It might seem early to be talking about Security Awareness Month, but what I’ve realized from my many years of experience in security awareness training is that you can never plan too far ahead. Last year we hosted a live panel on Security Awareness Month almost four months in advance and found that a lot of companies start their CSAM planning in June.
Security Awareness Month is the perfect time to raise awareness of the risks of cyber security and light a spark to keep the fire going for the year ahead. So, we decided to host another early-planning panel so everyone can be prepared to have a successful October:
This time around we had the following guests:
Michelle L. (ML) – Michelle is the Cyber Security Awareness Lead at Channel 4 in the UK. Channel 4 is a publicly-owned and commercially-funded UK public service broadcaster.
Fletus Poston (FP) – A security champion, Fletus is a Senior Manager of Security Operations at CrashPlan®. CrashPlan® provides peace of mind through secure, scalable, straightforward endpoint data backup for any organization.
Ryan Healey-Ogden (RH) – Ryan is Click Armor’s Director of Business Development; he holds a passion for security awareness, education, and technology and how it relates to people.
And myself, Scott Wright (SW), CEO of Click Armor, the sponsor for this session. Now, let’s get to our discussion on Cyber Security Awareness Month:
Don’t have time to watch the whole panel? Get exactly what you need with these security bites:
FP: It generally doesn’t achieve much because most organizations do it poorly. They try to slam content in a four week span. They try to monopolize your portals, they monopolize your inbox, there’s no value added.
Then, most organizations use October as their awareness program for the rest of the year, so they fail to capitalize on the gains from your annual training, from your awareness programs, from hot topics. They fail to incorporate the incidents that your SOC is working or your engineering team is blocking. In order to have an impact, you have to do it right.
RH: Where I think it would have the most value is in smaller businesses. In a newer start-up it’d be great, because it’d be like an introduction, it would get released and it’d be in everyone’s face. In smaller start-ups, resources can be spread quite thin and cyber security might normally get missed in their everyday lives. So, it’s good to have one month dedicated to reaching those people who usually have their blinders on.
So, I think it serves a great purpose, as a primer to your whole security awareness program.
SW: To me, having an awareness month is more focused around making sure people know that there is a problem and using that as a bit of a kickstart for going forward for the rest of the year.
SW: One of the best ideas was having a regular program that has different themes every month and then you can pull those things together during October. In October you review things and make it a highlight session, going over the stuff that you covered last year and how the progress rate is going.
ML: One session that I do that everyone loves is on online sharing. So, I host a session and share a bunch of information I was able to find and how I found it, without being too scary. People loved that.
Then we also do one bigger thing, so we do a mini conference, but you could also do a podcast or something like that. And something to note is that not everything has to be in-house, you can host out-of-house people too.
FP: One of the simplest things I’ve done is background graphics for meetings. So, then every time I’m talking you are reminded about whatever you want the lesson to be for Cyber Security Awareness Month. You can also do this with screensavers.
ML: I think they should be quite simple. For example, we had this event and this many people attended when they didn’t before or we launched these champions or we made this team. And these numbers might look small, especially if people can use the resources later, but they can have a big impact.
FP: Coming from my day job in security operations, I would say my KPIs would be trying to tie reduced response time or number of incidents back. The more things people know to report and how to report it, the quicker my response and fix time should be. Then at that point you can even calculate the amount of dollars you save the organization by having a quicker response time.
Then also the champions, as Michelle said. So, you can show that you went from 1-5 or 10-20 and then show what they are doing in their part of the organization to prove that you now have more boots down on the ground spreading awareness.
RH: Outside the numbers I would say people would be my measure of success. I’d measure this through interviews, talking to people, literally just talking to them, not polls, just getting out in front of our people and hearing what they have to say. You might learn a lot about your people, whether it’s security related or not. Then as you go throughout the year you can continue to have these interviews with people and hopefully things will look a little different.
SW: In general it’s probably best to start talking with the CISO or the head of HR, then if you get approval from them, you can start your planning. What will it look like? What are the costs? Who needs to be involved?
Budget is very important for planning ahead. It’s a great idea to get the budget done during the annual process or pitch it before everyone leaves for summer vacations. The same goes for communications, including graphics or videos. These things can take a long time, so you’ll want to reach out soon.
RH: Planning ahead with any other teams involved. So, submitting any tickets for marketing needs or any other support you’ll need so then when October comes, it can all come out at once.
In the live panel we also listed some great resources for CSAM: NIST (US), National Cybersecurity Alliance (US), CISA (US), and Government of Canada (Canada).
RH: Security champions and executive buy-in are a great way to carry momentum. Then, it can be culture, culture, culture, all the way from the top down. That culture can bring you a long way.
Then, I think it’s up to the cyber security awareness community to carry the rest of the weight. So, continue having panels, discussions, and interviews throughout the whole year.
FP: Bite-size chunks. You don’t need to do it all, but every month doing a little bit more and a little bit more will eventually expand into a lot. So, start with checking off those compliance boxes, but then add buy-ins, champions, comms.
–
Although it’s still 3 months away, in order to have a successful Security Awareness Month you’ll want to start planning as soon as possible. Start by gaining approval from your leaders, then create a strategy that aligns with the culture and questions of your employees. For all our advice, watch the full session here.
Click Armor is the first highly interactive security awareness platform, with engaging foundational courses and 3-minute weekly challenges that employees love. We offer content on everything from security basics, phishing and social engineering to passwords and privacy.
Even if your organization already has a solution, there’s a high likelihood that some employees are still not engaging and are exposing your systems and information to cyberthreats. Click Armor offers a special “remediation” package that complements existing solutions that don’t offer any relevant content for people who need a different method of awareness training.
Scott Wright is CEO of Click Armor, the gamified simulation platform that helps businesses avoid breaches by engaging employees to improve their proficiency in making decisions for cyber security risk and corporate compliance. He has over 20 years of cyber security coaching experience and was creator of the Honey Stick Project for Smartphones as a demonstration in measuring human vulnerabilities.