When dealing with cyber security, it is often said that people are the weakest link. One vulnerable and gullible employee is all it takes to infiltrate the company network. However, cyber security managers need to ask themselves this question: are people really the problem here?
The challenge for cyber security managers is that they not only have to keep up with the risks of using technologies but must also ensure that employees are educated on the same. To counter this hurdle, cyber security awareness campaigns are launched, but how many organizations do them right? Campaigns are often launched in the form of mass-mailers, posters or workshops. But are these methods truly effective in the age of dynamic content (animation, audio or video)?
Using social media to deliver security messages
Employees are eager to adopt new technologies, especially social networks. According to Weber Shandwick, a global public relations firm, more than 50% of employees post messages, pictures or videos on social media about their employer. Cafyen recently reported several benefits of using social media at work. In the same post, they reported that 78.6 percent of salespeople are using social media to sell. Given such heavy usage of social networks in the workplace, doesn’t it make sense for cyber security managers to revamp their cyber security awareness campaigns?
Though they are often shy of using social networks, these can be a great tool in their arsenal to get their message across. Here’s how:
1. Tell your story through Facebook: It has more than a billion monthly active users and most of them access it during work hours. This makes Facebook a great platform for cyber security managers to tell their story and engage with employees. For example, creatives similar to the following can be posted on the company page or a dedicated group for employees, along with a short blog post:
2. Pass on security tidbits through Twitter: It has more than 500 million active users worldwide. Chances are that most of an organization’s employees already have a Twitter account. A common belief is that if a message cannot be conveyed in 140 characters, it needs to be reworked. How does this translate to cyber security awareness campaigns? Simple. For example, instead of sending a mass-mail containing ten email safety tips, post them as ten tweets distributed throughout the day. Additionally, employees can be tagged and incentives can be provided to retweet and tag fellow employees. Here are a few samples:
#DontTakeLoad of your account getting hacked. Use a long and strong password.
— Yaksas CSC (@yaksas443) September 16, 2015
While you read #TheBigIndianWedding put the anti-virus software in your PC to some work.
— Yaksas CSC (@yaksas443) September 16, 2015
3. Videofy security messages through YouTube: Today, most people prefer YouTube as their primary source of entertainment. It is a great platform to deliver a message that stays with employees. Organizations can even encourage employees to create their own cyber security awareness videos, upload them and share them with the rest of the organization. Below are a few samples:
4. Reward employees through Cyber Security Awareness contests: Contests are being used to promote every other thing, be it online shopping, ticket booking or food ordering. Why not use them to motivate employees to become more cyber safe? Such contests can be run online as well as offline. Apart from educating them, it makes security a fun and creative activity for employees.
If cyber security managers want employees to pay attention to cyber security, they will have to move to these alternate mediums. Offline modes of imparting security education may help them to fulfill their KRAs but they are not as effective. Combine them with social media and a bit of creativity and employees will be all ears.
A penny for your thoughts
Do you agree with us? How does your organization handle cyber security awareness? Is it doing it right?
Uday Mittal is a cybersecurity professional with rich experience working with various industries including telecom, publishing, consulting and finance. He holds internationally recognized certifications such as CRTP, OSCE, OSCP, CISSP, CISA, CISM and CRISC, among others. He speaks on cybersecurity awareness, offensive security research etc. and has authored various articles on topics related to cyber security and software development for a leading magazine on open source software.