Maximising Cyber Security Awareness
Updated: Jul 24, 2019
Each and every day, every person is bombarded with information from many different sources, all trying to get their messages across. From the moment you look at your phone in the morning, switch on the television or radio, or step onto the bus or train, messages are coming at you from everywhere.
Over time we learn to subconsciously ignore these messages, and it's only something different or unique that captures our attention. Usually it is a clever advertising technique, but sometimes you get home and don't remember a thing.
When it comes to getting cyber security messages across to your organisation's people, customers and partners, it is not much different. Everyone is battling the constant email, people don't have time to check the corporate Intranet page, the poster in the lift was just another poster, and the chocolate bar with a flyer was just another day in the office. The e-learning module you just completed nearly made you take another coffee for the day, or luckily your desk neighbour did it yesterday and knew the answers to the quiz - phew!
And then there was induction, many years ago, and who remembers that? It seemed fun but it's all a blur now. The last town hall was exciting, but what was that whiz saying about cyber security? Seemed interesting, but hey, the security team is looking after us. Hey look, just got an email from HR giving everyone a free voucher - better register now! Ahh no, that's the security folks running another phishing simulation, so better not click. But oops, looks like I didn't pay an invoice, better open that attachment ASAP.
There is no doubt that all organisations need a cyber security awareness strategy that covers multiple methods of communication using various techniques. Over the past few years phishing, smishing and even vishing simulators have been the shiny new toy. But in my experience the following happens:
1st time: The first time you run a phishing simulation campaign, the impact is big. People really take notice, probably from the shock value and perhaps a bit of shame at being caught in the net. The messages and educational videos that follow the click are noticed. The CISO even gets a few calls saying "was just checking it out" and "I thought you folks were running something, I like it and that's why I clicked".
2nd time: The second time you run a campaign, someone will be running through the office telling everyone that security is at it again, especially your sales teams, who have already worked out that this is now a competition because the executive will see the results. Sales came out best and, no surprise, IT was the worst bunch (after all, the security team has it under control with some cool technology).
3rd time: By this time the shock value has gone, shame is not even on the menu, and even the trusty old "Free Massage Voucher" hardly gets a click. FYI - a "Free Massage Voucher" on your first campaign almost guarantees a 100% click rate, but check with your HR department first. By the 3rd time, HR is calling to say there are concerns "about productivity" and people are asking what value there is.
4th time: If you run the campaign a 4th time in the first 6 months and you're still the CISO, then good work. Please share how you managed to do it. By this stage all the glamour has gone, only new employees get caught in the net, and they are wondering whether they joined the right company. Sales got 0% (not a single click), the only time hitting 0% led to a win, and IT hit 100% because they wanted to check the phishing simulator was still in production.
So hopefully you're not in shock after reading the points above, or perhaps you are even having a chuckle because you are the new CISO after the last one moved on. You are probably asking: well, what can we do next?
Your cyber security awareness and training arsenal (or toolset, if you prefer the term) needs to include newsletters, posters, emails, Intranet portals, the hotline, cheat sheets, reminder cards/flyers, phishing simulators, etc. But if you want to really make your people aware and more resilient, then the most effective method is cognitive engagement that is challenging, rewarding and in person. At the past two organisations I have worked at, I led the use of a gamified solution that people come together and participate in. The training feedback was something I have never seen before, and the average Net Promoter Score (NPS) for "Would you recommend this system" was >9.5. The system, developed in Europe, is so unique, simple and effective that we at Cybercation have brought it to market in Australia, New Zealand and Asia Pacific.
If your organisation doesn't effectively train its people in cyber security, then the weakest link will remain.