You’ve probably heard by now that October is National Cyber Security Awareness Month (NCSAM). We’re supposed to take special care to educate users about enterprise security and what the corporate policies and procedures are — except that seems to be what we try to do every month with a constant stream of training, webinars and 90-day rotations of passwords. (Password rotation may not really be training, but it seems to be what most users actually remember from the training.) So this month, it might be worth trying something a little different and giving employees security lessons they can take home instead.

NCSAM started in 2004, and the message of “Stop. Think. Connect.” has been going strong since 2010. The organization isn’t trying to tell end users how to make their corporation secure; it’s telling them how to be secure at home. It’s a good choice because most users think making the workplace secure is someone else’s responsibility.

How often have you heard a user say they opened a file or email because they thought it was the security team’s responsibility to make sure no viruses got in? Even though we’re trying to help them with training, the fact that it’s work related often impedes the delivery simply because it’s viewed as just another necessary initiative, much like the harassment or workplace safety videos we have to watch once or twice a year.

Security Awareness Should Start at Home

Rather than giving users training that concentrates on the workplace and their corporate responsibilities, turn the training around and focus on how users can secure themselves at home. In almost every case, the basic steps that are necessary to stay secure in the workplace are exactly the same as at home. By giving them the tools but in a new context, you’re still enforcing the same habits, but the reinforcement of using the same thought patterns in both locations will greatly increase the chances of them becoming long-term habits.

One of the biggest hurdles to security training is making it something that users want to have. If a user doesn’t want to learn, the training is not going to have an impact no matter how important it is. Rather than forcing users to sit through several hours of classes that boil down to explaining a few policies, look at having a one-page site that shows users what they’re responsible for and provides links to the relevant policies. If they are actually curious, they’ll look at the documents; if not, you’ve saved your time and theirs on a pointless exercise that would have frustrated all involved.

Make Training Sessions Engaging

Instead of concentrating on the mandatory training, offer instruction that users will want to attend. Draw inspiration from the Internet of Things (IoT), for example. You could form a training session focusing on how to secure phones and connected devices for the home. Apply the same ideas and tools you’d use for securing your corporate environment, but shape the lessons around how your audience could ensure that new Internet-connected refrigerator is secure and won’t be used as a spambot someday.

More than ever, security is in the headlines, so offer a brown-bag meeting once or twice a month to help your users understand some of the complexities of the technology. Target the relevant systems they want to use. They’ll learn more from a training they come to because they want to learn than they ever will from what you force them to attend.

The one thing security training shares with almost every other type of training is that it’s generally boring. We have facts and figures we have to communicate and policies that need to be explained. These things are typically dry, and no one even wants to be presenting them, let alone listening. So concentrate on making the experience as entertaining as possible. Come up with amusing anecdotes about why such policies are in place, how they could be implemented or the ways in which a policy might reflect in the end user’s personal life.

If you’ve been in security for any length of time, you likely have amusing stories about things that have gone wrong, so share them. Or cheat and go read some of the tales online. There’s more than enough interesting stories to keep your audience amused.

Security Made Easy

Let’s go back to passwords, which have long been among the biggest headaches for both users and support teams. We used to tell users not to write down passwords, but we all have so many and they’re all so complex that it leads users to either write them down or reuse the same few passwords over and over again. Do something to make this problem a little easier on your audience.

Instead of fighting this tendency, give your users a password manager, such as 1Password or KeePass. Given the amount of money we already spend on new software, buying licenses for a password manager is barely a noticeable increase, and in all likelihood, the cost will be recouped in a reduced number of password reset calls to the help desk. If you take it a step further and let employees have a copy for their mobile devices, you’ll increase the chances they’re going to use it to create strong passwords on multiple devices — and you have one more carrot for getting them to the training.

We need to have training; there’s no escaping that fact. But think about making the mandatory training minimal, and instead concentrate on programs that offer your users something they want: something they want to learn, something they want to have or even something they want to see.

We have to be honest and admit that training about policies such as the minimum password length and complexity is both boring and forgettable for the vast majority of people. So get it over with quickly, but make it so that your users know where to get more information if they’re interested. Give them the same tools to use at home that you hope they’ll use at work. Encourage them to come to you to learn how to keep themselves safe, and they’ll have the security awareness to keep your enterprise secure.

More from CISO

Everyone Wants to Build a Cyber Range: Should You?

In the last few years, IBM X-Force has seen an unprecedented increase in requests to build cyber ranges. By cyber ranges, we mean facilities or online spaces that enable team training and exercises of cyberattack responses. Companies understand the need to drill their plans based on real-world conditions and using real tools, attacks and procedures. What’s driving this increased demand? The increase in remote and hybrid work models emerging from the COVID-19 pandemic has elevated the priority to collaborate and…

Why Quantum Computing Capabilities Are Creating Security Vulnerabilities Today

Quantum computing capabilities are already impacting your organization. While data encryption and operational disruption have long troubled Chief Information Security Officers (CISOs), the threat posed by emerging quantum computing capabilities is far more profound and immediate. Indeed, quantum computing poses an existential risk to the classical encryption protocols that enable virtually all digital transactions. Over the next several years, widespread data encryption mechanisms, such as public-key cryptography (PKC), could become vulnerable. Any classically encrypted communication could be wiretapped and is…

6 Roles That Can Easily Transition to a Cybersecurity Team

With the shortage of qualified tech professionals in the cybersecurity industry and increasing demand for trained experts, it can take time to find the right candidate with the necessary skill set. However, while searching for specific technical skill sets, many professionals in other industries may be an excellent fit for transitioning into a cybersecurity team. In fact, considering their unique, specialized skill sets, some roles are a better match than what is traditionally expected of a cybersecurity professional. This article…

Laid Off by Big Tech? Cybersecurity is a Smart Career Move

Big technology companies are laying off staff as market conditions change. The move follows a hiring blitz initially triggered by the uptick in pandemic-powered remote work — according to Bloomberg, businesses are now cutting jobs at a rate approaching that of early 2020. For example, in November 2022 alone, companies laid off more than 52,000 workers. Companies like Amazon and Meta also plan to let more than 10,000 staff members go over the next few years. As noted by Stanford…