Once you have read my article, you will have a good idea on how to approach your IT security awareness campaign. You will get concrete advice on choosing topics, forming alliances and how to measure how well your campaign worked.
IT security is hardly known for being the world's sexiest topic. In the eyes of many, it is time-consuming, limiting and boring.
A run down car can get purple fringe tail lights, 30-inch fins and a Palomino dashboard - and become Greased Lightnin'. Similarly, you can give IT security a makeover in order to make the topic more accessible, relevant and exciting.
This is what you do:
- get the support of the management
- choose the right topics
- meet people where they are
The support of management
You must first and foremost ensure the involvement of the management. There are two reasons for this:
For one thing, the employees should hear from the management why IT security is important. The message then carries more weight.
For another thing, awareness campaigns are not free. They cost the organisation time. You will only get the resources you need, if you make it clear to the management as to why you need an awareness campaign. If an IT audit has resulted in findings and recommendations or if you need to follow ISO 27001, you will have a compelling argument. Awareness is a requirement set out in ISO 27001 and ISO 27002, so there is no way around this. A focus on IT security can furthermore save you time and money. Both your finances and your image take a hit when a user error causes a data leak or system breakdown.
Moreover, awareness is about communication. If this is not your strong side, you should become good friends with your communications or marketing department, if you have those in the company. They will be able to help you to reach out to the employees in a language they understand.
Choose the right topics
With the backing of your new allies, you should now figure out the areas on which your awareness campaign should focus. There are many topics from which to choose, some heavier than others, and unnecessary information needs to be removed.
Consider the problems you have experienced based on the ignorance of users. A few examples may be:
- Guests to the company are not registered when they arrive and they walk around without access cards.
- Documents with confidential information are lying around in an unlocked room.
- Sensitive personal information is not sent through secure email (encrypted).
If you are unsure of anything, get hold of HelpDesk or IT support if you have those functions. They can tell you what employees most often ask about and of what they are unsure. You can also consider whether you recently began to use new systems or carry out tasks in a new manner. Have the employees become familiar with this or are there many mistakes?
You will possibly find more problems than you can address in a single awareness campaign. Focus on the most important parts and save the less important ones until your next campaign. We must make sure to use simple and powerful messages. Prepare short campaigns with simple themes, and then run campaigns more often.
Meet people where they are
Now you need to go out and meet people where they are. The employees sit in front of their computers, they eat in the cafeteria and they go to Friday morning meetings. This is where you should meet them. One way to do this is by means of:
- Happenings - Little funny things that get people talking. This can involve small figures or other such things placed on the employees’ table, or by handing out chocolate bars in exchange for them agreeing never to share their passwords with anybody. The possibilities are limited only by your imagination and it does not even have to be especially expensive.
- Messages with good advice - E-mails that briefly describe a problem area and how the employee should act.
- Postings on the intranet - Again: make them short and useful. Once the posting is read, the employee shall know precisely what he should (or should not) do and why it is important.
- Posters in the cafeteria - The posters make employees aware of the campaign and get the employees (hopefully) to talk about why IT security is important.
- Morning meetings - If everyone is assembled to a weekly morning or Friday meeting, you can try to squeeze in a little speech of your own.
- Quizzes - A quiz has the benefit of involving the participants. Put up some wine or chocolate as a prize to the employee or department that does the best.
An employee awareness quiz can also show management that your awareness campaign has had an effect on people. Set a realistic goal for yourself. If half of all the employees take the quiz, you have done a great job! A quiz also shows you the areas in which you need to do more to train the employees.
So, can you make IT security sexy? You can at least come a long way when you make it accessible, relevant and interesting.
There are many programs that can help you make quizzes. The new SecureAware Quiz module from Neupart not only makes it possible for you to write your own questions and answers, but also follows up on how many have been answered correctly. You also get an entire library of questions/answers concerning IT security from which you can pick. This way you efficiently ensure that the employees are made familiar with the relevant policies and rules, as well as any compliance with standards, such as ISO 27001. Read more here
About the Author: Lone Forland is a product specialist at Neupart and offers instruction in awareness campaigns, among other topics. Lone Forland furthermore helps Neupart's customers get started with Neupart's ISMS tool, SecureAware, and serves as a liaison between customers and development.