Cyber Security Month. What can you do?

Tony Gee 08 Oct 2020

October is Cyber Security Month, when organisations like the CISA, the ECSM, and many more promote initiatives to help raise security awareness. Around the world companies are dedicating time to improve staff security awareness, and it’s a really busy time for us.

You may be thinking you’d like to do something but are stuck for ideas to run. Below I have listed a few ideas that I have seen work really well at engaging staff and helping change culture.

Posters

Posters are an old stalwart. They can be successful but need to be kept fresh and be eye-catching. The message needs to be simple, the visuals strong and amusing. Key messages could be:

  • Use a password manager
  • What’s on that USB you plugged in?
  • Oversharing on Social Media again?
  • Turn on Two-Factor Authentication
  • Lock your workstation
  • Think before you click

You could also include some key policy messages here, but don’t overdo it. Remember, it needs to be interesting. Telling your staff on a poster why you use AES-256 encryption is dull!

Engage with your marketing teams or external designers to help you out too. Not only can they make the designs look good, but they can keep the wording appropriate to the whole company. Put posters everywhere: in lifts, on doors, in toilets, in staff rooms, anywhere staff will see them. You could even use digital signposts or screens for these messages.

Security tip of the week/month

This is a great way of keeping the message current. Each week or month send out a different tip. There are many ways to do this: email, Teams/Slack, posters, banners on intranet pages, whatever works best for your organisation.

The tips could be as simple as how to use a password manager or how two-factor authentication can work. I would talk about personal and home security issues as well as work ones. This will help endear your staff to your messages. If you share home security advice, they are more likely to do it as they can see the value to them personally.

Security branded ‘stuff’

Another way to help keep security messaging in people’s thoughts is to give away nice branded items.

Some things I have found work well: branded paper cups for use in your onsite café (you can get 1000s for less than £50); USB blockers, a great way to tie in to USB security; fidget cubes, the modern day ‘stress ball’; and socks. We give our own socks away; they are a fun way of getting interaction. I’d avoid tacky mouse mats, pens and dull stuff you wouldn’t even bother picking up at a conference or trade event.

There are so many innovative gifts these days, from facemasks to water bottles, to notepads and card blockers. Almost anything can be branded with your key messages.

Security stall with games

Set up a virtual stand, be that in a channel on Teams or Slack, and allow people to ask you any questions. You could also tie in to your branded items by rewarding those who ask questions or perhaps those who send you an example of a phishing email.

Anyone who sends you a phishing email gets something. You’ll have loads in a few days and staff will be on the lookout for more. You could even do something like a loyalty scheme with gifts: after the 6th phishing email they win a free coffee, for example.

Security champion program

A security champion is someone who works in key departments and is your security eyes and ears. It can be as simple as them just helping field questions or as high a level as having local password reset ability. It is a great way of empowering departments to provide localised help and take the weight off you. These people could be rewarded with dinners or tech.

You could take this further and set up full virtual security champion teams. When lockdown restrictions are eased and lifted you could provide an away day, complete with lunch, to brainstorm ideas for the next Cyber Security Month. I’ve spoken as an external speaker at a number of days like these, giving a different perspective and providing some external view of the risk.

Security stats

You could send regular security stats out each week or month. This is not an opportunity for you to blow your own trumpet about how amazing the security tools you put in are; it’s to focus on the things that end users alerted you to. “We had 27 phishing emails alerted to us this month, everyone got a pair of socks, two people got their coffee free for a week” etc.

You could also talk about any breaches you may have had. Do not name names though. Focus on how you found the breaches and how the response was carried out. This is a great way to provide insight into what you do and give relevance to your budget spends.

CEO announcement

Like all good things, getting senior staff buy-in is key to any successful security awareness program. Get your CEO to email the whole company. This may take a little persuasion and possibly a little upward management, and of course time, so plan early.

Phishing

It is so important to educate then test your staff; this can give some basic metrics. However, do not see these metrics as a way of demonstrating the value of your program.

Phishing stats are a fickle thing: one month you could have really positive results and the next really poor. Does that mean that your program has failed? Not always. Sometimes your phishes hit their mark; it’s just an opportunity to keep that message going and keep training.

It is excellent practice to vary your phishing style and targets each month. This can help you identify trends and individuals who may need more help and training.

Securing home computers/devices or family

Providing help and guidance on how to secure home devices and computers is a great way to engage your staff. Your security champions can help here as can your security stall. You can also provide downloadable tips and tricks people can take home to secure their own home network.

You need to be mindful that many staff won’t be technical, so keep it simple. Showing how to set up parental controls or how to securely configure social media, for example, can be useful as there are many options.

Security focused lunch-and-learn talks

At PTP we have a lunch-and-learn every Friday: PTP TeaSides. The content is diverse: previews of conference talks, blacksmithing, origami, home brew beer and mead, first aid for children. You could set up your own lunch-and-learn sessions focused on security, perhaps once a month talking about how to do certain things.

Your home security guidance could be one of the topics. You could also show how to use the email security tools you have in place or do a talk on phishing. There is so much choice and this will really help engage. If you find people struggle to attend, a common tactic is to provide lunch. Now with home working that won’t work, but when staff are in the office, providing a few sandwiches while you talk about security will surely get an audience.

Overall I have found the best engagement messages are the ones that focus less on what you can and cannot do at work, but more on how staff can help fix things themselves; this helps change culture.

A successful campaign is about moving from it being a security awareness campaign to it being a security culture change. When your staff have a culture of security awareness they are much more switched on to the risks you are trying to prevent and much more likely to spot something that is not right and champion security through the business.

This takes time and effort; the things you do in Cyber Security Month you need to be doing all year long. Much like patching your servers: you don’t do that once a year, you do it constantly. A security culture is the same; you have to keep the message going throughout the year.

Good luck, and if we can help you kick your program off, reach out and we will happily help.