This is not another blog telling you to have ‘cyber aware’ employees. I think that point is pretty apparent to anyone reading this blog, and if you don’t yet have a user awareness strategy, it’s fair to say you’re now behind the curve. This month, Cyber Security Awareness Month, I wanted to talk about the bit after you’ve purchased the ‘solution’ positioned to you by a reseller. Purchase orders have been raised, EULAs signed, and installations completed, and you, the security team, are faced with the following question: “Now what?”
Whilst it may be counterproductive for a technology reseller to say this, the adoption of the tool is more important than the tool itself. All too often when assessing customers and discussing user awareness, I’ll get the following response:
“We’ve purchased tool XYZ, and the reporting etc. etc. is great, but we’re really struggling with adoption”
It’s a really important point, and whilst it can be disheartening to look at “18% completion” stats on a tool, it’s important not to lose hope just yet. I wanted to share two approaches with you that I’ve seen truly work in this space in the wild and that suit two very different organisational cultures. We’ll call them the ‘carrot’ approach and the ‘stick’ approach.
The ‘Carrot’ Approach
This one suits organisations where employee satisfaction is paramount, and reward, competition and gratification are the motivators of choice. Providing incentives and competitions to those who complete user awareness training, or those who consistently report phishing emails correctly can really help here.
This also has the added benefit of IT security being seen internally as a positive team, so the old logic of ‘I don’t want to report this in case it’s not dodgy and I’ve wasted their time’ isn’t a thing. It helps reinforce that IT security teams are approachable, and that the age-old stereotype of the grumpy techie no longer applies.
This is something we’ve adopted in Softcat, and our information security team run a regular ‘Phish of the Month’ competition where those who successfully report their simulated phishing email are entered into a prize draw for a voucher. The same communication also shares a real attempt we’ve seen, which helps highlight the things to look for.
The ‘Stick’ Approach
There may be some reading this and thinking the above approach isn’t for them: it’s too positive for their culture, or it still runs the risk of training not being completed because it isn’t explicitly mandated. This is where the ‘stick’ approach may be more valuable. It suits highly regulated, high-risk cultures such as those in the finance and investment world, or those involved in critical national infrastructure.
This is done by linking an employee’s compliance with the security awareness programme directly to the payment of their bonus. Essentially, a compliance score is derived, typically red, amber or green, that represents the portion of their available bonus that will actually be paid (red 0%, amber 50%, green 100%). This approach has the obvious benefit of pretty rapid adoption and a pretty high success rate. You’ll also find your users keep a close eye on their compliance status, so as new training is released you should see it consumed relatively quickly.
This has the added benefit that the compliance status of your employees doesn’t have to be information-security specific. Wrapping other expected behaviours into this score can have added benefits, ensuring regular compliance training is also completed.
A word of warning, though: if every little bit of training is put behind this compliance status, it can have a negative effect on employee experience, or you may see a dip in overall productivity as employees become more concerned about keeping their compliance up to date than with driving the business forward. Ensuring a balanced approach is paramount.
The Hybrid Approach
Ok, ok, so I said two, and here’s a third. My bad. This really is for the organisations where neither approach on its own feels right. There is a world where you have a bit of carrot and a bit of stick, so those who are motivated to complete the training for the positive reasons do so, and the stick becomes the solution for the die-hard anarchists who refuse to get with the system. Whilst this approach definitely has the most management overhead, it also gets the best of both worlds, providing high compliance whilst giving a positive view of IT security.
So whilst it may be counterintuitive for a technology reseller to say this, I’ll say it anyway. Buying the tool is only half the battle; what you’re going to do with it is the important bit. A reasonable user awareness platform that is adopted and managed well is better than the best solution on the market with no one using it.
So if you’ve found yourself in a position where you’re facing challenges around adoption, and don’t want a reseller who promises that moving from vendor A to vendor B will fix that problem, you’ve come to the right place. If you’d like a deeper discussion about how to develop a user awareness strategy that encompasses both technology and adoption, then reach out to us today. If you’re already a Softcat customer, simply reach out to your account manager; if you’re not yet, use the button below.