It’s National Cybersecurity Awareness Month (NCAM) — do you know how cyberaware your employees are?
National Cybersecurity Awareness Month is an effort sponsored by the U.S. Department of Homeland Security every October. Its goal: to raise awareness about the importance of good cybersecurity practices. This year’s theme is personal accountability.
Does this often mean training happens in October? Absolutely. However, while training is important, good cyber hygiene should be reinforced often. If possible, that reinforcement of good cyber security practices should be engaging, interesting, and even fun for employees.
Yes. Fun.
We realize that’s a tall order. Cyber security awareness efforts can seem, at best, like a to-do list (Did you check the email? Did you update your software?) and at worst, like a scolding (your password isn’t strong enough!).
We promise, however, that it’s possible to have fun with cyber security awareness. Read on for some ideas.
1. Create a series of cyber security events
Rather than just announcing that it’s National Cybersecurity Awareness Month on October 1 and scheduling one talk or training, create a series of events to engage your employees. It could be a lecture series, it could be infosec lunches, a scavenger hunt, or games. You might also want to create a theme for each week of the month, such as passwords, security at home, or mobile security. The goal is to keep cyber security top of mind throughout October and to develop good cyber security habits that will extend into the rest of the year.
2. Bring in guest speakers
Your employees have heard all about security from you and your IT department, so bring in a new voice. Book a cybersecurity leader to talk about whatever your theme is that year — either in person or via Zoom. Extra points if they’re an engaging, fun speaker.
3. Incentivize your cybersecurity month activities
Mandatory training or cybersecurity activities are unlikely to create much excitement around the office, but what if the department that completes training first gets a free lunch? What if the team with the most cybersecurity month participation receives gift cards? By adding rewards to your activities, you’ll improve both morale and participation.
4. Gamify your cyber security
If cyber security is important to you (and if you’re observing NCSAM, it is) you’re probably already doing phishing tests at work. Rather than simply using those tests as a “gotcha,” turn them into a game. At the start of the month, offer employees a list of “clues” that an email isn’t from a real person: it’s not from the email address it appears to be from, it asks for personal information, etc. Every week, see who sniffs out the fake emails and reward them. It doesn’t even have to be phishing-related — several cyber security best practices can be gamified, including password hygiene and understanding cybersecurity jargon. Choose the activities that support your themes for the month, and build your game around those.
5. Reward employees for good cyber hygiene
Rewarding the winner of a game is one thing, but what if a non-technical employee really does spot a fake email and report it? In that case, rewards are in order. Rewards can range from public praise on the company Slack to a gift card. Remember, you want your employees to want to spot bad actors and potential incidents. Positive reinforcement can make your employees more likely to participate in cyber security efforts than seeing their co-workers get publically slapped on the wrist for clicking dodgy links during phishing tests.
6. Work cybersecurity into everyday activities
Cybersecurity month should be woven into the fabric of every day during October. Include a round of cybersecurity trivia questions at the end of meetings, for example, share cybersecurity tips on your organization’s social media, or offer cybersecurity crosswords in the lunchroom.
7. Make them laugh
It’s often easier to learn something if the content is entertaining. Fortunately, there are plenty of videos about cyber security best practices online, and some of them are hilarious, like Ellen’s takedown of an actual physical address book for passwords or Jimmy Kimmel’s cringeworthy video of people on the street being asked their passwords and actually answering. Collect some of the videos relevant to your cyber security efforts and send them out to your employees over the month of October. They’ll be laughing, but they’ll also be learning.
8. Take the conversation online
Encourage your employees to join the online discussion of cybersecurity month by using the hashtag #BeCyberSmart, which is the National CyberSecurity Alliance’s official 2021 hashtag. By dipping their toes in infosec Twitter (and Facebook and Instagram) your employees will get a different point of view about security, and also see what security professionals are talking about online.
9. Use stories
We human beings tend to learn best when we’re being told a story. Stories help us understand why certain information is critical and what the stakes for us are. This is important, especially if you’re trying to communicate information that can seem dull. That’s why SecurityScorecard partnered with CyberHero Adventures, a comic series focused on cyber health. Love comics, superheroes and supervillains? CyberHero Adventures tells the story of people — some fictional and some real – who dealt with breaches, data theft, and cyberattacks. Those people include CyberHero Adventures founder Gary L. Berman. Berman, was a career marketing consultant and entrepreneur whose company fell victim to a prolonged series of insider cyber attacks. The first story in the comic is his.
10. Join forces with other groups
The National CyberSecurity Alliance has been observing CyberSecurity Awareness Month since 2004; every year the organization offers programming, resources and a theme (the 2021 theme is “Do Your Part. #BeCyberSmart”). Use their program as a starting point to design your own program for October. While your program should be tailored to your organization’s culture, having some programs in common with other organizations will give your employees common ground to discuss with other people on social media and at events.
How SecurityScorecard can help
The goal of National CyberSecurity Awareness Month is to get your employees interested in cyber security. That means that they should come out of October prepared to spot fake addresses, protect their passwords, and know how to avoid risk year-round.
You can also monitor your organization’s security posture with SecurityScorecard’s security ratings. Our platform allows you to continuously monitor the most important cyber security KPIs for your company and your third parties, including internal negligence.
The platform automatically generates a recommended action plan when issues are discovered, provides access to breach insights, and shows a record of issues that have impacted scores over time.