You’ve probably heard by now that October is National Cyber Security Awareness Month (NCSAM). We’re supposed to take special care to educate users about enterprise security and what the corporate policies and procedures are — except that seems to be what we try to do every month with a constant stream of training, webinars and 90-day rotations of passwords. (Password rotation may not really be training, but it seems to be what most users actually remember from the training.) So this month, it might be worth trying something a little different and giving employees security lessons they can take home instead.

NCSAM started in 2004, and the message of “Stop. Think. Connect.” has been going strong since 2010. The organization isn’t trying to tell end users how to make their corporation secure; it’s telling them how to be secure at home. It’s a good choice because most users think making the workplace secure is someone else’s responsibility.

How often have you heard a user say they opened a file or email because they thought it was the security team’s responsibility to make sure no viruses got in? Even though we’re trying to help them with training, the fact that it’s work related often impedes the delivery simply because it’s viewed as just another necessary initiative, much like the harassment or workplace safety videos we have to watch once or twice a year.

Security Awareness Should Start at Home

Rather than giving users training that concentrates on the workplace and their corporate responsibilities, turn the training around and focus on how users can secure themselves at home. In almost every case, the basic steps that are necessary to stay secure in the workplace are exactly the same as at home. By giving them the same tools in a new context, you’re still enforcing the same habits, and the reinforcement of using the same thought patterns in both locations will greatly increase the chances of those habits becoming long-term ones.

One of the biggest hurdles to security training is making it something that users want to have. If a user doesn’t want to learn, the training is not going to have an impact no matter how important it is. Rather than forcing users to sit through several hours of classes that boil down to explaining a few policies, look at having a one-page site that shows users what they’re responsible for and provides links to the relevant policies. If they are actually curious, they’ll look at the documents; if not, you’ve saved your time and theirs on a pointless exercise that would have frustrated all involved.

Make Training Sessions Engaging

Instead of concentrating on the mandatory training, offer instruction that users will want to attend. Draw inspiration from the Internet of Things (IoT), for example. You could form a training session focusing on how to secure phones and connected devices for the home. Apply the same ideas and tools you’d use for securing your corporate environment, but shape the lessons around how your audience could ensure that new Internet-connected refrigerator is secure and won’t be used as a spambot someday.

More than ever, security is in the headlines, so offer a brown-bag meeting once or twice a month to help your users understand some of the complexities of the technology. Target the relevant systems they want to use. They’ll learn more from a training they come to because they want to learn than they ever will from what you force them to attend.

The one thing security training shares with almost every other type of training is that it’s generally boring. We have facts and figures we have to communicate and policies that need to be explained. These things are typically dry, and no one even wants to be presenting them, let alone listening. So concentrate on making the experience as entertaining as possible. Come up with amusing anecdotes about why such policies are in place, how they could be implemented or the ways in which a policy might be reflected in the end user’s personal life.

If you’ve been in security for any length of time, you likely have amusing stories about things that have gone wrong, so share them. Or cheat and go read some of the tales online. There are more than enough interesting stories to keep your audience amused.

Security Made Easy

Let’s go back to passwords, which have long been among the biggest headaches for both users and support teams. We used to tell users not to write down passwords, but we all have so many and they’re all so complex that it leads users to either write them down or reuse the same few passwords over and over again. Do something to make this problem a little easier on your audience.

Instead of fighting this tendency, give your users a password manager, such as 1Password or KeePass. Given the amount of money we already spend on new software, buying licenses for a password manager is barely a noticeable increase, and in all likelihood, the cost will be recouped in a reduced number of password reset calls to the help desk. If you take it a step further and let employees have a copy for their mobile devices, you’ll increase the chances they’re going to use it to create strong passwords on multiple devices — and you have one more carrot for getting them to the training.

We need to have training; there’s no escaping that fact. But think about making the mandatory training minimal, and instead concentrate on programs that offer your users something they want: something they want to learn, something they want to have or even something they want to see.

We have to be honest and admit that training about policies such as the minimum password length and complexity is both boring and forgettable for the vast majority of people. So get it over with quickly, but make it so that your users know where to get more information if they’re interested. Give them the same tools to use at home that you hope they’ll use at work. Encourage them to come to you to learn how to keep themselves safe, and they’ll have the security awareness to keep your enterprise secure.
