If 2020 taught us anything, it was that things change and unexpected things happen. Any security practitioner will tell you that security threats are always evolving. It’s clear that efforts to make end users aware of threats, in order to protect themselves and their organisations, have to keep up.
We need to keep people up to date, but also to seize upon teachable moments when available. These range from using reported phishing emails to highlight specific threats to your organisation through to highlighting security incidents reported in the media and elsewhere.
People love a good story, a narrative. In fact, narrative-based learning is increasingly seen as being highly effective at increasing comprehension. And opportunities to draw on real-life situations and stories are rife, offering the potential to highlight security threats in a relatable way.
Simply reviewing the NCSC’s threat reports for the last few months provides stories on things like:
These stories represent great opportunities to engage people with topical content, relevant to both work and personal security. But, as a security awareness or security practitioner, how can you best make use of this?
Let’s explore a few options.
It’s clear here that we need a content creation and delivery cycle of hours or days, rather than weeks or months. We want to be able to react to new threats and deliver topical content. And we want people to see it straight away. e-Learning probably isn’t going to be much help.
A good set of security pages can play a crucial role in supporting awareness and secure behaviours. It can be home for policies and guidance. But, let’s be honest, people won’t visit these pages very often.
How many emails do you get on average each day? Open rates for newsletter-type emails are around 10-20%. There’s just too much competition for attention in the inbox.
We’ve asserted before that Security Awareness needs to adapt. Gone are the days when an annual awareness course will cut it. Traditional channels struggle as mechanisms to deliver the sort of timely content that is needed. Which would seem to be a real missed opportunity unless we can….
The challenge here is to be able to adapt quickly, minimise impact on staff (giving them short snippets of information and a choice over when to engage), win the competition for attention, yet still pass on those key pieces of actionable advice.
And it is possible. We’ve seen engagement levels of greater than 90% with content that:
Security Awareness need not always be a rigid compliance-based syllabus. A key part of the battle is to engage users and get them thinking about security and secure behaviours in any (and all) aspects of their lives.
Topical and relatable content offers the potential to do this. And a new channel, such as that provided by Redflags™, offers the ability to deliver that content. Right content, right time, right way.