Having a strong user education program is an important, and often overlooked, aspect of cybersecurity.
With a little creativity and help from other stakeholders across your Institution, you can create an effective cybersecurity education program with a limited budget and staff. That’s the approach we took at Stevenson University, a private higher education institution in Maryland.
Getting Started. An easy way to start is to find existing resources, campaigns, and events that you can leverage, starting with National Cyber Security Awareness Month (NCSAM). NCSAM was established in 2004 and runs annually every October. The NCSAM website has lots of great resources, including posters, logos, videos and more: https://staysafeonline.org/ncsam/.
Another great resource is EDUCAUSE. They have a set of resources focused on cybersecurity awareness programs: https://www.educause.edu/focus-areas-and-initiatives/policy-and-security/cybersecurity-program/awareness-campaigns. EDUCAUSE also offers a strong user community and professional development programming that will expand your ability to share and collaborate with other Institutions, gather best practices, and communicate with your peers.
Lessons learned for those interested in starting or improving their cybersecurity education program:
- Keep the message simple and focused. Pick one or two behaviors or actions you want to see more of throughout your user community. At Stevenson, we focused on phishing, especially on mobile devices. We knew many of our users consumed their email via a mobile device and wanted to emphasize two key behaviors or actions for them to adopt: (1) Suspect it? (2) Send it!
We shared best practices and other tips for how to examine suspicious emails on a phone, and created a new “phish bowl” email address for users to forward those suspicious messages to, providing the action-oriented “next step” for what to do once a message is identified as phishing.
- Find partners. There are some obvious choices, such as your Institution’s marketing team or cybersecurity faculty members. At Stevenson, our marketing team was eager to help by providing us with a catchy slogan (Don’t Take the Bait) and some great complementary graphics.
However, there are other potential groups or approaches that can be quite effective. One is identifying and working with those groups that already have established events: flu shot clinics (health/wellness), athletic events (athletics or student activities), campus programming (many groups), etc.
Human Resources is another great potential partner. This group often provides ongoing professional development seminars that align well with cybersecurity education programming. Additionally, many other stakeholders welcomed us to their various staff meetings, office retreats, etc. More often than not, our users welcomed the opportunity for us to come to them with related content! We also created “pop-up” engagement tables outside heavily populated areas of campus with information, free resources, and takeaways.
Finally, don’t overlook students. Stevenson’s film students created a fun and informational promotional video in support of our education program, and our student government association invited us to speak with its leadership.
Using the very same user populations at which your program messaging is targeted, whether as surrogates, as partners, or both, will strengthen your effectiveness and your ability to reach across your Institution.
- Add some fun. Take the time and effort to brainstorm ways to add fun to your education program. Gamification often works well. Come up with an easy quiz with some funny answers and add some nice prizes. Social media is another great way to add fun and increase your communication.
At Stevenson, we chose to give out Swedish Fish candy as a fun way to introduce our campaign. Our tag line was “Don’t Take the Bait, but take a Swedish Fish.” We placed the treats, branded tech gear stickers, and other takeaway items at our help desk offices, at resource tables in common areas across the Institution, and at campus meetings and presentations.
- Keep it going. A final tip is to keep it going after your education program officially ends. If you’ve taken a thoughtful approach, then you likely learned a lot about how best to communicate with your audience over the course of your efforts and are primed to build on it throughout a year. Think about what worked and what didn’t, and then apply that in other ways that will empower and educate your user population on a continual basis.
User education is a cornerstone of any cybersecurity program, and ensuring that those efforts strike a balance between being engaging, creative, informative, and timely will position you to be successful and strategic in accomplishing your biggest information security priorities at your Institution.
Brian currently serves as the Chief Information Officer at Stevenson University. Previously, he was the Chief Information Officer and Assistant Dean for Facilities and Information Technology with the School of Government and the Assistant Dean for Information Technology with the School of Law at the University of North Carolina at Chapel Hill.
Jim Bole has spent more than 15 years in a wide variety of cybersecurity activities: incident response, governance and compliance, risk management, security operations, education and awareness, and more.
Jim currently serves as the Director of Information Security at Stevenson University. Before cybersecurity, Jim had roles as a journalist, information technology infrastructure manager and Army Reservist.