While IT teams play a key role in preventing unwanted access to internal data and systems, employees are ultimately the gateway to cyber security attacks in organizations. Hackers know this and take advantage of it via ingenious techniques such as phishing and ransomware. According to the Anti-Phishing Working Group, which tracks phishing globally, 2016 was a record-breaking year for phishing attacks with a 65% increase from 2015.
Building cyber security awareness and educating employees is, therefore, more important than ever. This article reviews Change Champions Consulting’s experience building a culture of cyber security awareness for one of our clients and how change management can help.
1. Treat your awareness initiative as a project
Isolated efforts to create awareness, such as releasing a single memo or a set of eLearning courses, are simply a waste of your organization’s dollars. Your goal should instead be to progressively change your company’s culture and introduce new habits into employees’ daily routines, both at work and at home. You will achieve this if you treat your awareness efforts as a project: select a sponsor, assign dedicated resources, create a roadmap, and choose the activities that will be most effective at each stage.
2. Find and educate security ambassadors
Engage key stakeholders from across the organization to promote your message and seek support from their teams. Sponsorship is a major asset in building buy-in and is highly critical when a cultural change is at stake. Teach your ambassadors cybersecurity best practices (e.g., internet usage habits, suspicious emails) and prepare them to answer questions.
3. Be creative
Don’t be afraid to think outside the box. Look for creative ways to reach out to your employees. Here are some ideas: develop an internal security site with tips and updates, create appealing visual aids, convey ideas using videos, craft talking points for managers, and hold contests. Convey the information with non-technical words and a light approach.
4. Leverage your organization’s existing knowledge
Find ways to “mine” the knowledge in your organization by encouraging employee participation. For instance, invite employees to share their own experiences and how they managed (or failed) to prevent a cyber security incident. Promote their contributions across the organization to create engagement and make the message flow from employees to employees.
5. Provide opportunities for practice
Complement your awareness efforts with opportunities to learn by doing. A great tactic for a cybersecurity awareness program is to launch an imitation phishing exercise. Conducted regularly, this exercise can tell you which areas of the organization need support or reinforcement. It also works as a valuable metric of your impact.
6. Partner with key teams in your organization to spread the word
Internal communication teams usually have a good grasp of the most effective vehicles to share your knowledge. In some industries, Health and Safety or Finance teams are well established and have the organizational influence you need to get your message across. Leverage these teams.
7. Adapt when necessary
If your program encompasses many countries, make sure that the content you are creating is equally relevant to all locations. Collaborate with representatives from each location to understand the local culture and their needs. Translate the message into the appropriate language, adapting the tone of the speech, as well as the images used, whenever necessary.
About the author: Agustin Del Vento
Agustin Del Vento is the founder and director of Change Champions Consulting, a change management consulting, training, and coaching firm based in Vancouver. As an ExperienceChange™ and Prosci® certified organizational change management professional, Agustin has more than ten years of experience in the field of change management.
Throughout his career, Agustin has delivered change programs and learning experiences for organizations in several countries including Canada, US, Germany, Singapore, Argentina, Chile, Venezuela, and Spain. Agustin’s clients include organizations in diverse sectors such as Finning, Western Forest Products, BHP Billiton, Fortis BC, Goldcorp, BC Hydro, Suncor, Teck Resources Limited, Yamana Gold, STEMCELL Technologies, and Vancity.
Prior to founding Change Champions Consulting, Agustin worked with two of the world’s top consulting firms (Accenture and Deloitte) and, as a coach certified by the International Coaching Federation, he surpassed 500 coaching hours supporting leaders’ growth. Agustin holds a Master of Science in Psychology from the University of Victoria, where he specialized in face-to-face communication.