’s an attitude. It involves critical thinking more than technical expertise. Like good manners, it’s not something learned and kept at home: it shows every day, in all aspects of life. Likewise, if your users pay attention to those pesky phishing mails at home, they will do so at the office too. If they know how to react when their phones are stolen, they will probably do the same for their professional devices.
For the last couple of years we’ve been applying this. For some of our clients, we’ve run short sessions and published tips and tricks specifically addressing security at home. Simple, hands-on advice, without the constraints of what your corporate IT may or may not offer (think: password vault, two-factor authentication, …).
And the best part is: the security awareness program has never received as much attention.
The effect of word of mouth has been extraordinary: each session got increasingly packed, as people went back to their desks and told their colleagues how security experts had helped them secure their Gmail account and Facebook profile. Users not only voluntarily came and listened, but actually asked questions and followed up over time through other channels. Some even asked for sessions for their kids!
Suddenly, there is new-found attention for security awareness!
This approach sparks conversations that keep building. We have yet to measure this, but the first discussions held with staff from the targeted companies a few months after the sessions suggest that key messages have been retained more effectively than those of previous e-learnings.
An interesting way to reboot your awareness program
Is this a silver bullet? Of course not. But it’s a start. It’s been opening the conversation in a more effective way than anything we’ve tried before. And the incentive to adapt one’s behavior has proven stronger, as most employees are quite keen on protecting their own homes, assets and families.
In every session we gave, there was always at least one person who could tell of a friend or relative who had been “hacked” or had fallen victim to online fraud. This is the best advertising you can get for what you’re saying.
This approach may also contribute to improving the perception of security staff in your organization: from “those stupid people blocking everything” to the ones asking “how can we help you?”. And if you pay enough attention, you may even be able to identify highly engaged individuals who can become your security ambassadors or evangelists in the future.