30th November 2022
21st June 2021
Are you planning and implementing a security awareness campaign in your company? Here are 10 tips to keep in mind during implementation to make your campaign a success.
When implementing a successful cybersecurity campaign, we focus on three pillars: the TreeSolution Security ABC.
a. Awareness & Communication (Awareness)
b. Training (Behavior)
c. Implementing a Security Culture (Culture)
We have therefore organized our tips according to these three pillars.
The most important stakeholders should be included in the planning. This means that you invite representatives from the departments, regions, and employee groups concerned and involve them in developing actions and the way in which communication is to take place.
These representatives are better informed about the challenges to be overcome in their area. They can give you information about employees' concerns and criticisms and make suggestions on how best to deal with them.
The stakeholders should also help analyze the end users. Do all the employees already have IT skills and know how to use a computer, or do some of them also need to be trained in the basics? Which current security measures do employees think have value, and which do they see as a nuisance? Which measures have you already implemented, and if some have not been, why not?
As we already said in tip 1, all stakeholders should be involved when planning a security campaign. This also means that all departments, employee groups, and management should work together to develop and implement the campaign to increase its chances of success.
Managers must give their support for the campaign and be role models for encouraging the desired secure behavior. They should motivate their employees to adopt secure behavior and to follow the campaign's guidance. For example, employees should not be afraid to report a phishing incident to their supervisor.
“Normal” employees can also act as role models and encourage their colleagues to behave securely. By demonstrating that secure behavior is neither restrictive nor a hindrance to their work, they help other employees adopt it much faster and more easily.
Ambassadors for the campaign should be drawn from as many departments as possible. They help to develop the campaign and, if necessary, ensure that specific measures can be planned for their own department. They are also available to help and advise the employees in their department when it comes to implementation, and they are role models for the adoption of the new rules and behavior.
If you want to make people part of IT security, you must consider certain influencing factors in your campaigns and training. To promote and strengthen the security awareness of employees, be sure to address the following.
In addition, keep in mind that both the motivation and the ability to change behavior play a role in whether a change is accepted or not. For example, if older employees have little knowledge of computers, you cannot expect them to know about the risks of malware and what to look out for to prevent it. You first need to explain to these employees what malware is and what damage it can cause.
People may learn effectively and efficiently in different ways. It is therefore important in information security campaigns to consider the different types of learners and to tailor the campaign and training material to them.
There are four types of learners:
Ideally, you will cater to all four types of learner. However, this is sometimes more challenging than expected.
Different target groups may need to be addressed in different ways and may require different information.
When explaining the status of information security or the security campaign to top management, consider the following points.
Changing employee behavior requires a different kind of communication from the one you use to change management behavior. When communicating with employees, pay attention to the following points:
Part of your cybersecurity defense will be technical solutions like firewalls and password protection. On the other hand, you will also need guidelines and rules for the secure handling of software and hardware, security systems, and secure behavior with data and information. Support for these items comes from training and awareness. It is therefore important that the goals, content, and actions of a campaign correspond to the guidelines, specifications, and technical solutions.
The behavior that you want with respect to the guidelines must be integrated into the campaign. Any unnecessary training rules and behaviors will only waste energy and the risk is high that they will not be implemented. Depending on the department, job role, or region, risks or rules of conduct can also look different and should therefore be considered in the campaign.
Depending on the department and its responsibilities, different measures for secure behavior and training may be required. The Security Awareness Radar® can be used to determine which level of security awareness exists and which measures are required in which department. You can use the tool to interview all employees, including management. The results can be shown at the level of departments or employee groups, which allows specific weak points to be identified and appropriate measures to be developed.
The same training may not apply to every department. Departments whose employees never work on computers do not (in theory) need to be trained on phishing or malware. Elsewhere, for example, employees in the HR department must be trained on issues relating to data protection.
Define high-risk areas and employee groups and train them on topics specific to them. This increases the security awareness of these employees and reduces the risk of a successful attack.
Define actions that you can measure quantitatively or qualitatively. This makes it easier for you to check later whether the measures of the security campaign have worked and whether the behavior of the employees has changed in the desired direction.
The security strategy should align with the goals of your business strategy. In addition, it should be developed in cooperation with the other departments so that different needs can be considered.
A comparison with your business goals also helps in getting management approval and financial support for campaigns or training. If you can show where and how the security strategy supports the business strategy, you increase the likelihood that management endorses the security strategy and its associated measures and actively supports them. This is essential for the adoption of a security culture.
A campaign should not be viewed as a stand-alone measure, but part of a larger whole, i.e., a security strategy. To know whether a security strategy is successful, whether the campaign measures are suitable and implemented, and whether a security culture is established in your company, the strategy must be checked regularly. It is therefore important that you plan measures that can be checked.
The Security Awareness Radar® from TreeSolution, for example, can be used to check the entire security culture. Read more information here on what the Security Awareness Radar® is and how it works.
Take the time to plan, prepare, and execute a campaign. Security awareness cannot be integrated into the corporate culture and adopted overnight. Information security and security awareness are an ongoing process that takes years. The best “human firewall” can only be achieved through constant education and learning.
Successful implementation of your security campaign will not be a given. But if you align with these 10 points, you will increase the probability that your campaign will be a success and that your employees will be able to make secure behavior part of their everyday (work) life in the long term. In this way, your employees not only protect your company and your data, but also their private information.
TreeSolution is there for you if you need support in developing and implementing a security awareness campaign. Contact us with your requirements via the contact form, by email or by phone.