Companies are now spending hundreds of thousands in an effort to shore up their human firewall in schemes such as security awareness campaigns. The lessons shared here have been taken from insights shared by multi-national organisations about what worked in their awareness campaigns at the June 2009 ENISA conference in Canary Wharf. As the event was labelled a Chatham House rules event, we are unable to divulge the names of the companies and individuals but can share some of the lessons.
Get Your CEO/President Involved
In one presentation we were shown a professionally produced five minute video clip of the president of the organisation, giving a message of working securely and the reasons why to the employees. The CISO emphasised that the most important aspect of this video wasn’t the great production value or even the message itself. It was the fact that their president was giving the message.
Having your CEO/President of your organisation give a message about security is a powerful way to help build cultural change in creating a secure business posture from the top down.
LESSON: Security Awareness should not take place without senior executive involvement and backing.
Use Every Communication Channel Available
One Security Awareness Officer spoke about how they developed materials to reach members across the whole employee spectrum. To do this they took an inventory of the different media used by employees, from senior executives to administration and facility workers. Their analysis identified a number of monthly internal newsletters read by different groups of staff, how often and by whom the internal website was used, and a number of other media. As a result of these findings, the company was able to create and plan appropriate regular articles for each of the media.
Posters, mugs, thought-for-the-day logon scripts, default home pages and many others were also used by these organisations to help get messages across. In this way, people were constantly reminded of the need for better security, whether in the office, toilet or kitchen.
LESSON: Use every communication channel to reach out and embed a security-aware culture.
Make it On-Going
Security awareness is not just for Christmas; it has to be embedded within the culture of the organisation and as such needs to be communicated to the organisation regularly. If it is only talked about at induction, it will quickly be forgotten. In any campaign, you will need to create a plan of materials and instruction for the next two to three years. This is not easy, and you can guarantee senior executives will be querying every line of the budget proposal!
LESSON: Security awareness needs to be on-going. As security and business practices change and new types of hacks and malware are found, employees need to be kept up to date on the issues.
Have Live Hacking Workshops
One CISO commented on how successful their regular workshops were. These included a brief presentation with lots of employee participation and a demonstration of how a security breach may occur (a live hack). In some cases they instructed a non-IT-literate employee to come to a console and perform the hack themselves, to emphasise how easy it is to break in without a proper security posture. The briefings themselves are not about the benefits to the company but about the benefits to the employees themselves.
LESSON: Use the WIIFM (what’s in it for me) to make your programme have greater impact.
The same CISO also commented on the fact that many companies have e-learning modules and great videos but without some form of feedback with an instructor, senior manager or dedicated facilitator, much of this instruction is lost to the employees.
LESSON: Employees need participation, feedback and discussion and you need it to see how effective the programme is.
Roadshows and Prizes
Several multinational organisations also ran regular roadshows with spot prizes (USB sticks, pens, etc.) for people who correctly answered questions. The roadshows were designed to handle questions from users, promote security in a fun, exciting way, and show users how security was enabling the company to handle more business. This was found to be effective in getting an idea of what people knew and in creating a buzz around security.
LESSON: The awareness campaign needs to engender fun and interest in order for employees to take the messages on board.
Summary
There were many other lessons shared but sadly not enough time to network. The European Network and Information Security Agency is the EU agency dealing with Network and Information Security within the European Union and has been promoting a number of events to help bolster the security stance of member states. They are producing, on an on-going basis, a repository of awareness videos and posters that are freely available to all organisations within EU member states. If you would like to view or download these videos and posters, click on the appropriate references below.
ENISA Videos http://enisa.europa.eu/pages/ar_videos.htm
ENISA Posters http://enisa.europa.eu/pages/ar_posters.htm