Cyber-Awareness Is Vital

Clarification is also needed as to whether attendance events and webinars held as part of the programme could count as working time. That further boosts their popularity.

Become a brand

The content to be communicated always needs to observe the ancient wisdom for all communications: “The bait needs to taste good to the fish, not the fisherman”. In this instance, the fish is the staff, the bait is the information about awareness and the fisherman is the team responsible for the programme

Right from the start, programme managers need to be clear in their own minds that cyber-security is both an abstract and a complex subject. Hardly any employees will recognize why they are affected by the issue, without additional guidance. So anyone who launches into communications about it without prior warning or preparation within their organization will not achieve their objectives.

Part of that preparation is making the awareness programme into a brand. It merits having a memorable name, its own logo (which can be printed on items such as mouse-pads, webcam blockers, bags or USB security tokens), and an entry in the intranet navigation. Without this branding, it becomes harder for staff to immediately associate the respective content.

Getting to the content

On top of this, the degree of specialization in the respective communications measure needs to be matched to the target group: PC professionals and software developers merit a different treatment of the same issue compared to the presentation you might choose for employees in the Production department who only spend 30 minutes per week on the PC. So it may be necessary to prepare the same content – e.g. tips on password security or anti-phishing information – to differing degrees of specialization.

Instead of limiting yourself to one communications channel, employees need to be brought on-board from wherever they are found: on the intranet, in the canteen (information via digital info-screens), via their e-mail inbox (newsletters), during their leisure time (more on that below) or on the move (on-demand webinars). A mix of purely digital communication and live events, either virtually or as attendance events, livened up with the occasional competition, is the quickest route to achieving your objectives.

The follow-up on that tip of getting in touch with employees during their leisure time? Practically every employee has either a smartphone, a tablet or a PC/laptop at home – and when using these devices, they are exposed to precisely the same kinds of attack as they are when at work. So why not speak to them as private individuals, with specific communications measures? For example, by giving advice on shopping securely online during the lead-in to Christmas.

Irrespective of the chosen communicationsmix, one point should be observed in all cases: the information measures should not be episodic, selectively-occurring events. Rather, the communication needs to be reinforced to have an impact and avoid losses due to scatter. Ideally, an editorial schedule will be devised and the measures tackled on a quarterly basis.

Guaranteed ineffective measures

In addition to the tips given above, there is also a short list of things to avoid. These would include fearmongering and scare tactics. These arise if you flag up (big) issues without giving employees any assistance on how they can circumnavigate the respective issue (phishing waves, malware campaigns, transfer fraud, etc.). Even phishing training can make users feel insecure, and is therefore to be used advisedly

One way to waste time, money and attention is generic, pre-made webinar content, such as a number of (US) service providers are offering. Licensing it may seem an easy option. But since the content practically never matches up with the requirements of the respectiveorganization, it fails to achieve its objective.