The key to security awareness? Get your internal marketing sorted!
18 October 2018
Ian Bishop-Laggett, Head of Insider Security at Schroders and Cyber Security Connect UK Committee Member, shows us how getting your internal marketing right is key to improving security awareness
The human element of a business is arguably the most vulnerable to cyber-attack. From phishing emails tricking users into downloading malware or sharing confidential data, to poor practice and simple mistakes that inadvertently create security gaps, almost all attack strategies prey on the workforce in the first instance.
While good security technology is essential in identifying these threats and keeping users safe from being exploited, a well-informed workforce that is able to proactively spot potential cyber risks can make all the difference.
Establishing good security awareness is easier said than done, however, with workers often seeing cyber as an issue for the IT department, and an irritating distraction from their work. It’s also all too easy for security messaging to fade into the background as just another piece of corporate comms in the busy workplace.
Security awareness efforts also frequently fail because they are too passive and vague. Campaigns tend to fall back on what is often known as SPLAT – Some Posters, Leaflets, Ads and Things. The result is a loose collection of material that does little to really engage with the workforce or improve awareness. Instead, companies should look to run their security awareness campaign in the same fashion as an active marketing campaign targeting their customers.
Marketing to your workforce
Any internal comms around security need to be the result of proper planning rather than just being completed as part of a tick-box exercise. This means the project should start with some clearly defined objectives for what the campaign will achieve and how it will be measured.
Just like an external marketing campaign, it’s also important to establish a distinct brand and identity. This is particularly important in a large company where personnel will be used to seeing a lot of corporate messaging and branding everywhere. The awareness campaign needs to match the corporate identity but be distinct enough that it stands out – for example using the same branding elements but in different colours.
Smaller companies won’t need to worry about the corporate comms issue, but creating something memorable and distinct is still vital for a business of any size. At Schroders, for example, we created the taglines “think secure” and “ideas worth protecting” which were present on all of our material and helped to establish a memorable identity.
Establishing a presence
To avoid a lacklustre SPLAT approach, you should look at creating as many different touchpoints for the campaign as possible. It’s commonly agreed in marketing that you need to see a brand in seven different places before it really becomes cemented in your mind. Aim for a combination of posters, emails, web graphics, and collateral like stationery and stickers.
Mixing digital and physical elements works well here, particularly if you provide attractive items that staff can use or take home. People are generally less interested in desk-cluttering bric-a-brac these days, but useful things like security holders for credit cards, or even a pack of sweets, can work well. These items won’t deliver a message by themselves but will build familiarity for your security awareness brand.
Interesting and eye-catching design work can also go a long way to a campaign’s success. For example, for a campaign around phishing we used strong fishing-related imagery with hooks and bait, accompanied by powerful statistics on the number of attacks and potential costs.
Making a difference
Flashy designs obviously need to be backed up with some real substance, and it’s important that key material delivers something informative and practical. It’s easy to fall into scaremongering tactics about the risks of attack, but there should be something actionable there too. I find it particularly useful to offer advice that users can take home with them and use in their everyday lives as well – for example spotting malicious emails in their personal accounts or securing their home devices.
Finally, all material should be tied together by directing users to a single resource such as an online portal that provides more in-depth knowledge and advice.
A workforce that is truly engaged and aware of security threats will act as an effective frontline defence against attackers. They can both minimise the mistakes and practices that present opportunities for criminals, and potentially spot and report signs of malicious activity in the event of an attack. At the same time, technology such as behavioural analytics can be put in place to spot more advanced threats and pinpoint suspicious behaviour to prevent serious attacks.