What cybersecurity awareness techniques have you found most effective?


Director of Tech and Cyber Strategy in Finance (non-banking), 1,001 - 5,000 employees
1. You have to tailor for your audience.
2. Understand that these things are not always going to be engaging so focus on what is practical. Less is more. Social engineering, password hygiene--focus on ROI.
3. Iterate. Get feedback to support a test-and-learn approach.
Information Security Manager in Software, 201 - 500 employees
We tried a lot of things, presentations, videos, but the most successful one was the hands-on experience: the lab where employees can see what might happen if they click on something they should not have. I know it is hard work, but after that everyone became responsible.
CISO in Software, 201 - 500 employees
Plus one on both tailoring to the audience and doing it repetitively. It's best if it's brief and straight to the point, rather than a long, over-encompassing presentation.
In my onboarding, I focus on everyone's responsibility for information security and how to reach us.
Our simulated phishing campaigns are intended mostly to remind our employees that anyone may become a victim, and are usually focused around something very relevant. And we do personally reach out to all who report it and discuss or explain.
In the end, you either spark an interest in the recipients – and then you've done your job well – or not, and it's a loss of time and effort.
CIO/CISO in Healthcare and Biotech, 11 - 50 employees
A hands-on approach consisting of two prongs: 1) employing awareness training by the usual means (videos, simulations, etc.); 2) consistent and never-ending personal engagement with business leaders and other key stakeholders to keep the importance of security awareness elevated on a consistent basis.
Director of Information Security & Technology in Healthcare and Biotech, 51 - 200 employees
Continuous phishing simulation campaigns with mandatory remediation training have been incredibly effective for increasing end-user reporting of suspicious emails.
Director of Information Security in Manufacturing, 1,001 - 5,000 employees
Important elements for sure are repetition, as well as a positive approach (not name and shame). But what I found as well is that variation is really important. We tried e.g. a phishing campaign, and each iteration was better than the previous one. Until we changed the format, changed the message, and tried again. The click rate went through the roof... It appears that you can train people to recognize a certain pattern, but everything not following that exact same pattern may actually get through :-( Now we change it up a bit.
Head of IT and Security in Finance (non-banking), 51 - 200 employees
Awareness campaigns using videos and staff trainings. Social security is the main threat to focus on.
Director, Security Operations in Telecommunication, 501 - 1,000 employees
We've evolved our approach over time and have seen positive results. Using 3rd-party content providers, we review content at least twice a year and also include real-world scenario testing on a quarterly basis. In order to keep things top of mind with the staff, we've also adopted an ongoing awareness campaign which includes monthly email content (similar to content sent out in October during Cybersecurity Month), containing interesting statistics and other data bites.
Director of Technology and Special Projects in Retail, 5,001 - 10,000 employees
Short, to-the-point videos have been the most effective when supported with follow-up. Agree with others that repetition is key, and the approach we have found successful is to use video (2-3 min) as the initial tool and then follow up on a regular basis using things like email/Intranet bulletins to reinforce key points.

Providing our Support agents with standard, brief education scripts to use when they happen to come across a customer/user not following a best practice has also been effective.
Director of IT in Manufacturing, 201 - 500 employees
What I use is to present the security policies using videos, with a mandatory reading control for all new hires during onboarding induction, and then recurring every 6 months. In addition, we send weekly capsules by email about cybersecurity awareness, some with videos and others with infographics. The point is to be repetitive until users become aware and treat security as something necessary.
