Essential Tips for Cybersecurity Awareness Communications
In this article, we will cover some ground rules to keep in mind when establishing and relaying your cybersecurity awareness communications.
You’ve finalised your security awareness campaign planning with a solid lineup of educational trainings, creative activities, and guest speaker events. Unfortunately, all of this can fall flat if you don’t have clear communications in place.
If your planned messaging is insufficient, unclear, or unengaging, then regardless of how educational, entertaining, or interesting your trainings might be, few people will care enough (or know enough about what is happening!) to attend.
Read on to find out our top tips to ensure a successful awareness campaign through clear and engaging communications.
Ground rules
Identify your key messages (the “what”)
This is the reason why you are doing this communication. Have you based your training materials on e.g. the SANS top human risks? Or are they based on an identified need specific to your organization? Only once your trainings and awareness topics are decided can you focus on how you want to relay and promote them.
Accurately identify your audience (the “whom”)
Will the campaign be focused on a select group of individuals or will it be organisation-wide? Where does your audience get their information from? What is their preferred learning style? What is relevant to them concerning cybersecurity awareness, and what would they be interested in?
Consider whether the aim of this campaign is to reach a specific target segment or everyone in your company. This is relevant both for deciding on your messaging content and channels and for deciding on your planned activities and trainings. For example, a training on cybersecurity for children will likely be less popular amongst junior-level colleagues who do not yet have kids of their own.
When segmenting your audience, remember that the groups most interested in cybersecurity are likely those who already have a high baseline knowledge of key cybersecurity practices. The key is to identify those who you know need the additional messaging and develop events and trainings that would be interesting for these individuals. You can find some ideas here.
Consider which channels you want to use (the “where”)
The channels you have access to determine the type of communications you’ll be able to craft. Emails, internal newsletters, intranet pages, news announcements, chat channels, internal social media groups, or on-site notice boards are just some available options. Again, consider your target audience and where they could best be reached – there might be department-specific newsletters you could leverage, or specific chat channels.
Identify the frequency of communications (the “when”)
An important element to consider is how often to send out your messages. You want to ensure you aren’t creating communication fatigue by overloading your colleagues with messages, but you also need to make sure your point gets through. A good way of determining the right frequency is to first take note of what is the custom in your company. Secondly, observe your open and click-through rates to identify if the numbers are dropping off, which could indicate a communication overload. When in doubt, too much is better than too little. In general, the average business person sends and receives 121 emails a day. This means there is a high risk that your communication might not be noticed if you only send it once.
Establish your tone of voice (the “how”)
You should consider the culture of your organization and whether a formal or informal tone is best suited. Although memes and tongue-in-cheek humour can be an ideal way of capturing the attention of colleagues within your company, they might not be appropriate in all workplaces. Whether you are able to leverage humour or not, the aim is to strike a balance between capturing attention and showcasing approachability and competence.
You should also create an identifiable branding that you leverage consistently throughout your communications. This could be in the form of a specific colour scheme, font, email layout, or header graphic. By doing this, your audience is more easily able to recognise that the message is coming from you, and pay more attention to the key points you want to put across.
The logistics
Consider what resources you have available
Consider what training and awareness materials you already have that you can re-use. Utilizing existing resources may allow you to save time or increase your budget for other awareness campaigns.
Source help where needed
If you don’t have any relevant awareness materials or are lost on where to start with the communications, consider bringing in help via external vendors, consultancies or agencies to develop infographics, posters, or copywriting (Subtle plug – we would be glad to help you! You can also read more here about how to communicate a cybersecurity awareness campaign).
Things to keep in mind
Use simple and accessible language
Honeypot, Firewall, User, Device, On-Prem, Authentication – although these are words familiar to people working in infosec, they might be new, unclear, or mean something else to the general public. Often when working in a specific industry for a long time, we become desensitised to the terminology we use and forget that others may not be familiar with certain concepts. Make sure to avoid technical jargon in your communications. Use simple language that everyone in your organization can understand to ensure that focus can be placed entirely on the main points of the message.
Encourage open communication
Incorporate elements of engagement in your communications and make it clear that there are opportunities to reach out to you when needed. The aim is to create a culture where employees feel comfortable reporting suspicious activities or potential security threats.
Communicate regularly and keep the messaging relevant
Consistently remind employees about cybersecurity best practices through newsletters, internal communications, or posters in common areas. End-users often find it interesting when you highlight recent security incidents (either worldwide or relevant to your industry) or trends. These relatable examples are great to ensure people stay interested in the message and the importance of following information security best practices.
Focus on your key messages
Make sure that your messaging is clear, concise, and does not contain too many “side messages”. Remember the key points you want your audience to retain, and make sure your communications are designed with these at the forefront.
Measure the impact and feedback of your communication
In order to be able to measure the effectiveness of your communication, you need to gather data on its performance. This can potentially be done by observing participation rates of the advertised trainings and events, or through other metrics such as open and click-through rates. You can also collect feedback through various methods, such as surveys, polls, focus groups, or suggestion boxes.
Tweak where necessary
To continuously improve your communications, ensuring as many people as possible in your organization are interested and engaged in your messaging, make sure to tweak any follow-up communications based on how your first messages went.
Hopefully the above has given you an indicator of what to keep in mind when crafting your awareness communications. At Ozmeos, we can provide you with more in-depth details of each of the above points, or compile a full awareness campaign strategy and communication plan package. We have experience in developing full cybersecurity awareness campaigns, and understand exactly where each pain point might be.