
Putting the “Awareness” Back into Security Awareness

By Erik Ginorio / January 6, 2014

Security Awareness Blog

Security is always a top priority here at AppDirect. Not only do we meet rigorous standards for security, including PCI compliance, but we also focus heavily on building security awareness, both across our company and the industry as a whole. That’s why this time of year is particularly interesting for the InfoSec team; we use it as an opportunity to overhaul our security awareness program and put a fresh face on important information that the larger team needs to pay attention to year round. So as we begin 2014, it’s a great time to ask: What are the key factors a security awareness program should focus on?

Of course, it all depends on what your company does and how it does it. At AppDirect, we write software, so one of our main focal points is end users’ laptops. About half of the people at AppDirect work in an engineering function of some sort, which means about half the company has code on their laptops. On top of that, everyone working here has email on their systems, and while the sales, business development, and executive teams may not have code on their machines, they certainly have confidential documents that we also want to protect.

So the challenge is this: How do you craft a simple security message to end users that actually makes an impact, instead of just causing eyes to glaze over?

First, figure out what your priorities are; in our case, we focus on protecting our intellectual property that’s contained on our laptops. Second, find the key issues you can focus on. For laptops, it’s protecting the devices themselves and the data contained on them. From an end user point of view, this means finding a simple, easy-to-digest message that anyone—technical or otherwise—can quickly grasp. Think of it as an “elevator pitch” where you only have a few seconds to get your point across.

I can’t stress this enough: Don’t get too technical or complex in your messaging. Seriously, keep it as simple as you can—a single idea, fewer words, more graphics. Simple.

How many times have you seen some overly complex poster that tried to explain some simple concept, but it looked more like a novel printed on a poster? Don’t attempt to explain why you need to use desktop encryption; the point should be to simply use it.

At AppDirect, we distilled our security messaging down to a few simple actions that make an immediate difference: use strong passwords, use a screen lock/saver, and be aware of your surroundings. These concepts aren’t too technical and they are not difficult to grasp. Not to mention the fact that doing these few things could mean the difference between keeping a laptop safe or having it stolen and its data falling into the wrong hands.

Once you have your messages down, presentation comes next; basically, how do you convey your message? Well, if we take a cue from social media, infographics and memes have proven to be an effective way to communicate basic ideas. Using that format, we created some tongue-in-cheek, meme-like graphics. And they work. Everyone grasps the concepts, they are not overly complex, and they are something you can take in at a glance. Goal achieved!

After spending hours on Google looking for security awareness posters and images during this process, I have to say I was pretty disappointed. That’s why we had to make our own (below). But it raises a serious question: If we’re doing this to raise awareness, then why aren’t security professionals doing a better job of sharing effective graphics and messaging?

[Graphics: lock screen, passwords, security, NSA]

Well, to buck that trend, we’re sharing the Photoshop PSD files for our graphics. Feel free to download them (simply click the images above), tweak them, and use them to your heart’s content. All I ask is that if you have some good ideas, for either messaging or graphics, you share them with the community as well. After all, security is everyone’s responsibility.


Erik Ginorio is AppDirect’s Information Security Officer.