You’ve probably heard by now that October is National Cyber Security Awareness Month (NCSAM). We’re supposed to take special care to educate users about enterprise security and what the corporate policies and procedures are — except that seems to be what we try to do every month with a constant stream of training, webinars and 90-day rotations of passwords. (Password rotation may not really be training, but it seems to be what most users actually remember from the training.) So this month, it might be worth trying something a little different and giving employees security lessons they can take home instead.
NCSAM started in 2004, and the message of “Stop. Think. Connect.” has been going strong since 2010. The organization isn’t trying to tell end users how to make their corporation secure; it’s telling them how to be secure at home. It’s a good choice because most users think making the workplace secure is someone else’s responsibility.
How often have you heard a user say they opened a file or email because they thought it was the security team’s responsibility to make sure no viruses got in? Even though we’re trying to help them with training, the fact that it’s work related often impedes the delivery simply because it’s viewed as just another necessary initiative, much like the harassment or workplace safety videos we have to watch once or twice a year.
Security Awareness Should Start at Home
Rather than giving users training that concentrates on the workplace and their corporate responsibilities, turn the training around and focus on how users can secure themselves at home. In almost every case, the basic steps that are necessary to stay secure in the workplace are exactly the same as at home. By giving them the tools but in a new context, you’re still enforcing the same habits, but the reinforcement of using the same thought patterns in both locations will greatly increase the chances of them becoming long-term habits.
One of the biggest hurdles to security training is making it something that users want to have. If a user doesn’t want to learn, the training is not going to have an impact no matter how important it is. Rather than forcing users to sit through several hours of classes that boil down to explaining a few policies, look at having a one-page site that shows users what they’re responsible for and provides links to the relevant policies. If they are actually curious, they’ll look at the documents; if not, you’ve saved your time and theirs on a pointless exercise that would have frustrated all involved.
Make Training Sessions Engaging
Instead of concentrating on the mandatory training, offer instruction that users will want to attend. Draw inspiration from the Internet of Things (IoT), for example. You could form a training session focusing on how to secure phones and connected devices for the home. Apply the same ideas and tools you’d use for securing your corporate environment, but shape the lessons around how your audience could ensure that new Internet-connected refrigerator is secure and won’t be used as a spambot someday.
More than ever, security is in the headlines, so offer a brown-bag meeting once or twice a month to help your users understand some of the complexities of the technology. Target the relevant systems they want to use. They’ll learn more from a training they come to because they want to learn than they ever will from what you force them to attend.
The one thing security training shares with almost every other type of training is that it’s generally boring. We have facts and figures we have to communicate and policies that need to be explained. These things are typically dry, and no one even wants to be presenting them, let alone listening. So concentrate on making the experience as entertaining as possible. Come up with amusing anecdotes about why such policies are in place, how they could be implemented or the ways in which a policy might reflect in the end user’s personal life.
If you’ve been in security for any length of time, you likely have amusing stories about things that have gone wrong, so share them. Or cheat and go read some of the tales online. There’s more than enough interesting stories to keep your audience amused.
Security Made Easy
Let’s go back to passwords, which have long been among the biggest headaches for both users and support teams. We used to tell users not to write down passwords, but we all have so many and they’re all so complex that it leads users to either write them down or reuse the same few passwords over and over again. Do something to make this problem a little easier on your audience.
Instead of fighting this tendency, give your users a password manager, such as 1Password or KeePass. Given the amount of money we already spend on new software, buying licenses for a password manager is barely a noticeable increase, and in all likelihood, the cost will be recouped in a reduced number of password reset calls to the help desk. If you take it a step further and let employees have a copy for their mobile devices, you’ll increase the chances they’re going to use it to create strong passwords on multiple devices — and you have one more carrot for getting them to the training.
We need to have training; there’s no escaping that fact. But think about making the mandatory training minimal, and instead concentrate on programs that offer your users something they want: something they want to learn, something they want to have or even something they want to see.
We have to be honest and admit that training about policies such as the minimum password length and complexity is both boring and forgettable for the vast majority of people. So get it over with quickly, but make it so that your users know where to get more information if they’re interested. Give them the same tools to use at home that you hope they’ll use at work. Encourage them to come to you to learn how to keep themselves safe, and they’ll have the security awareness to keep your enterprise secure.
Martin McKeay is a Senior Security Advocate at Akamai, joining the company in 2011. As a member of Akamai's Security Intelligence Team, he is responsible for...