Let’s be honest. When it comes to cybersecurity awareness training, users generally do one of two things: try to click through it as quickly as possible or avoid it altogether. As cybersecurity professionals, we know their awareness of the threats and commonly used tactics to infiltrate networks and exfiltrate data is a critical element in our program. Generally, though, the everyday user doesn’t appreciate the importance of their role. It might seem futile to convince them of the added value in being cyber-savvy, but it’s not. As with anything in life, knowledge is power.
Like so many things, the approach we take is key. Looking at it from another perspective is helpful. What do you do when you’re trying to convince executives to invest money in a new cybersecurity tool? We use the basic formula of Risk = Threat × Vulnerability × Asset Value to validate that the cost of the control is less than the probability of occurrence and will decrease the risk in a cost-saving manner. We can do the same from the original perspective with a new, user-focused formula: Enhanced Professional & Personal Security = Cyber Awareness Training + Critical Thinking.
Have I sold you, as a respected cybersecurity peer, on the idea? Yes? Great! Now, how are you going to sell it? It’s simple. You launch a cybersecurity marketing campaign. If you’re not sure how to do it, I suggest using the Canva app. Even the free version has great layouts that are easily customizable. Find one you like, import your organizational logo and change the color palette to match it. Then, fill in the selling points. The flyer below contains a few I came up with in writing this. It would be great to come up with your own creative approach, but feel free to use these too. I share them without a copyright statement for this very reason, and you can easily import the flyer into a slide and cover the “insert here” areas with your own text box. You can reinvent the wheel another day.
Both the formula and the talking points are simple and easy to understand, yet admittedly, there’s no guarantee every organizational user will buy the idea you’re selling. Just like any product, though, a segment of them will buy it. Then, as with any good product, positive word of mouth is far more effective than a costly advertising campaign. One person relating how something they learned helped them recognize and avoid a threat received on a personal device can increase the likelihood of others not only complying but actually paying attention to the training content.
Is the idea guaranteed to work? No, it’s not, but will it increase the threat to the organizational network? It certainly won’t. It’s a different application of the same idea made famous by hockey great Wayne Gretzky: “You miss 100% of the shots you don’t take.” So when the next cybersecurity awareness season rolls around, put together a visually captivating email flyer and take your shot with your users. Rest assured that some of your shots are bound to land in a user’s goal, and you’ll feel good knowing you left everything out on the organizational ice.
