10 ways to make people aware of cyber security threats and risks
Updated: Jul 19, 2019
Over the years I have seen the evolution of many different techniques and methods to make people aware of cyber security threats and risks. If there is an Essential 10, then it probably starts here:
1. Emails - those broadcast emails with tips, tricks, warnings etc. Send them out monthly and when a big threat arrives. Some people do read emails.
2. Posters - electronic or non-electronic, make sure you keep the notice boards full every quarter. Folks do get bored in lifts and I have even seen messages put up behind bathroom doors.
3. Cyber Security Week - line up with one of the Government campaigns and make it a full week of activity using every method.
4. Phishing Simulator - don't forget Smishing and Vishing too. Probably best to run these once per quarter and make sure that there is education once a click occurs.
5. Induction - If your new employee induction doesn't have a section covering cyber security, then it's time to add one.
6. E-learning - What I now call an oldie but a goodie: everyone just loves a 15 to 20 module on cyber security policy plus a quiz at the end. However, this remains very important from a governance perspective.
7. Desk drops - Everyone loves a chocolate bar and they usually read the little card, but another mouse pad may be too much. Coffee cups always come in handy, but "Securitykins" similar to those little objects put out by a large supermarket chain probably are not going to hit the spot... But hey, little branded firewalls and other security toys may be cool...
8. Films - When I call these videos, I get in trouble, as only the older folks like me know what they are. Artistic folks have reminded me time and time again that "films" is the right term. A short 2 to 3 minute film on cyber security can have a big impact, and they are fairly engaging. Play them over and over, and make sure you get an "Executive Producer" chair at the shoot.
9. The Toolbox Talk Kit - Make sure your leaders (sometimes called a manager) have a toolbox of security messages, brochures, presentations and more to pass on at team huddles (yes - meetings). Keep the kit updated every 6 months.
10. Intranet Site - No external audit is complete (if you want to move up the Big 4 security maturity scale) without an all-out intranet site full of security stuff for your people. Links to policies, who to contact for help, films, brochures and more should be there. Keep it updated, as no one likes seeing "Last Update 1st June 2009" at the bottom.
11. Gamified Security Awareness Training - You probably think this means some sort of Virtual Reality Simulator, but this is a type of training that really engages your people and gives them the skills, knowledge and experience to become cyber resilient. This is the kind of stuff that changes cultures and really deals with the people side that is challenging.
Although I mentioned 10 ways, the 11th one is new and should be part of your cyber security awareness arsenal. Talk to us about this type of system and how you can take cyber security to the next level in your organisation, small or large.