In our previous posts we discussed how communication is key to a successful awareness program. We also discussed that for effective communication you must first determine WHO your target is. Once you determine WHO you are targeting in your awareness program, you can then determine WHAT you want to communicate and finally HOW. In this blog post we are going to focus on the WHAT. To be honest, in general this is where I see organizations do best. As security geeks we are pretty good at figuring out what it is we want people to learn. However, just to be sure you don't miss anything, listed below are what I find to be the three best sources for your awareness content.
- Policies: Obviously your policies are the first place to start, specifically the key policies you want to ensure your audience is aware of. What good is having a policy if no one knows about it? (Don't laugh, I'm sure we have all seen this happen before.) When using your policies as your source of content, be sure you do not directly quote text from the policies. Lots of technical or legal speak is the fastest way to put your audience to sleep. Instead, paraphrase key policies, or convert the legal or technical security speak into whatever language and format is most common in your organization. Also, you have to be very careful here. It's very easy to start cramming all of your policies into your program, all 348 pages of them. Do not attempt to teach everything at once; there is simply far too much content. You have to prioritize and spend the most time on the most important policies. This not only allows you to produce better content, but also lets you reinforce these key policies throughout the rest of the year.
- Background and Best Practices: Often there are things not in your policies that you need to explain in your awareness program. For example, I always like to start every awareness program by explaining to people that they are the target. Many of your employees feel that only corporate servers get attacked, when in reality it is often the individual that is the primary target. I also like to explain the concept of social engineering and how it works. So many of today's attacks are based on this concept (rogue anti-virus, spear phishing, malicious attachments, scams, etc.) that it's very helpful to lay a foundation in key concepts. Finally, I often like to demonstrate how some of the most common attacks work. People are smart. Explain the how and why of many of today's threats, combined with the fact that they are the target, and all of a sudden you have everyone's attention.
- Compliance: Often compliance, laws, regulations or standards are drivers for your awareness program, and you are required to cover certain topics or information (such as HIPAA or PCI-DSS). It's usually best to talk to your legal team and/or HR team to see if anything is required, or, even better, your own compliance department if you have one.
Now that you have your sources of content, you can start selecting and prioritizing it. The key is to use only the content that applies to your target. Remember the five categories we defined for WHO? The first two were employees and contractors. Often these categories are taught the same content (just sometimes using different methods). However, for the other categories you need to customize. For IT staff you will have more specific content, such as how to manage administrative accounts or logging requirements. For management you will not have time to teach them everything, so you often have to strip the content down to the bare minimum to reach them in their small time windows. Finally there are customers. If you want to reach them, I've found that you only need to teach your "Background and Best Practices" content; your policies or compliance issues most likely do not apply to them.