October is ECSM, a month-long European event promoting good cyber security practices and safety. This year's themes are:
– Digital skills: personal data protection, cyber bullying and cyber stalking, and establishing good practices online.
– Cyber scams: cyber threats such as phishing, business email compromise and online shopping fraud.
Red Goat Cyber Security has some exciting ideas for European Cyber Security Month, starting with 5 ways to increase engagement within your organisation, not just during cyber security awareness month but throughout the year.
Make it personal
Top of the list is to make it personal. Make it about them, your staff, and demonstrate the benefits for them as individuals AND as employees.
Much of what we learn in cyber security applies to personal as well as company defences. Individuals respond much better to things that they think benefit them personally than to things done just “for the company”. Teach them things that they can teach their family and friends, and this will help to reinforce the learning.
This is a real advantage over some other in-house training. Sure, manual handling is important, but it's not something staff are going to take home with them. In addition, share stories and case studies that show how cyber-attacks on companies have impacted the staff of those companies. Make sure the training they do is reflected in annual goals as well as CPD hours.
If working in a group, or discussing information security in a meeting, get a discussion going on personal experiences. Share stories within the company of how staff members have spotted and thwarted attacks. Most people have a story to tell when it comes to cyber security; most people know someone, a family member or neighbour, who has been an unfortunate victim. This helps people to understand that defending against cybercrime is something that is relevant to everybody.
Get their ideas
Staff on the front line know the problems they are facing better than anyone. They know what the common attacks are and what the security weaknesses in your organisation are. We have had so many great ideas from staff members during staff engagement sessions! Value their opinions, note and implement their recommendations where appropriate and practical, and watch staff “take ownership” of the policies and practices rather than having them “imposed” from above. Consider starting a cyber ambassadors programme to help spread the message throughout the organisation.
Lead from the front!
It is critical that your senior managers participate and lead from the front when it comes to communicating the importance of defending the company against cyber threats. Make sure senior staff are present at staff briefings and participate where possible.
Ask your management team to be in the first wave of training and to feed back their experiences, either in meetings or in blogs/bulletins etc. If you have had good ideas from staff, get a management team member who isn't the CISO to feed back on how they were implemented. If non-IT senior managers take cybersecurity courses, make sure this is communicated internally in an appropriate manner.
Many people respond well to the opportunity to beat another team or department, especially when there are measurable prizes at stake. Compare the amount of money you spend per annum on technical defences with the uplift in engagement you get from a £50 voucher or a team Groupon event. Some ideas for competitions include:
– Capture the flag exercises
– A prize for the person who spots the most phishing or vishing attacks
– Points mean prizes: 20 points for completing the infosec quiz, 30 points for attending a webinar, 20 points for spotting a phishing email, and the first person to 100 points wins a prize
– For IT staff, an internal bug-bounty event for the month with prizes for the bugs found
Run companywide exercises
A fire drill isn't just for senior management, so why should a wargame exercise be?
Part of the reason for low engagement is that cyber is always seen as someone else's problem. Yet when an attack is successful, the additional workload, loss of customers and unwanted media exposure affect everyone.
By running companywide exercises such as wargames and cyber crisis exercises you can demonstrate that you take the threat seriously AND, with a bit of effort, engage staff in the process. Once the exercise has been planned, try to involve as many people as possible in it. Get the staff likely to be affected to give updates to the crisis team, and brief the staff as you go along (you would do that in a real attack, right?). Afterwards, hold a staff debriefing meeting, thank staff for their involvement, and send out a summary of the event to staff with key learnings and ideas for how it could be improved in the future.