October is quickly approaching, which means that for many businesses it’s time to prepare for Cyber Security Awareness Month – a month recognized all over the world as an opportunity to double down on security awareness efforts. As many organizations transition to a long-term remote work culture, giving your employees the tools and resources to be secure online in their personal lives as well as in the home office is more important now than ever. Like many, you may be wondering how to take your security awareness program virtual, in a way that keeps your employees engaged and educated.
Here’s how we evolved our security awareness program to ensure we’re reaching our LogMeIn employees now working from home.
Align with Corporate Goals and Objectives
Fully understanding the business motivators for your company and the goals of your security team is critical in building any security awareness program. By building your program around the organization’s goals, both long and short term, you are giving your leaders confidence and trust in your messaging and guidance when communicating to employees. Additionally, if you are aligned to their goals, and the goals of the organization, it becomes easy to get their support and participation. Security is everyone’s responsibility and requires all parties, including senior leaders, to be on board – it’s a joint effort.
Define Your Message
The National Cyber Security Alliance and the U.S. Cybersecurity and Infrastructure Agency (CISA) have offered this year’s key message: “If you connect it, protect it.” Because remote work has blurred the lines of our personal and work lives, giving employees the know-how to securely protect their devices is especially important this year. Be sure to solicit input from your Security, Risk and IT teams about desired behavior changes to weave into your campaign. Is your company seeing higher phishing click-rates or risky unvetted app downloads? Understanding the risk to your organization will help you come up with a meaningful message.
Communicate Through a Variety of Channels
Employees receive an average of 120 emails a day. With that many emails, you can imagine how easily your message could get lost in the noise. People also digest information differently, with some preferring visual images and videos over reading lengthy emails. Be sure to leverage the variety of communication channels available to you. Examples include:
- Internal chat channels like Slack are great for sharing quick tips and/or snippets of information. Many of these tools offer engaging formats like GIFs, emojis, polling and survey options to grab your employees’ attention.
- Company intranet sites are useful to collect and store security training videos and other resources and information that employees can refer back to after Cyber Security Awareness Month.
- Host a webinar or All Hands Meeting using remote video conferencing tools, like GoToWebinar. It’s a great way to give your employees a chance to engage directly with security and IT experts and get their questions answered.
Helpful Tip: If you have a global employee base, be mindful to either record the session or offer it in different time zones. Also, make sure to check the attendee size limit of the tool in advance and set up pre-registration if needed.
- Customize desktop login screens with a fun graphic or “Security Tip of the Week”. Your IT team may have permissions to temporarily update employee screensavers and/or desktop screens and can also give you insight into other approved applications that may be useful in your messaging.
- Mail security swag to employees. Depending on the funds available to you, you can send employees small security-related swag items, e.g. webcam covers. There are swag merchandising and direct distribution services that will send items directly to employees’ homes.
Get Your Employees Involved
Even though you may not be in an office setting right now, there are a variety of ways to get your employees engaged with your virtual security awareness campaign. By giving them opportunities to get involved, you will not only boost their learning but also help drive a more collaborative security culture for your organization.
- Run contests asking employees to caption a meme with their best security lingo, craft the most believable phishing email, or make an entertaining 30-second homemade security training video. You can determine winners through peer votes using internal chat channels – this will encourage others to participate too!
- Create an online scavenger hunt where employees can play ‘detective’ and use clues to find answers to the security-related topics you want them to learn more about. Virtual cybersecurity escape rooms are another immersive, team-building way to engage with your workforce.
- Make family time fun by giving parents an activity to do with their children at home. There are lots of free activity kits available online to help teach children about online safety and security.
- Run a virtual Capture-the-Flag (CTF) to kick up the maturity of your security awareness program. Typically geared towards security and engineers/developers, CTFs are a type of gamified learning where people can ethically play ‘hacker’ to improve their defense skills and get better at writing secure code.
- Use an enterprise password manager to boost your organization’s overall password security and create friendly competition amongst employees. If you’re using LastPass, the admin dashboard provides a company-wide Security Score that measures the individual password strengths of employees in the org. You can create a fun and welcomed rivalry amongst individuals or teams by competing for the highest LastPass security score. You can read about how LogMeIn did this in an effort to increase LastPass adoption for 2019’s Cybersecurity Awareness Month here.
Security awareness can be a challenge to quantify, but not impossible. Solicit employee feedback for what they enjoyed or thought could be better, and work with your security team to identify metrics that show if the ‘human error’ risk to your organization is trending downwards (e.g. more security issues reported, fewer phishing emails clicked, stronger and longer passwords). All of this information can give you a better understanding of the success of your Cybersecurity Awareness Month efforts.
Creating and maintaining a security culture within a globally dispersed and diverse workforce is a constantly evolving mission. As your security program grows, don’t be afraid to test new methods of employee engagement, get creative with your ideas and have fun while putting it all together.