Use the News
Today we’ll pull from our archives to revisit how using news stories can help drive home security awareness points. Communicating workplace policies and procedures on information handling and current threats and scams can be a less-than-exciting topic for some. But when we examine the policies alongside the real-world consequences of poor security behavior, people pay attention.
Framing Security Awareness
In “You’re Not Teaching IT Security” from May 3, 2016, we discussed how end-users, namely employees, often think that security is the responsibility of the IT department—not theirs. In order for them to take ownership, security awareness must be framed as everyone’s responsibility. Everyone must do their part. Then, we have to define their part.
In truth, securing systems and access to those systems is IT’s job (or the infosec department if you’re lucky enough to have one separate from technology). But employees have to understand their role in using systems responsibly and how to handle (confidential) information within the workplace. This means letting people know which threats are out there, how they may be socially engineered, and how certain missteps could lead to a data breach.
So how do we get our users to understand the importance of using systems and handling information responsibly? As we discussed in “Use Stories to Introduce Awareness Programs” from May 17, 2016, security awareness programs can seem cut and dried. Turning to real-world news events can make people feel like they have a stake, and in fact, a role in securing the workplace’s information and resources. Make the consequences of poor security clear and close to home. Take the workplace gift card scam, for example. Even though the average loss per consumer is less than $900, according to the FBI’s Internet Crime Complaint Center 2019 Report, if it’s your $900, you’re going to care! If you need some stories, check out our Cyber Roundups. The more closely the story relates to your industry, the better. People may dismiss stories that feature companies that are much smaller or larger in size, in a completely different industry, or based in another country.
When I read news articles about data breaches and disruptions, I’m often left wondering what people on the ground experienced as it was happening. That’s why I really enjoyed the ransomware story we shared in our post “A Particularly Good Tale of Ransomware” on July 19, 2016. This story told the perspectives of the technology coordinator, superintendent, and one school principal in the Cloquet, MN school district in the midst of a ransomware attack. Most people know the definition of ransomware. It’s malware that locks up files with promises to unlock them if you pay up. But they have less exposure to the full picture: how ransomware spreads, all the systems that are affected, and what it takes to recover. This story helps bring all the details into focus.
When you need to roll out, reintroduce, or kick off a security awareness program for the year, use the news to help you drive the point home. Your users will have the opportunity to learn from others’ mistakes, and you get buy-in for the importance of a security awareness program.