Not too long ago, a client of ours who had just released a dynamic new cybersecurity awareness course told me how blown away he was with the response they were getting. His inbox was full of compliments, and his colleagues wanted to duplicate his training success in their own departments. He recounted how employees stopped him in the hallway to thank him for not boring them to death. In short, his awareness program created a buzz.
This kind of email is a thrill to get in my inbox, and not just because it means we have a happy customer. Ultimately, what motivates me is helping people to become aware of the risks around them and to act in ways that protect themselves and, by extension, their employers. It sounds a little corny, but I dig technology and the access that it provides to the world, and I want to preserve that access by helping people navigate through the rough spots. So, when I hear about successes like these, it tells me, “Here’s a company that will succeed in part because it creates a risk-aware culture where people know how to avoid cybersecurity threats.” That’s what we’re all after, right?
The question is: how do you know that you’re having success with your own efforts to increase awareness? Here are some signs that should tell you you’re on the right track:
1. People Boast about the Tricky Phishing Email They DIDN’T Fall Prey To
Good news! Everyone is on the lookout for phishy emails, even your C-level execs. When people spot a good phishing attempt, they post it up like a notice on a registered sex offender. And the results of your ongoing phishing tests? They’re getting better all the time. We’re having a lot of fun in my own company as we all become connoisseurs of tricky phishing schemes. Just last week, for example, our sales team received a particularly assertive email that used strong language (“Here you go, you f---- thief!”) to claim the recipient was being sued. Two sales reps independently reported the phishing attempt and spread word around the office. And we all talked about why this attempt could work, namely, by shattering people’s sense of decorum and putting them on the defensive. I can hardly express how happy this made me to have people dissecting the ways that cybercriminals attempt to use emotional appeals to break down people’s defenses!
2. Employees are More Aware of Their Surroundings
Awareness means more than watching your inbox, of course. It also manifests itself in the ways people protect your facilities. For example, you may notice that your employees aren’t falling for the clever ways people try to gain unauthorized access to your building. Even that well-dressed pregnant woman with an armful of boxes gets a friendly escort to the front lobby—or back to her car. What do your employees do when they notice that a coworker has left their computer unlocked when away from their desk? In our office, people used to punk those with unlocked computers by sending out an embarrassing (but good-natured) email to the whole company. But we quickly found that a little much. Now, if you come back to your desk and find “It’s Peanut Butter Jelly Time” playing on your computer, you know you’ve slipped.
3. You Hear People Discussing the Training Itself
For the client I started this article talking about, the simple fact that people discussed his training (and positively) was the obvious sign that cybersecurity mattered. When it comes down to it, people talk to each other about the things that interest them, and the fact that they were talking about cybersecurity instead of the reality show du jour was a great sign. If you’re running a security awareness program well, you’ll set the groundwork for conversations all the time.
4. No More Password Post-its
Many IT staff I’ve known over the years saw password sticky note hunting as a competitive sport. You know what I’m talking about: employees who’ve grown tired of all the passwords they have to create for work and resort to leaving them written around their workspaces. Passwords scrawled on Post-it notes and “hidden” under desks and on the flipside of keyboards are one way to know that cybersecurity best practices are not being followed. A lack of this classic sign of security fatigue, however, is a sign to you that your awareness efforts are doing their job.
5. The Proof is in the Numbers
Hard data is perhaps one of the easiest ways to see if an awareness program is bearing fruit. For one, keep an eye on incident reports. Is the number of incident reports increasing while the actual incident count is falling? This means the training is reaching your employees. Heightened awareness combines with proactive behavior to nip potential incidents in the bud. If you’re looking for metrics to show that your awareness program is working, this is the “show me the money” metric that proves the culture.
There are other metrics to look at, too. You may have knowledge assessment scores that have increased, especially in the high-risk areas you identified in your initial assessment. You may have evidence that your phishing program, which you’ve been running throughout the year, has directed targeted training to those who need it most and that most users have improved phishing detection over time.
If you’re running an awareness program and looking for signs that you’re making progress, don’t feel bad if you’re not getting pats on the back because people love your training; the signs may not be that obvious. But do keep your ear to the ground for the subtle signs that a risk-aware culture is growing in your organization. The work you are doing may take a while to pay off, but the effort is well worth it.
About the Author: Tom Pendergast, Ph.D., is the chief architect of MediaPro’s Adaptive Awareness Framework, a vision of how to analyze, plan, train and reinforce to build a comprehensive awareness program, with the goal of building a risk-aware culture. He is the author or editor of 26 books and reference collections. Dr. Pendergast has devoted his entire career to content and curriculum design, first in print, as the founder of Full Circle Editorial, then in learning solutions with MediaPro.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.