Who can believe that October and Cybersecurity Awareness Month is just over a month away? It’s likely that you and your team have been planning content and programming for your organization. If you haven’t, it’s no problem, there’s still plenty of time. As you look to finalize that programming, we’re writing this to provide a few ideas to add more fun to the month. Not all of these will be right for your organization, but we hope that this post might provide some inspiration.
Five Ideas for Cybersecurity Awareness Month
Tell Stories instead of Presentations
We’ve all sat through lecture-based webinars at work. Depending on the topic and the speaker, these can be dry. The point is for one person to speak to a large audience, which is not naturally engaging or relevant to any individual. By shifting the presentation mode from lecture to storytelling, it helps the viewer contextualize the purpose. We know there are some funny and interesting cybersecurity stories out there!
Pro tip: pick a funny storyteller!
Skits are Even Better
While stories bring security experiences to life, they also put the viewer in the past. Often stories are told in a way that makes the outcome or decision somewhat obvious. Sometimes it's better to play things out in real-time in front of the audience. Skits do a great job of putting the audience in the shoes of the decision-maker.
Pro tip: make it funny, but also make it relevant to your company. Also, get skit participants from different teams to collaborate on the content.
Games as Training
Now it’s time to get the audience off their feet and into action. Cybersecurity has done a great job of normalizing gamification.
When it comes to gamification in security, Capture the Flags, or CTFs, are the best way to put your people in the mind of a hacker. In terms of behavior change, there’s nothing that compares to participating in hands-on, real-world activities with your team. Outside of the hands-on component, the other great thing about CTFs is that they work for all skill levels. At MetaCTF, we have run CTFs for corporate groups ranging from accountants to experienced security engineers. Everyone can find a place in CTFs and it’s a fun and low-risk way to learn security skills and techniques.
Other games that work for Cybersecurity Awareness Month include cyber “Escape Rooms”, including this one by Living Security. These Escape Rooms can be great for non-technical employees but can be too elementary for experienced security professionals.
Pro tip: hire a company to run your CTF or Escape the Room, but make sure to assign someone in a “Project Manager” to lead it internally.
Resist the temptation to host company-wide webinars. Attendance will be poor and attention will dwindle. Take the opportunity to engage your employees with small-group activities.
Just as important as the activity is how you decide to create groups for the activity. Human nature makes us more comfortable with members of our own team, but your employees spend all day with their team members. Take this opportunity to mix it up. Cybersecurity is ultimately about human behavior and Cybersecurity Awareness Month is an excellent opportunity to get your employees out of their comfort zone and working cross-functionally.
Pro tip: Human Resources is constantly searching for ways to improve employee engagement, satisfaction, and retention. Get HR to help select groups for Cybersecurity Awareness Month activities and sell it as a way to better engage employees and introduce them to new people at your organization.
Incentivize with Unconventional Prizes
Incentivizing participation in cybersecurity programming has long been a challenge for CISOs no matter the company size or industry. If your organization doesn’t have a strong security culture, you might struggle to get your employees attention, even for Cybersecurity Awareness Month. But an effective way to incentivize participation is by picking good prizes. Most companies just hand out generic company swag or Amazon gift cards. Those are nice, but the point of Cybersecurity Awareness Month programming is to go above and beyond. Prizes for participation should follow that theme. Here’s a few ideas that could help drive higher participation:
If you’re looking for an easy option, a free lunch is a great incentive. If lunch is not something your company typically offers, have Chipotle cater your programming sessions. If you have a distributed workforce, offer a DoorDash gift card so remote employees can order in. Food is an amazing (and easy) motivator during the work day.
Offer to donate money to the charity of the winner’s choice. This will create positive buzz around the company - it always feels good to do some good! Everybody wins.
Audience Specific Prizes
The best way to stand out is to customize based on the prize recipient. For engineering teams, offer trips to conferences or access to security / training tools. Salespeople might prefer a golf outing or a happy hour. Your team knows your people the best - make it personal and people will be more excited to participate.
If your company can get it approved, it’s always fun to offer unique perks specific to your company like additional PTO days or Half Day Fridays. Some additional ideas include free HSA dollars, access to company seats for sporting events, or free parking passes (for those who still go into an office).
So there you have it. There’s five ways to make Cybersecurity Awareness Month more enjoyable for your organization.
Now that you’ve got a plan to make it more fun, here’s some overarching advice for how to make your programming this October a success.
Bring in the executives
Whether you like it or not, people follow their leaders. If individuals in your organization feel that the executive team is not on board with Cybersecurity Awareness Month content, they won’t be either. Get executives to buy in early and encourage management to express the importance of security awareness.
Make it relevant to your company’s systems and practices
Before presenting any content or activity, ask yourself “how is this relevant to our company?” If the answer is, “it’s not” then you should rework it. Human nature leads us to be interested in topics that are relevant and dismiss those that are not, especially in a work setting. Make it easy for your organization by making your Cybersecurity Awareness Month programming obviously relevant to your employees.
Don’t disrupt the day job (too much)
Sessions that take up too much time from working hours are not appreciated. Try to schedule no more than one session per day. The ideal cadence would be two or three sessions per week so that individuals have at least two full days of uninterrupted work per week. This will keep interest high without bugging anyone.
October is meant to be a fun month that’s fully dedicated to security practices. This should be treated as a foundation for the rest of the year. Remember, cybersecurity is not a single month activity - October is a time to generate interest, excitement, and awareness for the other eleven months. The best way to achieve your security goals as an organization is to start by knocking Cybersecurity Awareness Month out of the park.
Good luck and let us know if MetaCTF can help build that security foundation at your organization! Check out our Companies page for more information: https://metactf.com/companies