21st June 2021

10 tips for implementing a security awareness campaign

Security Awareness Campaign: Light bulb surrounded by many different pictograms.

Here's what to look for to make your campaign a success

Are you planning and implementing a security awareness campaign in your company? Here are 10 tips to keep in mind during implementation to make your campaign a success.

When implementing a successful cybersecurity campaign, we focus on the three pillars of the TreeSolution Security ABC. We have therefore structured our tips according to these three pillars:

a. Awareness & Communication (Awareness)

b. Training (Behavior)

c. Implementing a Security Culture (Culture)

Awareness & Communication (Awareness)

Tip 1: Include the most important stakeholders and end-user needs

The most important stakeholders should be included in the planning. This means that you invite representatives from the departments, regions, and employee groups concerned and involve them in developing actions and the way in which communication is to take place.

These stakeholders are better informed about the challenges to be overcome in their area. They can give you information about employees' concerns and criticisms and make suggestions on how best to deal with them.

Stakeholders should also help determine the current state of knowledge and end-user needs. Do all employees have the same IT skills? Are there employees who need additional training, or training delivered in a different way than planned? Which current security measures do employees think have value, and which do they see as a nuisance? Which measures have actually been adopted, and where they have not, why not?

Tip 2: Cooperation between all departments and employee groups, including management

As we already said in tip 1, all stakeholders should be involved when planning a security campaign. This also means that all departments, employee groups, and management should work together to develop and implement the campaign to increase its chances of success.

Managers must give their support to the campaign and be role models for the desired secure behavior. They should motivate their employees to adopt secure behavior. For example, employees should not be afraid to report a phishing incident to their supervisor, even if they have already clicked the link; a report that arrives quickly is what limits the damage.

Rank-and-file employees can also act as role models and encourage their colleagues to behave securely. By demonstrating that secure behavior neither restricts nor hinders their work, they help other employees adopt it much faster and more easily.

If possible, ambassadors from all affected departments should be involved in the development of a campaign. The ambassadors help to develop the campaign and, if necessary, ensure that specific measures can be planned for their own department. They are also available to help and advise the employees in their department when it comes to implementation. The ambassadors are role models for the adoption of the new rules and behavior.

Tip 3: Don't forget the human factor

If you want to make people part of IT security, your campaigns and training need to take into account the key factors that influence their behavior. To promote and strengthen employees' security awareness, their needs should be addressed:

  • Use simple and understandable language with as few technical terms as possible.
  • Avoid scary communication (“this is wrong”, “this is not allowed”, “this is forbidden”, etc.) and instead use trust-building and perhaps even humorous elements. For example, risks can be conveyed with a cartoon.
  • Show risks and successes using internal examples. This helps employees to better identify with the company and the desired behavior and to implement it.
  • People’s behaviors differ depending on their culture. This can be regional (e.g., for international companies) but also depending on the department (finance vs. sales department). If the training is specific to a department or a region, the campaign should be based precisely on the cultural behavior of that department or region. In a cross-company campaign, it is best to try to cover everyone in the communication. That means that you address both the individual level ("I") and the community level ("we").
  • Security is often seen as a hindrance. It is therefore important to define measures that are easy to apply. Show how the desired behavior can be implemented in a simple way. Also show the advantages of secure behavior.

In addition, keep in mind that both the motivation and the ability to change behavior play a role in whether employees accept a change. For example, if older employees have little knowledge of computers, you cannot expect them to know about the risks of malware and what to look out for to prevent it. You first need to explain to these employees what malware is and what damage it can cause.

Read more about how you can change employee behavior in our blog post.

Tip 4: Think about the types of learners

People may learn effectively and efficiently in different ways. It is therefore important in information security campaigns to consider the different types of learners and to tailor the campaign and training material to them.

There are four types of learners:

  • Visual learners
  • Auditory learners
  • Cognitive learners
  • Haptic learners

Ideally, you will cater to all four types of learner, for example by combining short videos and posters, talks and podcasts, written guidelines, and hands-on exercises such as phishing simulations. However, this is sometimes more challenging than expected.

Tip 5: Communication with top management vs. employees

Different target groups may need to be addressed in different ways and may require different information.

When explaining the status of information security or the security campaign to top management, consider the following points.

  • Use clear and simple language with no technical terms.
  • Explain the connection to the business objectives. E.g., how does information security or the security campaign support the achievement of goals?
  • Name the greatest and most likely risks in your industry.
  • Clearly link the risks with the strategic goals and show ways in which the risks can be minimized.
  • Show the next steps.

Communication aimed at changing employee behavior is different from reporting to top management. When communicating with employees, pay attention to the following points:

  • Avoid scary and intimidating communication.
  • Choose language that is simple and understandable.
  • Give examples from everyday life, both at home and at work in your company, possibly even examples specific to a department.
  • Highlight the positive aspects of changing behavior. What exactly is the benefit to individual employees if they change their behavior?
  • Be aware of cultural differences when communicating within an international company (see tip 3).

Training (Behavior)

Tip 6: You need technical solutions, guidelines, and training

Part of your cybersecurity defense will be technical solutions such as firewalls and password protection. There is also a need for guidelines and regulations for the secure use of software, hardware, and systems, and for the secure handling of data and information. Training and awareness are what make employees actually follow these. It is therefore important that the goals, content, and actions of a campaign correspond to the guidelines, specifications, and technical solutions in place.

The behavior the guidelines require must be integrated into the campaign. Training on rules and behaviors that are not actually required only wastes energy, and there is a high risk that they will not be followed. Depending on the department, job role, or region, risks and rules of conduct can also differ and should therefore be reflected in the campaign.

Tip 7: Different departments have different needs

Depending on the department and its responsibilities, different measures for secure behavior and training may be required. The TreeSolution Security Awareness Radar ® can be used to determine which level of security awareness exists and which measures are required in which department. You can use this tool to survey all employees, including top management. The results can be shown at department level, which allows weak points to be identified and targeted measures to be developed.

Not all employees need the same training. Employees who never work at a computer do not, in theory, need to be trained on phishing or malware (although phone- and SMS-based social engineering still reaches them). Conversely, employees in the HR department, who deal with data-protection-relevant topics in particular, must be trained on the subject of data protection.

Define high-risk areas and employee groups and train them on topics specific to them. This increases the security awareness of these employees and reduces the risk of a successful attack.

Tip 8: Define and select measurable actions

Define actions that you can measure quantitatively or qualitatively. This makes it easier for you to check later whether the measures of the security campaign have worked and whether the behavior of the employees has changed in the desired direction.

Implementing a security culture (Culture)

Tip 9: Compare the security strategy with the business strategy

The security strategy should align with the goals of your business strategy. In addition, it should be developed in cooperation with the other departments so that different needs can be considered.

A comparison with your business goals also helps in getting management approval and financial support for campaigns or training. If you can show where and how the security strategy supports the business strategy, you increase the likelihood that management will endorse the security strategy and its associated measures and actively support them. This is essential for the adoption of a security culture.

Tip 10: Check your security culture regularly and adjust it where necessary

A campaign should not be viewed as a stand-alone measure, but as part of a larger whole, i.e., a security strategy. In order to know whether a campaign and its measures have led to the desired success, i.e. whether a security culture has emerged, it is important to measure the security culture on a regular basis and to adjust the strategy accordingly. It is therefore important that you plan measures that can be checked.

The Security Awareness Radar ® from TreeSolution, for example, can be used to assess the entire security culture. Read more here on what the Security Awareness Radar ® is and how it works.

Time is a key factor

Take the time to plan, prepare, and execute a campaign. Security awareness cannot be integrated into the corporate culture and adopted overnight. Information security and security awareness are an ongoing process that takes years. The best “human firewall” can only be achieved with constant education and learning.

A successful implementation

Successful implementation of your security campaign will not be a given. But if you align with these 10 points, you will increase the probability that your campaign will be a success and that your employees will be able to make secure behavior part of their everyday (work) life in the long term. In this way, your employees protect your company and your data.

TreeSolution is there for you if you need support in developing and implementing a security awareness campaign. Contact us with your requirements via the contact form, by email or by phone.
