By Joanna Huisman, KnowBe4's new SVP Strategic Insights & Research.
I have a big birthday coming up, and as you can probably guess, I’m less than thrilled about it. I tell myself it’s one day out of the whole year and after it passes, I don’t have to think about it again for another year. Security awareness is not like a birthday.
Although we pause during the month of October to reflect on the importance of being more security aware and remind our employees of their role and responsibility in protecting and defending the organization, we need to be vigilant every month and day throughout the entire year.
Organizations often hold elaborate events during the month of October, saturating employees with messaging, contests, games, and giveaways -- all in the name of getting the employees’ attention, buy-in and commitment. One organization I worked with spent upwards of $500K to send small individual boxes of tchotchkes and posters to all global employees. I asked how they were measuring the awareness effectiveness or behavioral change that would result from such a large-scale initiative. The answer…they weren’t.
If you’re doing something for the sake of doing it, you might as well not do it at all. I can guarantee that most of those boxes were disassembled and discarded as soon as employees realized that they couldn’t write more than 4 words on the 1x1 Post-it notes and that the phone stands just drew more unwanted attention to their unsupervised phone.
Don’t get me wrong, you should definitely support and celebrate security awareness in October, but you should give as much attention to it every single month. I will take it one step further and encourage you to talk about how your culture is becoming more security aware as a result of the ownership your employees are taking in the fight against cyber criminals. As my esteemed colleague Perry Carpenter notes in his book Transformational Security Awareness… “Just because I am aware, doesn’t mean that I care.” I liken it to my teenage son’s interest in showering: he is aware that at times he smells, but he just doesn’t care.
So, the question becomes, how do you get your employees to step up their individual ownership? Well, first, as an organization, you need to invest in it. Do you have the right tools and program in place? KnowBe4 is the world’s largest security awareness training and simulated phishing platform to help you manage the ongoing problem of social engineering.
As a client, your KnowBe4 subscription gives you access to the world’s largest security awareness training library with always-fresh content, via the unique ModStore. If you have yet to realize all the benefits of partnering with KnowBe4, stop whatever you are doing now and take a look. This Security Awareness Month, KnowBe4 is offering all organizations free resource kits containing exceptional free training, a sample training plan, infographics, videos, and more. Perfect time to take a look and try something that is proven to work.
Employee ownership starts when your users feel connected to how their individual contributions will impact the end goal and how it will personally benefit them. Start by linking employee engagement in goal/objective setting to driving a more security aware culture. Get in writing how their contributions and commitments to be more security aware impact their performance and the overall resilience and viability of the organization.
Create communities of ‘culture carriers’ where employees have the opportunity to evangelize and participate more closely in operationalizing the program. Such programs give you greater reach into the organization and allow those with local influence to leverage their position and voice. Bottom line: get your people involved!
Consider reward and recognition programs to highlight individual contributions. Employees will be motivated not only by the actual reward; it’s human nature to want to be recognized for doing something well, and that will become contagious throughout the ranks.
So, make it a great October bringing attention to security awareness during National Cybersecurity Awareness Month, but remember, do it again in November, December, January, etc…