How should you communicate Security Awareness Training?
Today, employees are an important factor in information security and require appropriate training. But how do you communicate training measures and security awareness campaigns that employees may view critically at first glance because of privacy concerns?
Modern technologies such as firewalls or antivirus programs are no longer sufficient to ward off attacks by cyber criminals. Security-aware employees are essential to securing a company. “Security awareness” means that employees know what risks attacks such as phishing pose, how to recognize such attacks, and what they must do if something goes wrong. In the digital world of work, phishing protection is inconceivable without security awareness and sensitized employees.
If, however, employees do not apply the knowledge conveyed because the communication was poorly chosen, even a security awareness campaign will not achieve its goal. A good security culture depends on informed employees who know and accept their responsibility for the security of the company. In order to have a lasting effect on a company's culture, good and coherent communication at different levels is therefore required.
In a study by Trend Micro, 63 percent of the IT and security decision-makers surveyed in German companies named internal communication as the greatest challenge for cyber security in their companies. 43 percent of those surveyed reported problems in communicating complex issues to management. The study also shows that it often takes a sensational cyber attack to get the necessary attention for IT security: 69 percent of respondents report that communication becomes easier for them after incidents such as WannaCry. This raises the question of how IT security managers and IT security officers can overcome these communication barriers before such attacks happen.
Internal communication is perceived as one of the biggest challenges of awareness campaigns
Part of the problem: In many companies, the topic of security awareness is located in the IT department. 80 percent of awareness professionals have a technical background. Very few of the people who plan and supervise security awareness measures in companies have therefore acquired the necessary skills in communication, marketing or psychology, whether during their studies or elsewhere.
7 tips for communicating a security awareness campaign
Many IT security managers are therefore developing these skills through learning-by-doing. With these 7 tips, you will strike the right note in your security awareness measures:
- Motivating employees through proper communication: Many still regard dealing with IT security as a chore. Therefore, make the information for your employees as engaging and descriptive as possible. When presenting the risks, draw on internal examples or point out the benefits for employees' private lives. This makes it easier for employees to relate to the topic. A humorous approach is also often well received by employees. For example, a cartoon can convey information in a simple, brief and entertaining way.
- Promoting a culture of trust: If employees do not report errors, it is difficult to discover them and avoid them in the future. Therefore, build a healthy error culture in your company through open communication. In particular, fear-inducing communication, threat scenarios and punishment of employees should be avoided at all costs. This requires a sure touch.
- Bridging knowledge gaps and language barriers: The IT department speaks a different language than the employees in other departments. Be aware of your head start in knowledge. Therefore, choose simple, understandable language tailored to the target group, so that your information can be understood by all employees, regardless of department or level of knowledge. For example, IT jargon should be avoided unless the addressees have an IT background.
- No confusion due to conflicting information: The rules of conduct you want and communicate should be consistent, so align them with existing internal guidelines.
- Involve managers: Executives must be brought on board and act as ambassadors who spread the topic within the company. Spreading the topic of IT security against the resistance of the executives will be very difficult, so a corresponding commitment from senior management is required. The managers can then carry the topic further into their teams as ambassadors and convey its importance to employees.
- Consider cultural differences: Is your awareness training aimed at employees from different countries? To achieve the desired success, take cultural differences into account when communicating with employees. Beyond manners and communication tools, risk perception can also differ depending on the cultural context.
- Use different channels: Different users have individual needs. It is therefore advisable to take a multimedia approach to communicating with employees, i.e., to incorporate different channels, both digital and physical. Digital communication is important, but the impact of face-to-face communication must not be underestimated.
In IT security, communication has the difficult task of making people from a wide variety of backgrounds aware of the risks and of the right way to behave during cyberattacks. If you follow these tips, you will create a good basis.