Creating an effective security awareness program

Security awareness programmes are essentially about managing human risk. An effective awareness program should not just be a one-off induction or yearly training video. Regular, ongoing user training and human interaction will empower and encourage people to report 'near-misses', issues and security incidents.

It starts at the top

If you want to create an effective security awareness and training programme, you'll need support from your leadership team. 

Often leaders want to know how any type of programme that may require resources fits into the organisation's business priorities, especially if costs are involved. And it can be difficult to show how investing in your people's security awareness has a dollar value.

Use what you know; incident data can help you show what impact managing human risk can have. Highlight to your team the impact that reducing human-targeted cyber security incidents will have on your organisation. 

It’s also important for leadership to understand that cyber security is no longer just an IT problem. Everyone should be invested in creating a more robust security model. 

Create a test team

When you start creating your program, you will likely need help and support from different areas, depending on the size of your organisation.

You may need your marketing and communications team to help promote it or your human resources team to create resources for it. Or for smaller organisations, it could be a team of two or three.

Whatever the size of the group, it’s a good idea to have people who support you, that you can test ideas on, and get feedback from. 

People are your best asset

Make every user a security champion in your organisation. 

A person spotting a phishing email and reporting it is useful information to the security team. A person being tricked into running a malicious file that they downloaded and then alerting the security team when they realise what they’ve done is invaluable in the protection of your networks.

Continuous training should cover current phishing campaigns, strong password use, media reports of password dumps and data breaches, the rise of phishing at Christmas time, and increased awareness of malicious package-delivery emails and messages during the holidays.

Ensure that positive behaviour is rewarded rather than punishing mistakes. Negative reinforcement can lead to people in the organisation hiding issues as they arise rather than reporting them for fear of punishment. 

Similarly, try not to make cyber security a chore. For example, have a password policy that requires strong, unique passwords rather than requiring users to change them every few months.

Make it easy to report

Create an easy and well-known process to report any 'near miss', suspected issue or security incident to the security team. This could be a button to report phishing emails, or an easy-to-remember generic email address or phone number for the security team.

Tips and topics

It's a good idea to have a person in your team(s) who is considered the cyber security representative. This person should be able to answer basic cyber security questions from other team members, know the incident response plan, and have a good relationship with the security team to get further help.

The following are good, simple topics you could consider for an awareness campaign. 

  • How to identify phishing messages.
  • Social engineering techniques used by attackers.
  • Safe online browsing practices.
  • Creating good passwords and password hygiene.
  • How to use password managers.
  • Setting up and using multi-factor authentication (also called two-factor authentication).
  • Updating devices and software.
  • Social networking and privacy policies.
  • Data storage, protection, classification and destruction – vital if you have customer data.
  • Managing security and accessibility on mobile devices.
  • How to be secure when working remotely, including working from home.
  • What to do if your organisation experiences a cyber security incident – working through your incident response plan.

You don't have to start from scratch when putting together information for your people on these topics. Our website Own Your Online has a range of guides you can draw on when advising your people.

Guides - Own Your Online

There are all sorts of activities you can run as part of a campaign to make it more interesting for your people. 

  • Get a cyber security specialist in to give a presentation to your users (CERT NZ can help with that!).
  • Put articles about cyber security on your intranet.
  • Run quizzes.
  • Add screensavers to user computers.
  • Provide competition prizes (e.g. printed t-shirts).
  • Hand out desktop or table cards with cyber security tips on them.
  • Highlight cyber security on your internal media channels.
  • Encourage reporting of malicious emails, phone calls and unusual behaviour to your security team.
  • Sign up for Cyber Smart Week. CERT NZ runs an annual security awareness campaign each October which provides resources and information for you to run the campaign within your organisation. 
  • Maintain a good relationship between your security team and users (for example, provide appropriate rewards for reporting security incidents or risks, or regular updates and presentations).
  • Create a cyber security policy for your organisation. Make it simple, short (1-2 pages) and easy to understand.

These are all activities that we’ve seen work well — but you may have other ideas for activities better suited to your organisation.

Regardless of what you decide, sharing information about cyber security won’t just help your people understand how to keep the organisation’s information secure, it’ll help them protect their personal information online too, so everyone benefits.