Week 4: October 23-27
The theme for week 4 of National Cyber Security Awareness Month is creating security champions. Geared towards the cyber security field as a whole, the efforts this month are intended to encourage people to pursue a career in the cyber security field, and to provide helpful resources for learning more.
Earlier this month, Lisa Plaggemier, Director of Security Culture and Client Advocacy at CDK Global, discussed ways to transform dry, security-based messaging into an engaging story that leads to changed behavior. In “How to Change People in Four Easy Steps,” Lisa states:
“Change is not easy. Influencing people’s behavior is hard work and often an elusive goal. The old model – putting up security awareness posters in break rooms or making people read policies every year and assuming knowledge will translate to behavior – is broken.”
At Everlaw, we prioritize giving everyone on the team the knowledge and tools they need to be a security champion.
Read on to learn how Everlaw follows the steps Lisa recommended to change behavior:
Step One: Attention!
If you don’t get people’s attention, you have no chance to influence behavior. I’ve found a lot of people working in security awareness suffer from “security narcissism.” We’re all fascinated by security; we find it innately interesting. But not everyone is fascinated by security. Think about your audience and their goals, needs and priorities, and align with them.
When new team members join Everlaw, their first priority is to learn about our security policies and procedures. In order to keep their attention, we tailor the onboarding security training to their role. This helps them focus on how their specific role can help us achieve our security objectives.
Step Two: Be Interesting—Everywhere and All the Time
To create security content that’s interesting, you have to understand your audience. Get inside the heads of your employees. Understand what makes them tick. We’re not selling a message that solves people’s current pains. Instead, we’re selling the prevention of potential pain of an intangible thing – being hacked or breached. You’re not going to fix that with a break room poster.
This year as part of our annual team information security training session, Everlaw is bringing in a social engineering (SE) expert from Social Proof Security to teach us about SE risks and how to prevent hacking. With major law firms in the news as victims of SE attacks, we want to be proactive about understanding the risks, and who better to teach the team than a winner of the DEF CON Social Engineering competition!
Step Three: Don’t be Dense (Information Dense)
Less is more, but more is better. Keep your messaging short and concise and your copy targeted and clear. If you sent an email with a training assignment but you’re frustrated that people didn’t take the training, don’t blame your users–look in the mirror. What other channels and tactics could you use to communicate? How did you make people want to take the training?
I am a big believer in avoiding “FUD” (fear, uncertainty, and doubt) when it comes to security training and awareness. Security and compliance training at Everlaw is mandatory. We hold our team to high standards and expect them to meet or exceed them. But that doesn’t mean that it has to be dense and create fear and dread amongst the team. We use plain language in training materials to communicate important messages, and incentives like team ice cream parties and other prizes to drive interest.
Step Four: Lose Control of Your Message
Content going viral means you’ve lost control of it – in a good way. You want employees–not just the “security people”–to spread security. Create content that drives sharing and you can spend your time creating the next great security campaign.
For security and compliance professionals, losing control is a scary thought! But if you want to be successful in creating a culture of security, the messages and importance of certain actions must permeate the organization on all levels. Creating an environment where the team is comfortable sharing security messages in their own way (memes, gifs, etc.) is losing control in an effective way.
Thanks for celebrating NCSAM with Everlaw!
Come back next week for our Week 5 and final NCSAM update.