Last month I blogged about consciously adopting a different style of awareness writing, with succinct tips-n-tricks supplementing, perhaps even replacing, conventional descriptive paragraphs.
At the risk of becoming recursive, one of the tips included in March's malware awareness module will be for NoticeBored customers to solicit tips from their colleagues who have suffered malware incidents recently.
The idea is for the security awareness people to:
- Find out what happened, to whom, when and how;
- Speak, discreetly, to the people involved or implicated in the incidents;
- Explore the consequences, both for the business and for them personally;
- Tease out the tips - lessons worth sharing with others;
- Share them.
Such an approach would work extremely well in some organizational cultures, but in others people can be reluctant to admit to and open up about their issues. Although it is feasible to draw out and express the key learning points anonymously, without identifying those directly involved, the process loses a lot of its awareness impact.
Think about it: if someone stands up before an audience, admits to failings that caused or failed to prevent a malware incident, and is clearly affected by the whole episode, isn't that a powerful, moving message in itself, regardless of the content?
So, taking my own medicine, the Hinson tip cut-to-the-chase version of this blog piece is:
"Find out about malware incidents from those involved, and share the lessons as part of your awareness program."While it's not the full story, that is hopefully just enough to catch your eye and stick in your memory.