As the CEO of Startup House, I've found that leading by example is a key strategy in fostering a culture of security awareness within our organization. By prioritizing cybersecurity in my own actions and decisions, I set a clear standard for the rest of the team to follow. Whether it's using strong passwords, implementing two-factor authentication, or staying vigilant against phishing attempts, showing that security is a top priority helps to instill a sense of responsibility and awareness in all employees. Remember, cybersecurity is everyone's job, not just the IT department's!
Something that's worked well for me is to incorporate micro-learnings on a weekly basis directly into the Outlook calendar. A 30-second tip that pops up on Monday morning is a better way, in my opinion, to keep cybersecurity top of mind than any number of mandatory half-hour-long training blocks.
Phishing simulations on a semi-regular basis are effective, in my experience. Nothing quite gets cybersecurity top of mind faster than failing a phishing simulation, and it makes for some great statistics to share during all-hands calls when people complain about having too many cybersecurity trainings or policies. In all seriousness, using these statistics and publishing real-world information about the attempts that the cybersecurity team deals with on a day-to-day basis during all-hands calls is a good wake-up call to the organization that there are actual threats, instead of it being something nebulous in the background.
Cybersecurity awareness is not the core of people's jobs, so parts of what you teach them will not be learned, and things they have learned will be forgotten over time. Cyber awareness culture is building that little voice in a person's head that says "hey, could this be a scam?", and that takes repetition. Give them engaging training for a baseline of knowledge, and follow it up with short and concise snippets of awareness information that relate to personal cyber safety (i.e. make it relatable).
Crime- & Intelligence Analyst ('Profiler') at Cybersecurity Speaker
Answered 2 years ago
My message to create awareness is clear: "Make Cybersecurity great again!" What do I mean by that? I attend many cybersecurity conferences and often see cybersecurity experts talking to cybersecurity experts about cybersecurity topics. That's great. But who clicks the links or opens the attachments in the end? Who is actually the main target group for awareness? People who are NOT interested in cybersecurity. THAT is the target group. How do you reach people who are not interested in cybersecurity? 1. It has to be entertaining and exciting. That's the only way to reach people and influence their behavior. 2. Make it about people and not just about business! I recommend incorporating the following into every awareness training session: how we can protect our company from ransomware, and 3 ways pedophiles can contact your children in World of Warcraft. Guess what: suddenly moms and dads are interested in awareness training. Make it about people! Mark T. Hofmann, Crime- & Intelligence Analyst & Cybersecurity Keynote Speaker https://www.mark-thorben-hofmann.de/en/cybercrime/
We adopted a multi-layered approach to creating a culture of security awareness within our organisation. To begin with, we employed gamification techniques with a regular phishing simulation program. These simulated exercises emulate phishing attempts, teaching employees to identify and report suspicious emails. This tests their ability to recognise threats and provides valuable data on susceptibility rates within different departments. Following each simulation, we carry out extensive training exercises. We analyse the results to find the most common areas of vulnerability and tailor our training based on those results. This data-driven approach ensures training addresses security concerns and reinforces employee best practices. Combining these simulated attacks and targeted training has enhanced our cyber resiliency.
To establish a culture of security awareness in our company, I carried out continuous and interactive education programs. We hold workshops and simulations that are interesting regularly instead of doing single seminars that imitate real cyber-attacks to truly understand the employees. With this method, staff can not only be familiar with what cybersecurity is about but also identify any possible risks and how they should act. To make the training more fun and ensure maximum comprehension levels are achieved, we introduce quizzes and rewards, hence gamifying the whole thing. All workers must, therefore, undergo this kind of training often so that being conscious of security becomes part of their lives, thereby building proactive defense systems against cybercrimes.
I worked at Amazon for four years as a software engineer on the Amazon Fulfillment Technology team. One effective strategy I used to foster a culture of security awareness was to integrate regular, engaging security training sessions into team meetings. These sessions included real-world scenarios and interactive elements, making the importance of cybersecurity tangible and relevant to daily tasks. This approach not only educated but also empowered team members to prioritize security in their workflows.