As an increasing number of healthcare organizations work toward establishing and maturing cybersecurity and risk management practices to help insulate themselves against increasing risks from ransomware, phishing attacks, and other cyber incidents, October’s Cybersecurity Awareness Month is a great time to promote cyber hygiene best practices throughout your organization.
But, considering some 85% of all breaches involve some human element, would we be better served by extending this focus not just during one month of the year, but year-round? With a subject of this magnitude and importance, why not make every month a cybersecurity awareness month?
First, what is Cybersecurity Awareness Month?
Cybersecurity Awareness Month is an annual U.S.-based event that takes place each October. It’s sponsored by the Cybersecurity & Infrastructure Security Agency (CISA) and the National Cyber Security Alliance (NCSA).
Cybersecurity Awareness Month first appeared in 2004, created by NCSA and the Department of Homeland Security (DHS), and was initially referred to as National Cybersecurity Awareness Month.
Cybersecurity Awareness Month is designed to increase awareness about steps individuals and organizations can take to establish and mature cyber protections. This can include a range of actions such as implementing proactive steps that mature cybersecurity practices.
For almost a decade, the month’s theme was “Our Shared Responsibility,” but this year’s event theme is “Do Your Part. #BeCyberSmart.”
Both CISA and NCSA have provided a lot of helpful resources to help organizations draw attention to this important subject while offering guidance on how to implement practices that increase awareness and improve cybersecurity posture.
One Month, One Focus
Unfortunately, many well-intentioned organizations struggle to establish and sustain momentum for cyber hygiene through events such as Cybersecurity Awareness Month. They often have difficulty building employee engagement, and with a checkbox approach to events and activities, few successfully weave training and educational learning opportunities into their operational culture. It’s one month. One focus. One-and-done. And then forgotten until the next annual event or required training.
Where do they fall short? Some common pitfalls include:
- Static training is provided via videos or in-class sessions that lecture, but don’t engage.
- Many are limited in scope by click-through PowerPoint presentations.
- Few solicit and use employee feedback or focus on employee participation.
- Sometimes, the session is a one-and-done that tries to wrap up everything cyber-related in one session, causing confusion, lack of focus, and too much content to digest.
Even worse, many training and education programs regurgitate the same information, in the same format, year after year, leading employees to just go through the motions to complete a requirement without actually engaging with or retaining the information shared with them.
Some other setbacks happen when these programs:
- Fail to align training and education directly with employee roles and responsibilities. It doesn’t feel “real” or connect them to the day-to-day.
- Make sessions long, drawn out, and too technical because cybersecurity is so vast. Without understanding how it applies directly to the work they do, some employees see training more as a punishment or mandate than as an opportunity to learn and improve.
- Focus sessions entirely on compliance. Employees then miss additional opportunities to connect and engage, creating a culture where the focus is solely on what’s best for the organization, and not on individuals or their contributions to operational resilience as a whole.
Building a Culture of Cybersecurity Awareness and Action
So, if any of these challenges sound familiar to you, what can you do to break the monotony, increase employee engagement, and freshen up your cybersecurity awareness training? How do you create a culture where your employees understand how what they do contributes to cyber resilience and business continuity, and an environment where they understand and value the roles they play in ensuring your organization (and, as a result, they themselves) are successful and protected today and in the evolving future?
Here are five ideas to help you increase engagement and make every month a cybersecurity awareness month for your organization:
1. Make It Fun and Interactive
Can you remember every word to your favorite song from your childhood but struggle with retaining something you just studied or practiced? Ever wonder why? While repetition may be key, so is the fact that you liked what you were learning and had fun doing so.
Take a similar approach to your cybersecurity awareness strategies. Gamify and socialize what you want your employees to learn and maintain. Consider creating a fun learning environment where you add game-playing components to your education processes such as competitions with other employees, point scoring and acquisition, and rules requirements and expectations.
Make your activities interactive and realistic. Consider games that include role-playing and other true-to-task activities that help employees put what they learn into action and get rewarded for doing so effectively. Find ways to reward the winners that fit with your employee culture such as some time off, financial incentives, or other recognition.
2. Make It Personal
Earlier, I mentioned some pitfalls that arise when employees feel disconnected from training or don’t understand how it applies to what they do day to day. To overcome this roadblock, make your cybersecurity awareness training personal.
Develop personalized content based on employees’ individual roles and responsibilities, but also their awareness needs and individualized risk profiles. This training should be meaningful and demonstrate the impact it has not just on the employee’s work environment, but extend it into how it could affect your team members on a personal level.
3. Expand Your Scope
Another common challenge is that cybersecurity awareness programs often reuse existing training materials. For many, that focus is on phishing simulation because phishing is a common way organizations fall prey to cyber events. While you shouldn’t eliminate that focus, consider expanding the scope of your awareness training to include other ways your employees could intentionally or inadvertently contribute to or cause a security event.
For example, do your team members carry laptops, tablets, smartphones, or other portable devices that contain personal health information (PHI) or personally identifiable information (PII)? What would happen if an employee lost one of those devices? That impact might be worse for your organization than a phishing event. So, it’s important to educate your team members about the myriad ways they might encounter an attacker wishing to infiltrate your organization and steal, destroy, manipulate, or encrypt your sensitive data and systems.
4. Consider Micro-Learning Opportunities
In addition to relevant, engaging training, consider leveraging learning and behavioral theory techniques such as micro-learning.
Micro-learning activities have one thing in common: they’re brief! Instead of locking your team down in hours-long learning sessions, develop a range of micro-learning activities that build awareness and encourage employees to use and maintain what they’re learning.
For example, develop small learning units or short-term learning activities. Deliver these activities in short bursts with limited content and allow your team members to study the material at their convenience. You could send ongoing, informative text messages or short emails, or display images such as posters or social media graphics that reinforce messages and education.
Short videos are also effective, as are concise audio recordings, tests and quizzes, and games such as quick on-screen challenges. Don’t forget about recommendation No. 1: Make it fun and interactive!
5. Build Engagement Through Other Events
To help make every month a cybersecurity awareness month, you could also tie in cybersecurity training and education to other events throughout the year. Here are a few opportunities where you can make the learning connections for your team:
- January 28: Data Privacy Day
- March 31: World Backup Day
- May 7: World Password Day
- October: Cybersecurity Awareness Month
- October 29: National Internet Day
- November 14-20: International Fraud Awareness Week
- November 30: International Computer Security Day
In addition to tying your education to these events throughout the year, you could also choose to create a specific topic related to cybersecurity awareness for each month. Here are a few to consider:
- Internet of things (IoT) and Industrial Internet of Things (IIoT)
- Cloud security
- Cybersecurity skills
- Cyber exercise
- Mobile and bring your own devices (BYOD)
- Safe user authentication
- Password hygiene and best practices
- Trends and issues
Need help building employee and executive engagement into your cybersecurity and risk management programs? Check out “5 Keys to Building a Cyber Risk-Aware Culture,” by Clearwater’s Founder and Executive Chairman Bob Chaput, which offers tips on how your healthcare organization can increase focus throughout your organization on being more cyber-risk aware. Have other questions or need additional support? Contact a Clearwater advisor today.