I recently attended a customer’s annual security awareness training employee event. I have attended a bunch of these over the years and I have loved them all. But this particular customer threw a great one! It included everything I think a security awareness training employee event should have.
Here is what I think makes a great employee security awareness training event:
- Senior Management Support
This is a biggie. You want someone from senior management to show up and talk about how much they support IT security, security awareness training and employees. Everyone needs to see that senior management cares about keeping the company secure. At the recent event I attended, the CEO showed that he knew many of the IT security employees by name, and some on a friendly, personal basis. He thanked everyone for attending, and thanked everyone for helping to make the company culture one that cared about IT security. He even went out of his way to say that calls from the IT security team were always a top priority and that he always took them right away. He looked to one of the IT security team members and asked, “Isn’t that right?” And the employee quickly said yes. Nothing helps sell a computer security awareness program in an organization better than hearing and seeing that senior management is invested in it, values it and cares.
- Share Stories of Success and Failure
Stories are how we learn, and how we remember almost everything we learn. Nothing helps communicate IT security better than stories. Make sure different team members share their personal stories of social engineering and phishing attacks, how those attacks were able to fool some people and/or how they were recognized and stopped.
I think it is important to share stories where the involved individual was at first fooled. The best stories often come from respected members of the organization, who describe a real-world social engineering attack, how they at first missed the signs, and how they finally recognized it, recovered and saved the company from worse consequences. It is good to show that we are all human and not 100% perfect all the time. Even the best of us can be fooled by a social engineering attack. It also reminds employees to always be alert and not to be embarrassed if they at first miss something. Make sure everyone understands that, when in doubt, they should report any suspicious event.
- Variety of Team Members
Make sure the event includes many different types of team members: management, IT, IT security, front-line employees and team leaders. You want to communicate that everyone across the company is in this together. Try to involve good public speakers, although this is also a time to encourage shy but well-liked figures to improve their public speaking skills. Not everyone is a naturally great public speaker. Giving public presentations is how marginal public speakers with promise become great public speakers. Most organizations are a type of family (a work family), and a well-liked figure, supported by the community while straining to do their best, can often create a bonding moment. Just do not fill the whole event with weak or boring speakers.
Note: The longer the speech or presentation, the better the speaker should be.
- Education
No security awareness training event is complete without actually providing education. Identify a particular weakness across the organization and, while you have people's attention, educate them on that subject. Cover a mix of topics: broad, exciting and new. In the most recent event I attended, they showed many different examples of email, SMS and voice-call social engineering, and spent a few minutes on the emerging threat of QR code phishing. It was a very nice mix of topics and interests.
Note: Make sure to spend the most time on the things that are currently the biggest threats and the growing emerging threats, and less time on super interesting but less likely scenarios. Your job is not just to titillate. It is to educate in order to reduce current and future risk. If you need ideas for timely topics, check out KnowBe4's Security Awareness Training blog. It is updated many times a day with the most current stories of the latest and biggest threats.
- Variety of Content
The best programs include a variety of content, including videos, cartoons, short presentations, posters, quizzes and testimonials. Your security awareness training program should do the same. Variety. Humor. Education. KnowBe4 has the most, best and broadest content available. Use it in your program. I highly recommend using an episode of our series The Inside Man if you can.
- Quizzes
Every event should include quizzes. I have seen good quizzes and bad quizzes. You want your quiz questions to work at reducing the risk of current threats (e.g., phishing, password policy, desired behaviors, etc.). You want the questions to be a mix of medium-hard and medium questions, with a few easy questions thrown in. Use a mix of multiple-choice and true/false questions. Make sure whoever writes the questions understands how to write good quiz questions, offers plausible answer choices (you do not want every question to have only one obvious right answer), and make sure the answers are correct. You would be amazed how many IT security quizzes I have seen with the wrong answers. When in doubt, pull your questions and quizzes from the many that KnowBe4 offers.
- Educate About How the SAT Program Works
This is a great time to remind everyone how the security awareness training (SAT) program works: how the education is delivered, how often, and how often simulated phishing exercises are conducted. I hope the answer to the frequency of both is at least once a month.
- Fun
It is key that everyone finds the event fun. You want to encourage and reward people for attending. This is not a time to be completely serious. Have good food and drinks. Make the environment festive, with banners, posters and whatever else you can think of to signal a fun and light event. Have tons of prizes and free gifts. Give out decent prizes for answering quiz questions correctly. In case of a tie, hand out two prizes. Have more gifts and prizes on hand than you think you will need. Have a big raffle with a nice prize to be given away at the end. This will encourage participation and keep people there until the end. Maybe surprise participants by having three raffle prizes.
- Local and Remote Attendance Support
In today’s world, many workers are remote. Offer both local and remote ways for employees to attend. Make sure you have tested your remote hosting solution so that remote participants can see, hear and participate in everything (e.g., speakers, presentations, quizzes, raffles, etc.). Have at least one person dedicated to hosting the remote audience, and have an AV person onsite before and during the event to handle any AV emergencies. The recent event I went to even had quiz questions and prizes that could only be answered and won by remote attendees, to make sure that the local attendees did not have an unfair advantage. It was team building.
- Not Too Long, Not Too Short
Your event should be right-sized in terms of timing. What is too long or too short is up to you. I think 1-1.5 hour stand-alone events are a good sweet spot for most organizations, but I have also seen large gatherings, held in large convention halls, that lasted all day and that employees could wander into and out of.
- Key Vendor Participation
This part is optional and up to you, but you may want to invite some of your key vendors to attend or participate. Vendors will often agree to sponsor the event (e.g., food, drink, prizes, etc.), speak and present. Ask the vendor representative if they want to participate, and if so, how. Ask them if they are the best person to speak to the group or if they would recommend someone else from inside their company. Oftentimes, they can bring engaging, exciting speakers who bring along good content and really entertain the audience while at the same time providing good education. Remind your vendors that this is not the time for a sales pitch.
- Record It
Record as much of the event as you can to make it available to those who could not attend.
- Project Manage It
Appoint someone to manage the event like the project it is. They can invite the people, communicate tasks and timelines, and make sure everyone understands what their role is and what they need to do. A good project manager is worth their weight in gold.
- It Is OK To Make Mistakes and Take Risks
I have yet to attend an event that was perfect, where everything went off without a hitch. This is not rocket science, and the organization will not come to a halt if everything is not done perfectly. Your goal is to educate and entertain. Overall, you want to help improve the company’s culture around understanding the importance of cybersecurity. If you have done that and employees had a decent time, then you have done your job.
So go out and make the best employee cybersecurity awareness education event that you can. You can create moments, smiles and education that last for a long time.