Security Awareness Training that Won’t Put Your Peeps Asleep
National Cybersecurity Awareness Month, which takes place every year in October, is a lot like spring cleaning. It’s when we buckle down and finally get to that pile of papers we’ve been staring at all year. It’s also when we learn to build new systems that prevent the pileup in the first place. Fall is when we turn on the throwback tunes, grab some reinforcement, and dance our way through important cyberthreat mitigation. As a cybersecurity keynote speaker, it is my responsibility to help you know where to start, what to do next, and how to prevent the mess that comes from not paying attention to security awareness training. It is the combination of deep work in October and preventative education throughout the year that make cybersecurity digestible, effective, and even a whole lotta fun. In the meantime, here are 5 Disastrous Pitfalls you can avoid during your organization’s Cybersecurity Awareness Month 2022:
1. Don’t Overstuff October with Awareness
Assuming that your employees are appropriately educated after just a month of data protection training is as ridiculous as saying “I washed my sheets once, so I’m set for the year!” First of all, no. Second of all, gross! To continue our cleaning metaphor, if you wouldn’t ask your most treasured house guests to sleep in a bed with sheets you washed last October, why would you entrust your company’s most sensitive data to a team that is dealing with year-old information??
It is all too easy for organizations to assume that their responsibilities are contained and fulfilled when they dedicate an entire month and a substantial budget to those responsibilities. Don’t get me wrong, I LOVE that we have a month dedicated to cybersecurity awareness. But many organizations concentrate all of their efforts into October while completely neglecting the other 11 months. Here’s the point: Information overload is not effective, for your people or your budget. Corporations that rely on October alone may forfeit some of their responsibility while exhausting their staff into a state of disengagement.
How do I know this? Every year, I am booked solid from September through November, right around–you guessed it–Cybersecurity Awareness Month. And I’m not complaining about the business! But I am concerned that we see a sudden yet fleeting burst of motivation by companies and yet a lack of accountability the rest of the year. More and more, in addition to a keynote event during their October campaign, smart organizations will supplement their education with monthly emails, phishing contests, brown bag lunch dates on personal security, funny social engineering videos and other relevant updates that keep their staff current on the latest cyber trends.
2. Don’t Hire Speakers Who Bore Them to Tears
Emotions matter. Your people matter. A relatable, captivating experience is critical to creating personal buy-in among your employees. And let’s face it, your people are only your weakest link if you let them be. When you bring in engaging, entertaining speakers who make the topic personally relevant to their lives (not just to your bottom line), they will naturally expand and apply that learning to your organization.
Take Facebook for example. They have successfully implemented “Hacktober” during National Cybersecurity Awareness Month, which provides workshops and gamified contests for workers to implement everything they learned throughout the year. And then in October, they reward their team with a highly entertaining speaker (shameless plug ;-) that benefits them personally and professionally.
When I live hack the iPhone of an audience member (using humor to socially engineer them) or run a game show about deep fake technology to educate them on trending threats, they leave not only with tools for protecting the company, but with personal buy-in about why data defense matters. But if it’s boring, it gets forgotten.
3. Don’t Force Feed Them 8 Straight Hours of cybersecurity awareness training
More is not always better. Faster is rarely better. Eight hours of pure content without a bathroom break is not better. And it’s probably illegal. Because we are productive beings focused on “more”, we sometimes confuse efficiency with effectiveness. In the case of security awareness training, eight hours of hearing about hackers, fraudsters and scams (oh my!) isn’t going to do much besides–at best–convincing your people to tune out and enter BORED, SLEEP and WASTE and in their latest Wordle puzzle.
Organizations that treat cybersecurity awareness month as a time to stuff all content into one long day and hope that everyone learns something (or at least stays awake) tend to be wasting their money. More education in less time is not the way to prevent cybercrime from landing you at the top of the news cycle. In fact, content stuffing will dull down the topic so much that your people will care less than when they walked in.
It’s like one of those weeks where you put off doing the laundry just long enough that your clothes barely fit in the washer. So you stuff it all in and not only don’t the clothes get clean, but the machine is toast before the spin cycle subsides. The lesson? Don’t leave your people half-washed by stuffing their brains so full that they can’t finish the cycle. The most savvy data protection education I see tees up the topic with a few new best practices–let’s say password or click hygiene–paired with real life stories of what happens when it all goes bad. Audiences love stories, so don’t drown them with statistics and a boring PowerPoint.
4. Don’t Make it Only About the Organization
Would you rather fold your own underwear or those of a random stranger? If you have any common sense (or knack for hygiene), you’d choose your own. Doing the laundry may not be the funnest part of your Sunday routine, but you know it is necessary because in the end, it directly impacts you. Forget to start the wash? You’re the one going commando. Dumped the basket of dress shirts on the floor and forgot about it? Monday is going to be stress with a side of wrinkles.
The point is, when something impacts us personally, we notice it quicker and invest in it more fully. Many keynote speakers on cyber threats ask you to fold someone else’s laundry–they only want you looking out for the good of the organization. They don’t give individual employees a “why” that impacts each of them personally.
In other words, Cybersecurity Awareness Month is not just about educating. It is about creating emotional buy-in. In order to be remotely effective, cyber education should come over the course of the entire year–not just one month dedicated to it. So why have a dedicated month at all? Because October serves as a national reminder about why this matters. It is the responsibility of your keynote speaker to 1) Get employees and executives passionate about protecting the data that drives your profits and 2) Illustrate how protection affects them personally first. If the individual doesn’t give half a load of laundry about defending their own private information, they sure as heck aren’t going to care about protecting the corporation’s information capital. By bridging the personal and the organizational, we can encourage personal buy-in that leaves the individual and the company better off for it.
So, if Pitfall #3 is an oversupply of content, then Pitfall #4 is having an inadequate reason to listen and take ownership in the first place.
5. Don’t Focus on Failure, Focus on the Future
When organizations and leaders only focus on what their people are doing wrong, those people are far less likely to embrace change. Employees want to feel like they are successfully contributing to the health and well-being of the company. So, if you approach cybersecurity education and awareness from a peripheral angle and point out what IS working and where you have thwarted attacks, individuals feel proud and therefore much more empowered to continue the momentum into the future. Cybercrime is already a negative topic, needlessly harping on past failures only depresses progress.
For example, in my cybersecurity keynote presentation, I make it a priority to point out how it is generally the human beings inside of any organization that catch fraud in process. Your people are your superheroes when it comes to data defense. You can have the greatest technological tools in the world, but if you don’t have a smart human wielding them, they are worth next to nothing. This approach is called Appreciative Inquiry, and it is an incredibly powerful tool in your arsenal of human cyber weapons. And it is generally missing from the average Cybersecurity Awareness Month playlist.
And with that in mind, here is the good news. YOU DON’T HAVE TO BE VICTIM TO THESE PITFALLS. I have witnessed hundreds of cybersecurity awareness month events in my two decades of keynoting events, and the leaders that understand and avoid these pitfalls don’t just create a better awareness event, they build a long-term cybersecurity culture. And that’s something that doesn’t come out in the wash.
John Sileo specializes in Cybersecurity Awareness Month 2022 keynote presentations that set your month, year and awareness program up for success. If you’d like to learn how John will customize his speech to your event, contact us directly on 303.777.322 or by filling out our friendly contact form.