How should one communicate a security awareness campaign?

Awareness kommunizieren - doch wie wird das gemacht?
Today, employees are an important factor in information security and require appropriate training. But how do you communicate training measures and awareness campaigns that could be critically evaluated at first glance because of employee privacy?

Modern technologies such as firewalls or virus programs are no longer sufficient to ward off attacks by cyber criminals. Aware employees are essential to secure a company. "Security awareness" means that employees know what risks are posed by phishing attacks, for example, how to recognize attacks and what they must do if something goes wrong. In the digital world of work, it is impossible to imagine a phishing protection without security awareness and sensitized employees.

If, however, the conveyed knowledge is not applied by the employees due to a wrongly chosen communication, even a security awareness campaign will not lead to the goal. Essential for a good security culture are enlightened employees who know and accept their responsibility for the security of the company. In order to have a lasting effect on the culture of a company, good and coherent communication is therefore required at different levels.

In a study by Trend Micro, 63 percent of the IT and security decision-makers surveyed in German companies named internal communication as the greatest challenge for cyber security in their companies. 43 percent of those surveyed reported problems in communicating complex issues to management. The study also shows that it often takes a sensational cyber attack to get the necessary attention for IT security: 69 percent of respondents experience that after incidents like WannaCry, communication becomes easier for them. This raises the question of how IT security managers and IT security officers can overcome these communication barriers before such attacks happen [1].

Statistiken zur Security Awareness und Herausforderungen einer Awareness Kampagne

Internal communication is perceived as one of the biggest challenges of awareness campaigns

Part of the problem: The topic of security awareness is located in the IT department of many companies. 80 percent of awareness professionals have a technical background [2]. Very few people who plan and supervise security awareness measures in companies have therefore learned the necessary skills in the areas of communication, marketing or psychology during their studies or outside of them.

7 tips for communicating a security awareness campaign

Many IT security managers are therefore developing these skills through learning-by-doing. With these 7 tips, you will strike the right note in your security awareness measures:

  • Motivating employees through proper communication: Dealing with IT security is still a tedious task for many. So make the information for your employees as exciting and clear as possible. Use internal examples of risks when presenting the risks or present the private benefits for the employees. This helps employees to identify with them more easily. A humorous manner is also often well received by the employees. For example, a cartoon can be used to convey information in a simple, short and entertaining way.

  • Promoting a culture of trust: If employees do not report errors, it is difficult to discover them and avoid them in the future. Therefore, build up a good failure culture in your company through open communication. In particular, fear-inducing communication, threat scenarios or punishment of employees should be avoided at all costs. This requires a sure instinct.

  • Bridging knowledge gaps and language barriers: The IT department speaks a different language than the employees in the other departments. Be aware of your knowledge lead. Therefore choose a target group-oriented, simple and understandable language so that your information can be understood by all employees, regardless of department or level of knowledge. For example, IT technical terms should be avoided unless the addressees have an IT background.

  • No confusion due to conflicting information: The desired and communicated rules of conduct should be consistent by aligning them with existing internal guidelines.

  • Involve managers: Executives must be brought on board and act as ambassadors to spread the word about the topic within the company. It will be very difficult to spread the topic of IT security against the resistance of the executives. This requires a corresponding commitment from the high levels. The managers can then carry the topic further into the teams as ambassadors and convey the importance of the topic to the employees.

  • Consider cultural differences: Does your awareness campaign address employees from different countries? To achieve the expected success, cultural differences should be taken into account when communicating with employees. In addition to manners and communication tools, risk perception can also vary depending on the cultural context.

  • Use different channels: Es gibt verschiedene Lerntypen Medien-Nutzer-Typen. Daher ist es empfehlenswert bei der Kommunikation mit den Mitarbeitern multimedial vorzugehen, d.h. verschiedene Kanäle einzubinden, sowohl digital als auch physisch. Digitale Kommunikation ist wichtig, es darf jedoch nicht die Wirkung von Face-to-Face-Kommunikation unterschätzt werden.

In IT security, communication has the difficult task of making people from different backgrounds aware of risks and the correct behaviour with regard to cyber attacks. By taking these tips into account, you create a good basis.

About IT-Seal

Inattentive employees endanger companies. IT security managers can use IT-Seal's easy-to-use workflow to train their employees individually and reliably so that they protect your company.

Would you like support with a security awareness campaign? We are happy to help: Get in touch with us!

Sources

1] Study by Trend Micro: Internal communication is the biggest challenge for cyber security, https://www.trendmicro.com/de_de/about/newsroom/press-releases/2019/20190129-interne-kommunikation-stellt-groesste-herausforderung-fuer-cybersicherheit-dar.html

[2] 2019 SANS Security Awareness Report: The Rising Era of Awareness Training, https://www.sans.org/security-awareness-training/reports/2019-security-awareness-report<