A Halloween nightmare:
Thunderstorms rage outside. Calendar alerts shriek in unison throughout the room as suspicion and anxiety rises. Lightning crashes. Users stare at their screens in horror as the dreaded “Security Training” invite rears its ugly head once again. “Say it isn’t so,” says the Head of HR. “It just can’t be… Already?” comes from someone hiding under a table in the Marketing department. “Please not again!” screams the Sales Manager as she flips her desk and runs away.
Don’t let this scary tale become a reality at your company.
To a security professional, it can often be shocking that people working in other fields aren’t quite as excited about this topic as us. We often think to ourselves, “But it’s so important. Why don’t they realize?” Just because this is our passion, does not mean that this is the case for everyone; but at the same time, this does not negate its importance.
So how do we approach users without smothering them with information or seeming a little too… overly attached? Here are a few tips!
Security needs to be:
Instead of handing over countless pages of security policies and expecting users to read them (nobody will read them), find ways to make this easier for users to consume.
Converting your security policy into a fun, internally facing video is one way to keep users engaged without realizing that they’re learning. It’s sort of like hiding spinach in a strawberry banana smoothie.
Encourage users to get involved in the production of the video. Feel free to make it amusing, while still conveying important concepts. Props like Guy Fawkes masks or ridiculous hacker costumes (think: ski mask ‘hacking’ with two keyboards) can make this TL;DR version of your security policy go a long way.
Training sessions can be a snooze for users. Spice them up by making them not only interactive, but actually interesting! How, you say?
Take your users on an interactive adventure. Why not let them try out password cracking tools like John the Ripper or Cain and Abel first hand? Or have them send each other fake Flash update requests with BeEF on Kali Linux.
This type of training can motivate users to want to protect themselves and the company and allows for them to get excited about security. It also helps them to understand the actual reason why they need to use strong passwords or exercise caution while browsing the internet.
Compliment and reward your users on good security practice. “Wow, that’s a long password! I’ll bet that blows our complexity requirements out of the water!” Kind words can go a long way.
Just be cool. Too much training can overwhelm users, even if it is fun. Constant workflow interruptions are inconsiderate and can result in your message falling on deaf ears. Mandatory trainings should occur no more than once or twice a year. Voluntary trainings can be hosted more frequently, however.
As a security professional, you have the power to decide if your users are your strongest or your weakest link. Make training fun and engaging and don’t let this security nightmare become your reality.