Are you planning and implementing a security awareness campaign in your company? Here are 10 tips to keep in mind when implementing to make your campaign a success.
When implementing a successful cybersecurity campaign, we focus on the three pillars of the TreeSolution Security ABC:
a. Awareness & Communication (Awareness)
b. Training (Behavior)
c. Implementing a Security Culture (Culture)
We have therefore organized our tips according to these three pillars.
The most important stakeholders should be included in the planning. This means that you invite representatives from the departments, regions, and employee groups concerned and involve them in developing actions and the way in which communication is to take place.
These stakeholders are better informed about the challenges to be overcome in their area. They can give you information about employees' concerns and criticisms and make suggestions on how best to deal with them.
Stakeholders should also help determine the current state of knowledge and end-user needs. Do all employees have the same IT skills? Are there employees who need additional training, or training delivered in a different way than planned? Which current security measures do employees think have value, and which do they see as a nuisance? Which measures have you already implemented, and where you have not, why not?
As we already said in tip 1, all stakeholders should be involved when planning a security campaign. This also means that all departments, employee groups, and management should work together to develop and implement the campaign to increase its chances of success.
Managers must give their support for the campaign and be role models for encouraging the desired secure behavior. They should motivate their employees to adopt secure behavior. For example, employees should not be concerned about reporting a phishing incident to their supervisor.
“Normal” employees can also act as role models and encourage their colleagues to behave securely. By demonstrating that it is not restrictive or does not hinder work, secure behavior will be adopted much faster and more easily by other employees.
If possible, ambassadors from all affected departments should be involved in the development of a campaign. The ambassadors help to develop the campaign and, if necessary, ensure that specific measures can be planned for their own department. They are also available to help and advise the employees in their department when it comes to implementation. The ambassadors are role models for the adoption of the new rules and behavior.
If you want to make people part of IT security, you need to consider key influencers in your campaigns and training. To promote and strengthen the security awareness of employees, their needs should be addressed.
In addition, keep in mind that motivation and ability to change behavior play a role in whether a change is accepted or not by the employees. For example, if older employees have little knowledge of computers, you cannot expect them to know about the risks of malware and what to look out for to prevent malware. You first need to explain to these employees what malware is and what damage it can cause.
Read more about how you can change employee behavior in our blog post.
People may learn effectively and efficiently in different ways. It is therefore important in information security campaigns to consider the different types of learners and to tailor the campaign and training material to them.
There are four types of learners:
Ideally, you will cater to all four types of learner. However, this is sometimes more challenging than expected.
Different target groups may need to be addressed in different ways and may require different information.
When explaining the status of information security or the security campaign to top management, consider the following points.
Changing employee behavior requires a different kind of communication from the one you use to change top management behavior. When communicating with employees, pay attention to the following points:
Part of your cybersecurity defense will be technical solutions like firewalls and password protection. On the other hand, there is also a need for guidelines and regulations for the secure use of software, hardware, and systems, and for the secure handling of data and information. Support for these items comes from training and awareness. It is therefore important that the goals, content, and actions of a campaign correspond to the guidelines, specifications, and technical solutions.
The behavior that you want with respect to the guidelines must be integrated into the campaign. Any unnecessary training rules and behaviors will only waste energy and the risk is high that they will not be implemented. Depending on the department, job role, or region, risks or rules of conduct can also look different and should therefore be considered in the campaign.
Depending on the department and its responsibilities, other measures for secure behavior and training may be required. The TreeSolution Security Awareness Radar® can be used to determine which level of security awareness exists and which measures are required in which department. You can use this tool to interview all employees, including top management. The results can be shown at department level and thus allow targeted weak points to be identified and appropriate measures to be developed.
Not all employees need the same training. Employees who never work on computers do not (in theory) need to be trained on phishing or malware. Conversely, employees in the HR department, who deal in particular with data protection-relevant topics, must be trained on the subject of data protection.
Define high-risk areas and employee groups and train them on topics specific to them. This increases the security awareness of these employees and reduces the risk of a successful attack.
Define actions that you can measure quantitatively or qualitatively. This makes it easier for you to check later whether the measures of the security campaign have worked and whether the behavior of the employees has changed in the desired direction.
The security strategy should align with the goals of your business strategy. In addition, it should be developed in cooperation with the other departments so that different needs can be considered.
A comparison with your business goals also helps in getting management approval and financial support for campaigns or training. If you can show where and how the security strategy supports the business strategy, you increase the likelihood that management endorses the security strategy and associated measures and actively supports them. This is essential for the adoption of a security culture.
A campaign should not be viewed as a stand-alone measure, but part of a larger whole, i.e., a security strategy. In order to know whether a campaign and its measures have led to the desired success, i.e. whether a security culture has emerged, it is important to measure the corporate culture on a regular basis and to adjust the strategy accordingly. It is therefore important that you plan measures that can be checked.
The Security Awareness Radar® from TreeSolution, for example, can be used to check the entire security culture. Read more information here on what the Security Awareness Radar® is and how it works.
Take the time to plan, prepare, and execute a campaign. Security awareness cannot be integrated into the corporate culture and adopted overnight. Information security and security awareness are an ongoing process that takes years. The best “human firewall” can only be achieved with constant education and learning.
Successful implementation of your security campaign will not be a given. But if you align with these 10 points, you will increase the probability that your campaign will be a success and that your employees will be able to make secure behavior part of their everyday (work) life in the long term. In this way, your employees protect your company and your data.
TreeSolution is there for you if you need support in developing and implementing a security awareness campaign. Contact us with your requirements via the contact form, by email or by phone.