Security Inductions: how much knowledge is the right amount?

Jemma Davis
3 min read, Sep 30, 2019

Every business, regardless of size, should start each new joiner with a security induction. It’s as vital as knowing where the fire exits are and all the rest of the essential knowledge we instil in our shiny new faces.

How do you pitch it without overloading your newbie with so much information that they forget their name?

The average employee

Think about who the average employee is: what their educational level and salary band are. The UK average salary is £35,058 in 2019, so when you think about your average employee, it’s not the C-suite! It’s your people on the ground: your marketing execs, facilities team, receptionists, customer service reps, or production workers.

The average employee probably doesn’t realise the severity of leaving their unlocked laptop on a bus, making a comment to the press about trade secrets they overheard in the kitchen, or leaking the office gossip on social media. It just isn’t on their radar. It’s as frowned upon as taking two notepads, one for work and one for home. It’s a minor incident in their world. Your insider threat is sitting in the dining room overhearing everything and finding the printing you’ve left behind, and they probably don’t even know they are a threat (or intend to be one).

Understanding the average employee should help you to understand their motivators and the angle needed to influence them.

How much security knowledge is enough?

A security induction is an introduction, and an introduction is all that is needed. Don’t go too heavy-handed or too detailed; you’ll turn the average employee off, bore them to tears or disengage them from security themes altogether. In my opinion, this is as dangerous as not inducting them into security at all.

A quick Google should highlight the regulatory requirements (depending on your business) for training your staff. GDPR requirements will be bursting out of the search engine results; don’t forget about PCI-DSS and the rest.

From my marketing career, I understand the psychology around engagement, so let me share this with you. You have 3 seconds to grab someone’s attention, max! Once engaged, you must keep their attention; after 20 seconds, you have started to lose them. There is no hard and fast rule on how long your induction should be, but you cannot fit all the necessary requirements into 20 seconds! It’s all in the engagement, tone and appropriateness of the content.

Repeatable security induction in under 10 minutes

A few months back, I set out to induct new starters in less than 10 minutes, using a repeatable and engaging piece of content, and to cover the entire infosec policy. With some creativity and willpower, I managed to deliver an induction programme in 7 minutes, and I wasn’t even in the room! But did anyone pay attention? The feedback was that the content was informative, clear and pitched at the right level.

And here it is… (an anonymised version with a lovely computerised voice)

https://www.youtube.com/watch?v=Vr_hy_5qh5g&feature=youtu.be

Covering passwords, phishing, data protection, social media, and eight other topics in just 7 minutes!

I hope you’ll agree that this starts your newbie off with the basics and sets the tone: here is how to reach the security team, and security will work with you. There is no stick, just the right amount of information, pitched at the right level and delivered efficiently.

Ok, so what next?

You’ve started the two-way dialogue (of sorts) with every new face in the business. Don’t forget about the staff who’ve been around for a while. You can guarantee they have picked up some bad habits.

Setting the expectation that the security team has something valuable to say and is a part of the business, like everyone else, lays an excellent foundation of communication and awareness. Keep it going; keep engaging with the company daily, weekly, monthly. And most definitely not just when you want something from them!

Cyber Security Awareness Month

October is National Cyber Security Awareness Month. Do something cool and innovative, not the usual phishing simulations. Teach your staff to pick locks, or some basic capture the flag exercises. Get your security team away from the safety of their screens and get them showing your business how cool and scary security can be.

Homework

Check out Verizon’s 2019 Data Breach Investigations Report for some interesting stats on motivators and causes. It’ll definitely help you identify the areas you should focus on with your security awareness programme!

Originally published at https://www.linkedin.com.

Jemma Davis

Infosec professional, specialising in security awareness and comms and proud security unicorn #infosecjem