21st June 2021

10 tips for implementing a security awareness campaign

10 tips for implementing a security awareness campaign

Here's what to look for to make your campaign a success

Are you planning and implementing a security awareness campaign in your company? Here are 10 tips to keep in mind when implementing to make your campaign a success.

When implementing a successful cybersecurity campaign, we focus on three pillars - the TreeSolution Security ABC.

a. Awareness & Communication (Awareness)

b. Training (Behavior)

c. Implementing a Security Culture (Culture)

We have therefore organized our tips according to these three pillars.

Awareness & Communication (Awareness)

Tip 1: Include the most important stakeholders and analyze the end users

The most important stakeholders should be included in the planning. This means that you invite representatives from the departments, regions, and employee groups concerned and involve them in developing actions and the way in which communication is to take place.

These representatives are better informed about the challenges to be overcome in their area. They can give you information about employees' concerns and criticisms and make suggestions on how best to deal with them.

The stakeholders should also help analyze the end users. Do all the employees already have IT skills and know how to use a computer or do some of them also need to be trained in the basics? Which current security measures do employees think have value and which do they see as a nuisance? Which measures have you implemented, or if not, why not?

Tip 2: Cooperation between all departments and employee groups, including management

As we already said in tip 1, all stakeholders should be involved when planning a security campaign. This also means that all departments, employee groups, and management should work together to develop and implement the campaign to increase its chances of success.

Managers must give their support for the campaign and be role models for encouraging the desired secure behavior. They should motivate their employees to adopt secure behavior and conform with the campaign indications. For example, employees should not be concerned about reporting a phishing incident to their supervisor.

“Normal” employees can also act as role models and encourage their colleagues to behave securely. By demonstrating that it is not restrictive or does not hinder work, secure behavior will be adopted much faster and more easily by other employees.

Ambassadors for the campaign should be drawn from as many departments as possible. They help to develop the campaign and, if necessary, ensure that specific measures can be planned for their own department. They are also available to help and advise the employees in their department when it comes to implementation, and they are role models for the adoption of the new rules and behavior.

Tip 3: Don't forget the human factor

If you want to make people part of IT security, you must consider certain influencing factors in your campaigns and training. To promote and strengthen the security awareness of employees, be sure to address the following.

  • Use simple and understandable language with as few technical terms as possible for campaigns.
  • Avoid scary communication (“this is wrong”, “this is not allowed”, “is forbidden”, etc.) and use humorous elements instead. For example, risks can be conveyed with a cartoon.
  • Show risks and successes using internal examples. This helps employees to better identify with the company and the desired behavior and to implement it.
  • People’s behaviors differ depending on their culture. This can be regional (e.g., for international companies) but also depending on the department (finance vs. sales department). If the training is specific to a department or a region, the campaign should be based precisely on the cultural behavior of that department or region. In a cross-company campaign, it is best to try to cover everyone in the communication. That means that you address both the individual level ("I") and the community level ("we").
  • Security is often seen as a hindrance. It is therefore important to define measures that are easy to apply. Show how the desired behavior can be implemented in a simple way. Also show the advantages of secure behavior.

In addition, keep in mind that motivation and ability to change behavior play a role in whether a change is accepted or not. For example, if older employees have little knowledge of computers, you cannot expect them to know about the risks of malware and what to look out for to prevent malware. You first need to explain to these employees what malware is and what damage it can cause.

Read more about how you can change employee behavior in our blog post, part 1 and part 2.

Tip 4: Think about the types of learners

People may learn effectively and efficiently in different ways. It is therefore important in information security campaigns to consider the different types of learners and to tailor the campaign and training material to them.

There are four types of learners:

  • Visual learners
  • Auditory learners
  • Cognitive learners
  • Haptic learners

Ideally, you will cater to all four types of learner. However, this is sometimes more challenging than expected.

Tip 5: Communication with top management vs. employees

Different target groups may need to be addressed in different ways and may require different information.

When explaining the status of information security or the security campaign to top management, consider the following points.

  • Use clear and simple language with no technical terms.
  • Explain the connection to the business objectives. E.g., how does information security or the security campaign support the achievement of goals?
  • Name the greatest and most likely risks in your industry.
  • Clearly link the risks with the strategic goals and show ways in which the risks can be minimized.
  • Show the next steps.

Changing employee behavior requires a different kind of communication from the one you use to change management behavior. When communicating with employees, pay attention to the following points:

  • Avoid scary and intimidating communication.
  • Choose language that is simple and understandable.
  • Give examples from everyday life at home and at work from your company. Possibly even examples specific to a department.
  • Highlight the positive aspects of changing behavior. What exactly is the benefit to individual employees if they change their behavior?
  • Be aware of cultural differences when communicating within an international company (see tip 3).

Training (Behavior)

Tip 6: You need technical solutions, guidelines, and training

Part of your cybersecurity defense will be technical solutions like firewalls and password protection. On the other hand, you will also need guidelines and rules for the secure handling of software and hardware, security systems, and secure behavior with data and information. Support for these items comes from training and awareness. It is therefore important that the goals, content, and actions of a campaign correspond to the guidelines, specifications, and technical solutions.

The behavior that you want with respect to the guidelines must be integrated into the campaign. Any unnecessary training rules and behaviors will only waste energy and the risk is high that they will not be implemented. Depending on the department, job role, or region, risks or rules of conduct can also look different and should therefore be considered in the campaign.

Tip 7: Different departments have different needs

Depending on the department and its responsibilities, other measures for secure behavior and training may be required. The Security Awareness Radar ® can be used to determine which level of security awareness exists and which measures are required in which department. You can use the tool to interview all employees, including management. The results can be shown at department level or employee groups and thus allow targeted weak points to be identified and appropriate measures to be developed.

The same training may not apply for every department. Departments whose employees never work on computers do not (in theory) need to be trained on phishing or malware. Elsewhere, for example, employees in the HR department must be trained on issues relating to data protection.

Define high-risk areas and employee groups and train them on topics specific to them. This increases the security awareness of these employees and reduces the risk of a successful attack.

Tip 8: Define and select measurable actions

Define actions that you can measure quantitatively or qualitatively. This makes it easier for you to check later whether the measures of the security campaign have worked and whether the behavior of the employees has changed in the desired direction.

Implementing a security culture (Culture)

Tip 9: Compare the security strategy with the business strategy

The security strategy should align with the goals of your business strategy. In addition, it should be developed in cooperation with the other departments so that different needs can be considered.

A comparison with your business goals also helps for getting management approval and financial support for campaigns or training. If you can show where and how the security strategy supports the business strategy, you increase the likelihood that the management endorses the security strategy and associated measures and actively supports them. This is essential for the adoption of a security culture.

Tip 10: Check your security culture regularly and adjust it where necessary

A campaign should not be viewed as a stand-alone measure, but part of a larger whole, i.e., a security strategy. To know whether a security strategy is successful, whether the campaign measures are suitable and implemented, and whether a security culture is established in your company, the strategy must be checked regularly. It is therefore important that you plan measures that can be checked.

The Security Awareness Radar ® from TreeSolution, for example, can be used to check the entire security culture. Read more information here on what the Security Awareness Radar ® is and how it works.

Time is a key factor

Take the time to plan, prepare, and execute a campaign. Security awareness cannot be integrated into the corporate culture and adopted overnight. Information security and security awareness is an ongoing process that takes years. The best “human firewall” can only be achieved with constant education and learning.

A successful implementation

Successful implementation of your security campaign will not be a given. But if you align with these 10 points, you will increase the probability that your campaign will be a success and that your employees will be able to make secure behavior part of their everyday (work) life in the long term. In this way, your employees not only protect your company and your data, but also their private information.

TreeSolution is there for you if you need support in developing and implementing a security awareness campaign. Contact us with your requirements via the contact form, by email or by phone.