Common Mistakes in Delivering Cyber Security Awareness Campaigns

December 9, 2019, 5:15 pm, by Geraldine Strawbridge

Mistakes happen; it’s inevitable. But the reality is that when it comes to your Cyber Security Awareness Campaign, any mistake, no matter how small, can have a hugely detrimental effect on the security of your organisation.

The results of these seemingly innocent mistakes are continually played out in the press with daily reports of data breaches, cyber attacks and crippling fines imposed for negligent Cyber Security practices.

We live in a different era now, an era that demands a better approach to Cyber Security. Your Cyber Security awareness campaign can’t just be a lacklustre attempt to simply tick a box. It needs to mitigate risk, provide a real defence against cyber threats and educate staff on the importance of their role in safeguarding sensitive company data.

It can be difficult to know where to start or what areas present the highest risk but by acknowledging the most common security awareness mistakes, you can start to develop a robust Cyber Security awareness campaign that defends against evolving cyber threats and effectively complies with regulatory frameworks.

Some of the most common security awareness mistakes include:

1. A Blasé Approach to Cyber Security

Many organisations pay lip service to Cyber Security but fail to take the threat seriously enough. They may believe that they’re too small to be attacked or that money could be invested in other areas where there’s a more immediate return on investment. These are dangerous assumptions to make.

According to the Verizon 2019 Data Breach Investigations Report (DBIR), 43% of all cyber-attacks now target small businesses. The reality is that cybercriminals are increasingly going after smaller and mid-size organisations as they typically have less money and resources to invest in Cyber Security. It may be the big brands that hit the headlines, but every organisation is a target and needs the appropriate Cyber Security measures in place to defend against attack.

Human error remains the root cause of all Cyber Security breaches so it’s vital your organisation implements an effective Cyber Security awareness campaign that educates staff on how to identify and respond appropriately to evolving threats.

2. No Clear Objectives

If your security awareness campaign is to succeed, you must have clearly defined objectives that outline what you hope to achieve. Your objectives should identify and address the problems that your organisation is currently facing. This could be phishing attacks, remote working, password security, regulatory issues or physical security. Cybercriminals are continually looking for areas to exploit so unless your security awareness campaign properly identifies all the areas of risk, your organisation is vulnerable to attack.

The next step is to identify your target audience. Different staff in your organisation face different threats so rather than sending out the same generic content to everyone, your employees should receive targeted training that is relevant to their role. By conducting a detailed risk assessment, your organisation will be in a much better position to create a security awareness campaign with clear objectives that can be properly measured and evaluated at a later date.

3. Boring Content

Your Cyber Security awareness campaign is doomed if you keep bombarding your staff with the same old bland and repetitive content. Cyber Security is a dry enough topic as is without compounding it with long PowerPoint presentations and monotonous slide decks that play no role in conveying the very real threat that cybercriminals pose to your business. And make no mistake about it, these threats are real. Regardless of size, sector or location, every organisation is vulnerable and will be actively targeted by cybercriminals.

The key to mitigating this risk and creating a more cyber secure workforce is through the use of engaging and relevant content. Storytelling is a very effective way to help reinforce your Cyber Security messaging. According to Stanford University research, stories are up to 22 times more memorable than facts alone. If you can make Cyber Security relatable, your employees are more likely to retain the information, therefore improving the overall security posture of your organisation.

It’s also important to use a variety of different methods and formats to keep your audience engaged. Live-action videos, animation, quizzes, policies, blogs and awareness posters can all be combined to create a comprehensive security program that positively impacts employee behaviour.

4. Infrequent Training

In years gone by, organisations would roll out an annual Cyber Security course and hope that it would be enough to keep their staff up to date with the latest threats. However, times have changed. Cyber threats are evolving all the time so unless your staff are receiving regular training, they will not be able to recognise the sophisticated threats that are being used to target them.

Cybercriminals will typically attempt to infiltrate your organisation by exploiting vulnerabilities in software, phishing, malware or through general poor security practices. As we’ve become more knowledgeable about these different types of attack methods, cybercriminals have had to become more devious in their attempts to defraud us. 30% of security events can now be attributed to careless or uninformed employees so unless your staff are receiving regular training, they could pose a significant threat to the security of your organisation.

5. Not Rewarding Staff

It can be too easy to get caught up in trying to identify the individuals that pose a security risk to your organisation, rather than rewarding staff members that are actively identifying threats, practising good security behaviours and motivating fellow employees in the process. These are the staff members that are key to the success of your security awareness program and should be rewarded accordingly.

Rewards could include trophies, prizes or public praise and recognition that their efforts are being appreciated. It’s been scientifically proven that rewards influence human behaviour, so by creating an incentive program that rewards positive security behaviour, you are more likely to create a cyber secure workforce that is committed to protecting your organisation.

Gartner has produced a detailed research paper that highlights 10 common security awareness mistakes and how they can be avoided. To read the research paper and find out how you can change security behaviours within your organisation, visit: https://go.metacompliance.com/gartner/10-common-security-awareness-mistakes/