Make your awareness campaign engaging, at the level of the person you are targeting and make it last long enough to succeed.
Speaking at RSA Conference in San Francisco, CISO Thom Langford said that awareness campaigns need to be about more than just putting up some posters as that will not stop people from doing the wrong things. He said: “It is a habit to get through, so why are looking at this in a short term basis?
“We are not black and white and need to use all of the colours to put awareness campaigns together and what we are doing is pulling together different technologies and throwing spaghetti to the wall and hoping it sticks. It is the same thing over and over again without the results we want, and we do it for a few months and expect a different outcome. We are trying to change behaviours and try to change lives in a few months, but it takes generations to change.”
Langford also said that users are treated as though they are stupid if they do something wrong, and instead we should treat them like heroes and guests, as they are people that we value. “But we see them as an inconvenience who get in the way, and we put up posters,” he said. “But really they are bored as we do the same thing time after time and it has to change, it has changed in marketing and needs to change for us.”
Langford said that what is needed and what has worked in his company is an awareness programme that surprises people, uses humour and gets people familiar with the security team and has an offline message.
“We found people engaged with the cutouts we placed in the office and decorated them, but it didn’t matter to us, as we knew they were engaging with the campaign,” he said. The results, based on statistics from three months were that incidents were down by two thirds, laptop losses down by a third, formal requests up by a quarter, and water cooler conversations are through the roof. He said: “We intend to run it for two years as a long term awareness program.”
He encouraged three takeaways on awareness: think about the programme and are you providing a story that goes with it and what do you want to do to engage from a visceral perspective; make sure it works for organisation; and punctuate and to plan forward activities and keep people engaged.
