Updated September 7, 2021
Cyber-crime is on the rise. Your organization is at more risk today than ever – and that risk will continue to rise. How safe are you really? How exposed are you to hackers – and how equipped are you to thwart them?
To have good cyber security in the workplace, you need staff on your side. They’re your best defense – but only if they’re properly informed and motivated.
One click is all it takes. Malicious software or an infected website link, and the company’s sensitive data and computer system are at risk. Small wonder that 95% of cyber security breaches are due to human error.
Protect your organization with these tactics for creating an unmissable cyber security awareness program - and then read our month's worth of tips for National Cybersecurity Awareness Month.
How to Improve Cyber Security Awareness
The old ‘it won’t happen to us’ defense is a thing of the past. When almost one in three organizations have experienced cyber-attacks, it’s a matter of ‘when’ – not ‘if’.
Cyber security awareness training is essential to educate staff on the risks and embed the right behaviors. Follow these 6-step security tactics to help your education program get attention and be remembered.
1. Focus on the “must-see” policies
Not everything can be a “must” – and not all “musts” are equal. Focus on the issues most likely to happen or those with the biggest risk. You need to decide what NOT to communicate. An effective employee security awareness program helps people understand key policies – not to know everything possible.
2. Connect training to 'hot button’ topics
Ask employees about the security issues and behaviors they see in their areas of work. If you’re already communicating and behaviors are not changing, ask staff why. This will help you to understand their motivation and connect to their “hot buttons”.
3. Create compelling content
Construct your security messages in a way that gets noticed. Give them titles like newspaper headlines to grab attention. Summarize the body content into short, punchy and easy to digest formats. For maximum impact you need to engage people with messages and connect on an emotional level.
4. Use targeting to improve relevance
What information does each audience require? Are there high-risk areas that need additional or different types of security communication? Target messages to different audiences depending on the security issues the different audiences face.
5. Repeat key messages in multiple channels
Repackage key information into bite-sized pieces and reinforce messages through multiple channels. Repetition drives recall. It also allows you to communicate more effectively and with less impact on day-to-day operations. Maintain a library of security awareness resources to reuse as required.
6. Define behavior changes – and measure the impact
Clearly define the changes required as an outcome of any security awareness campaign. Use channel reporting and staff surveys to measure the impact, from readership levels to behavioral change. To best quantify results, collect benchmark data before launching the campaign.
Effective cyber security awareness campaigns educate staff, drive action and track results. The SnapComms multi-channel platform uniquely delivers these.
Raise awareness and promote key messages through dynamic screensavers and wallpaper – passive yet powerful. Get instant readership with high-impact alerts – cutting through workplace noise when time is of the essence. Build employee engagement using interactive surveys and quizzes.
Want to learn more? Explore the SnapComms employee communication platform.
A Month of Cyber Security Awareness Tips
October is National Cybersecurity Awareness Month, so what better opportunity to get your employees up to speed. We’ve collected a whole month of cyber security tips for employees. One tip every day to engage your staff and improve your cyber security.
1. Enlist support from the top – Involve senior leaders to help you emphasize the importance of cyber security. This could be via a leadership blog or video message – watching the message delivered directly from the top adds authority and credibility.
2. Use past security breaches as learning examples – Provide examples of real data breaches and other security incidents. For example, Information Security spending is forecast to reach $174.5 billion in 2022. Or, the average cost of a data breach in the US grew from $3.54 million in 2006 to $8.19 million in 2019 – a 130% increase in 14 years.
3. Apply visual cues – Use unique branding for cyber security messages so staff immediately identify the nature of the message and act accordingly. Color-code based on urgency. For example, red = critical (alert of security breach), orange = warning (known phishing activity underway) and green = information (policy or process updates). Visual cues build employee recall every time you send a message to staff.
4. Dedicate a high-priority channel – Only use high-impact communication channels for high-priority messages. Desktop Alerts which bypass email and pop up on employee computer screens are very effective in getting attention fast when you need it.
5. Encourage questions – Invite questions from staff around the process, terminology or any other part of cyber security. Fostering a two-way dialogue is important in building bridges between the IS team and employees in the wider organization. It also demonstrates your receptivity to their feedback. Silence is the enemy.
6. Emphasize the why – Engagement and behavior change increase when employees understand the reasons behind cyber security precautions. Before enforcing network security measures such as switching off HTML or removing auto complete on email, make sure to include the ‘why’ behind these restrictions.
7. Share your data classification protocol – Train staff on the importance of information classification in preventing information leakage. When data is classified, and shared with employees, it can raise security awareness, preventing data loss and complying with legislation.
8. Put idle screens to use – Employee computer screens are an opportunity to reinforce your key messages. Use corporate screensavers to promote correct online behavior or encourage staff to report suspicious activity. You can’t remind staff too often.
Want to see how these message templates could help your organization?
Try them for yourself with a free 30-day trial of SnapComms.
9. Use positive messaging – Encourage compliance with security policies by appealing to the psychological desire for pleasure. Showing employees the positive results of behaving correctly, such as personal satisfaction and peer approval, encourages them to associate pleasure with compliance. Who said psychology and security didn’t go together?
10. Optimize for audiences – Not all employees are working on a desktop in an office. Consider staff not in other environments when producing and sending your cyber security messages. Make sure messages are optimized for remote or field-based staff using mobile devices, or use digital signage to reach non-desk-based staff in common areas.
11. Establish champions – Create advocates in each department to ‘fly the flag’ for cyber security at a grass roots level – where employees have most interactions each day. These advocates can help you deliver IS information, provide updates and collect feedback, all at a much more granular level than IS Managers could do alone.
12. Gamify – Gamification is a great way of reinforcing a message in an engaging way that staff enjoy, not dread. A simple example of this is creating a staff quiz to educate staff and get them thinking about online best practices. For longer campaigns, create leader boards and broadcast updates to keep energy levels and interest high.
13. Jargon-bust – Remove the mystery behind cyber security ‘big words’ by listing terms alongside their meaning. For example, what is 2FA or two-factor authentication, what does cyber hygiene mean? Maybe quiz staff on what they think the terms mean to get them thinking.
14. Celebrate achievements – Bad news gets attention – and there are lots of bold stories about cyber-crime in the news. But add balance to your communications by also celebrating the things staff and the company have done well. Such as the number of phishing attacks stopped this month/year, or accolades you’ve earned for security compliance.
15. Use "storytorials" – Real world examples bring issues and risks to life. Employees understand that since this happened to someone, it could happen to them. But don’t just repeat the facts of the case. Make it into a story by describing the company, the types of people who work there and the elements they share with your company – before getting into the incident itself.
16. Integrate throughout employment – Cyber security isn’t a ‘one and done’ lesson. Integrate it into every stage of an employee’s life cycle with your company. That is, include it in onboarding materials for new hires, deliver a refresher after 1 year, and invite them to become departmental advocates (see above) after 3 years.
17. Make it memorable – Give staff something physical that jogs their memory every time they see it. Having a security-branded notepad or stress ball on every desk is a great way to keep the topic visible between communication campaigns. Plus, everyone loves a free gift.
18. Practice your plan – Run dummy scenarios with employees regularly (after all, you do this for exercises like fire drills). Make these as realistic as possible and ensure all key personnel are involved. As well as familiarizing everyone with the process in a close-to-life scenario, it also helps identify any areas of weakness that should be addressed.
19. Encourage positive culture – Promote company values around scam awareness. Cyber criminals are constantly developing new scams to trap unwary businesses – like AI-generated deepfake audio. Building positive culture around scams helps keep employees current.
20. Make it personal – Show staff how to protect themselves in their personal lives as well as professional. For example, how to protect their home computer, keep kids safe online, check for viruses, use password managers etc. This helps correct behaviors become second nature.
21. #socialize – Create a memorable tagline to use in all your comms or as a hashtag on internal social networks. The tagline for the 2019 National Cybersecurity Awareness Month is OWN IT. SECURE IT. PROTECT IT.
22. Get staff talking – Establish a collaborative online forum that allows staff to submit cyber security tips. The IS Manager or one of their team should act as administrator to moderate comments and encourage participation.
23. Test understanding – Since you’re putting all this effort into informing and engaging employees, it’s equally essential to test if what you’re saying is being understood. After each training session or communication update, test employee understanding. For example, ask employees to rate a series of passwords in order of security level.
24. Call in the experts – Calling in the big guns is often a good tactic. Staff tend to sit up and take notice of someone new, especially when in a position of authority. Arrange for a local cyber security specialist to visit your workplace and deliver a presentation to staff.
25. Use humor – Cyber security is a serious subject but injecting some humor into it can increase employee interest, when appropriate. Search for relevant memes or customize them with a picture of your IS manager. These are certain to get attention, which provides an opportunity for slipping information in almost unnoticed.
26. Create a repository – There’s a lot of cyber security content about. If you want staff to read it, you need to make it easy for them. Summarize useful resources you recommend on your corporate intranet or similar platform. Let staff know when updates are made so they are encouraged to access it regularly.
27. Practice makes perfect – Use progressive email testing in simulated attacks. Start comparatively easily, progressing to content that’s increasingly difficult for staff to identify as malicious. Track levels of staff compliance with your security policies. This helps define your potential risk level. When staff are opening or interacting with specific messages, that’s your area of greatest risk.
28. Challenge beliefs – It’s common for staff to have a relaxed attitude toward cyber security – as though it’s something which won’t affect them. That’s a recipe for risk. Raising awareness and risk management are an important aspect of a security awareness campaign. Challenge notions of safety with the reality and repercussions of big breaches. You’ll find all the ammunition you need here and here.
29. Keep a record – Use message validation to collect a record of employees’ agreement with cyber security policies. This is done by including an ‘I accept’ button in messages, which employees need to click to confirm they have read and understood the message. For IS Managers, this is an important tick for compliance.
30. Recap what’s been learned – At the end of Cybersecurity Awareness Month, send employees an email recapping the information they’ve learned throughout the month. If you’re feeling generous, award prizes to those staff who performed well or who actively participated.
Cyber security in the workplace is everyone’s business. Take the opportunity of this year’s Cybersecurity Awareness Month to get every employee behind you – and banish the hackers.