“In most organizations today, awareness training is just background noise. This stuff is being pushed at people but it’s going past them. They are not engaging with it and not changing as a result.”
- Rather than attempt to cover everything at once, we’ve focused on a specific topic: ransomware is a real and present danger, a genuine business concern right now
- Next month’s topic will be something different: even if ransomware is not exactly gripping, perhaps the next topic will be, or the next …
- We’ve found interesting angles to put across (e.g. using IoT things either as hostages or as platforms for further mischief), hoping to catch the eyes of our audiences
- The manner in which we express stuff reflects the distinct needs of different audiences, e.g. the basics for a general audience vs. higher-level strategy, governance, policy and metrics for the management audience vs. more detailed and technical content for professionals
- The materials address the key question "What’s in it for me?" both at a personal level and as integral parts of both the corporation and of society at large
- The variety and style of content supplied is designed to suit different learning preferences, for example some people prefer images and concepts, some prefer to read the written word, some like to be told or shown stuff, some like to chat about things, some just wanna have fun …
- The volume of content varies also according to the audience e.g. busy senior managers typically prefer a more succinct and direct style, with the option to explore further if they choose to do so
- We’re encouraging people from all parts and levels within the organization to interact on this one topic, socializing information security
- The content mixes factual, advisory and motivational stuff, giving people the knowledge and impetus to think and hopefully act more securely while avoiding the desperately lame "Do X" by laying out reasons and options
- The awareness materials are polished and professional, of the highest quality, designed as a coherent and consistent set whose parts complement each other both within each module and across successive modules (e.g. we will surely mention malware again this year, and we will be looking for opportunities to bring up ransomware and IoT as a reminder of the March module)
Drive up reporting of incidents, near-misses and concerns by making a concerted effort to thank or reward anyone who reports actual or suspected malware etc. Word will soon spread! Work closely with the Help Desk, IT and HR on this. Be generous to those who followed the correct procedures and helped avert potentially serious incidents. Weave reported issues into your awareness program, openly acknowledging those who reported them.
Aside from the ransomware metric described in the metrics paper this month, stark statistics about the prevalence of ransomware and malware can help put such matters on the agenda – within reason. It’s easy to default to an excessively sensationalist style that portrays everything in information security as a massive problem whereas, in reality, controls are strong enough on the whole to keep things in check. On the other hand, strong security may reduce the number and severity of incidents to the point that people (quite rightly!) start to question whether the organization is over-investing in this area and has become so risk-averse that the business is being unduly constrained. Aim for a careful balance. Surveys, infographics and other published statistics and commentaries can be used to reinforce the point that the threats are real and that other similar organizations are suffering costly and disruptive incidents, even if we are not.
OK, enough for now. I need to get on. The end of month deadline is starting to make that whooshing noise like an approaching steam train.
Source: NBlog – the NoticeBored blog @ February 27, 2017 at 06:33PM