4 tips for an effective security awareness program
‘Your employees are the biggest vulnerability in the fight against cybercrime and digital threats.’
Sound familiar? You can read anywhere that human behavior is the cause of data breaches and security incidents. We believe that people can be the strongest link in your organization’s security chain, and that a creative, positive approach to awareness plays a key role in the success of any security training.
In this article, we offer further tips, beyond a positive approach, that have a positive impact on security awareness programs.
1. Challenge them!
Despite the fact that standards such as ISO 27001 and the BIO have required awareness training to be part of a security program for years, it has not led to the desired results. Passwords are still written down, phishing remains successful and habits of unsafe behavior online have by no means been banished.
That is partly due to the fact that approaching any security awareness program as a “must do” is detrimental to its intended results. Even when organizations are proactive on training, completion is often an end in itself – at the expense of attention to actual and structural long-term behavioral influence.
Do you introduce necessary knowledge merely to tick the boxes, or do you make it a challenging learning process that actually – and measurably – produces results?
2. Measuring is Knowing
The success of an awareness campaign hinges on having the right data. After all, information is power. The more insight you have into the level of information awareness of your employees, the better you can tailor a privacy awareness training course to the needs within your organization.
You do this by first measuring and analyzing the level of maturity in information awareness within the organization, because only then can you start to increase it. The outcome offers concrete action points for the future.
Behavior change is about cultures, not individuals. Measurements are often very individualized, with the result that subsequent programs tend to aim at raising the average of that individual performance. It is therefore much more efficient to address the culture of the organization, where improvements in (collective) behavior are needed – because that is the route to turning your organization into a safety net that becomes stronger and more resilient.
The Culture scan reveals the present level of information awareness. At the same time, it challenges employees to reflect on their personal knowledge and behavior. Taking part in the survey is an awareness intervention in itself!
3. Communication, communication, communication
Take the time to introduce a new measure, create an overall plan and involve the appropriate department(s) such as marketing, communications and HR. These departments have the right skills to properly convey the message and importance of the policy. Therefore, take advantage of them.
Effectively influencing behavior requires more than information security alone. In other words, don’t introduce the new approach as a fait accompli, but engage your employees.
A ready-made change to the policy, introduced overnight, is doomed to be treated as information only.
A communication concept serves as a capstone for all messages, including interventions related to security, privacy and/or integrity. Moreover, good communication is an intervention in itself when you share the practical spearheads of a security awareness campaign.
TIP: When communicating new measures, it is important to emphasize not only the when, but also the how and why of a change. If you do not take the organization by the hand in this, the measure becomes just another annoying obligation in the daily routine of many.
4. Beware desire lines
The fourth and final point is one we like to approach from our expertise in behavioral psychology. On security and privacy issues, such as e-mail, sending information to an unauthorized person and destroying sensitive documents at home, we often see that so-called “desire lines” are chosen.
Desire lines are trails that provide an alternative to official, paved routes. They slowly wear into the landscape as they are frequently used as alternative paths by pedestrians, cyclists or motorists – and thus only become more attractive to use.
How does that relate to working safely with information? Maarten Timmerman, director of Awareways: “Working securely is often more difficult than working non-securely, because it takes a bit of extra time. If you are busy or have an important deadline, for example, it can be very tempting to quickly cut short the ideal safe behavior – which takes just that little bit of extra effort – by taking the alternative route. For example, just a quick email instead of using the required route.”
In the case of a desire line, you often ignore the whole deliberate design of the infrastructure, of which road safety is always a part.
“With security measures, the importance of security and the conscious idea behind it also often seems like a distant concept, because the chances of things going wrong are small – right? And that might sometimes be true, because if you quickly use your private e-mail, that chance is indeed small. The problem, however, is that it’s not the chance of an incident, but the impact if it does go wrong…”
Additional reading materials: be sure to check out our checklist “How to implement new security measures effectively?”
Your next step: Awareways
Security and privacy awareness is an instrument, sustainable behavioral change is the real goal. How can you effectively convey knowledge in a way that sticks, to measurably reach that goal? We are happy to answer that question for you!
Are you looking for security awareness training that goes beyond e-learning? An interactive program that achieves results thanks to stimulating gamification and offers participants the challenge of visible growth? Then our innovative experience platform might be the solution for your organization.
Reach out to us below. Or find out more about Wave here.