“Password check required immediately,” according to KnowBe4, is the most commonly used subject line in phishing emails – because it works. If ignored, these emails are harmless, but all too often, unsuspecting employees take the bait. Knowing this, awareness training for employees becomes even more important and a primary tool to boost a company’s cybersecurity posture. It is essential that employees are more security conscious, know what to look out for and what to do if they open the wrong email or click a “not so innocent” link.

IWC Schaffhausen’s Head of IT & Cyber Resilience, Sascha Maier, recently spoke on the topic at our Security Experts Roundtable (SEC.OS) and shared the following insights gleaned from the award-winning security awareness campaigns of a Swiss luxury watch manufacturer.

  1. Get Top-Down and Bottom-Up Buy-In
    Before starting, make sure you have the board on your side. That will ensure you have the budget and support necessary to develop your campaign. The next step is to promote your mission internally. You’ll want buy-in from a network of stakeholders across the company, because you’ll need their support to create, run, integrate, and maintain your security awareness campaigns. A few examples of the support you’ll need:

    • A cybersecurity awareness slot in onboarding programs for new employees
    • Help with writing and designing documents, presentations, messaging, and other material
    • Help developing rich media such as training webinars and podcasts for online training
    • Support for network hosting, delivery, and maintenance, and for promoting your campaigns through internal communications channels
  2. Focus
    Covering all threat possibilities in a single awareness campaign is near impossible – a series of campaigns is the better approach. Start by assessing the most pressing threats your company faces, whether phishing, social media, password security, or something else. Based on your analysis and newly gained insights, create a communication plan to develop and schedule each of your campaigns.
  3. Get Creative
    How enthusiastically employees engage is, of course, one of the keys to the success of any awareness campaign. Appearances matter, and having a graphic designer and a copywriter can ensure your campaigns look professional and appealing. Create a message, create visuals, and complement these with well-written content that’s clever and easy to grasp. Executing these elements well will build excitement and curiosity and, most importantly, get your message across.
  4. Leverage Others in Your Organization
    Use a steering committee made up of individuals from across your business. Allow them to preview upcoming campaign topics, designs, messages, etc., and have a say in the process. For example, let them choose which tagline to go with or which visuals to use. This committee will be the springboard for further promoting your program internally and will help you shape it while it is still in development. Again, having a solid network in your company (step 1) matters at many levels of your campaigns.
  5. Showcase Success
    To further promote awareness of your campaign’s success, make a point of sharing the results. Has the number of security incidents declined, or did someone stand out through their security-conscious behavior, for example by reporting a suspicious email promptly? Reward them and acknowledge the workforce for its achievements. Recognition will encourage other employees to follow suit.
  6. Are We There Yet?
    Once you’re able to establish metrics, you have something to build on. Metrics will (a) help you secure additional budget or other resources and (b) give you the baseline from which to launch new programs to improve your company’s long-term security posture. Which metrics to measure depends on your focus; for a phishing campaign, for instance, the rate at which employees report suspicious emails is at least as telling as the rate at which they click. Treat a single campaign’s numbers as a data point, not a verdict, and compare them against your baseline over time. For more guidance, check out SANS’ security awareness blog on metrics.
  7. Have Patience
    Don’t expect to achieve perfection with your first campaign. Awareness building is change management, in which people learn, understand, and practice new behavior. It may take several months to show initial results and is a matter of patience and persistence. Excitement and repetition will eventually make the difference.
  8. Surround Yourself with Other Experts
    The IT community is a valuable source of information, as are security leaders, who must – same as we all do – keep pace with change. With SEC.OS (Security Experts Circle – Open Systems), you can join a community of cybersecurity experts who meet periodically to build relationships, collaborate, share information, and hear from guest experts.

Remember to avoid finger-pointing or lecturing employees about security. The message of your awareness program is always to support the organization. You want to enable your team to be the strongest link, not the weakest.

Useful links:

SANS Free Awareness Newsletter

SANS Security Awareness Roadmap