How to foster a safety culture

Consider combining traditional training media, such as computer-based learning modules and videos, with other techniques, such as short newsletters, posters, and interactive training sessions that include role-play exercises and group discussions. This combination is more likely to deliver the message and reinforce it throughout the agency.

Gamification techniques such as quizzes, brain teasers, and interactive scenarios can be helpful, as can incentives such as prizes or recognition for completing training. However, the most effective way to get people to pay attention is with real world examples, especially those within the agency itself.

An executive falling victim to a phishing attack can seem horrifying when it happens. However, telling that story afterward (with the executive’s agreement, and using the executive’s name to drive the example home) has a dramatic impact, and a dramatic story is what people remember long after the training module is forgotten.

Engaging executive team members in information security education is not done to embarrass them, but to emphasize that security breaches can occur at any level. Leading by example, even a bad example, makes it clear to staff that cybersecurity is everyone’s business.

Incorporating a variety of methods and techniques makes information security training more interesting and engaging for employees. By doing so, agency IT and information security teams can increase staff engagement and improve the effectiveness of their training programs, while making everyone more aware of and alert to cybersecurity issues and possible attacks.


Agencies should conduct preparation exercises

Preventing information security breaches is obviously the number one goal, but having a culture of security also means being prepared when a real problem occurs. IT and information security teams will be the first to respond in such a case. However, involving staff in regular exercises will help keep everyone’s focus on information security. Reporting suspicious activity is in everyone’s job description, so it’s important to test these reporting channels regularly.

One common method is to perform a covert phishing exercise. Running a phishing simulation, in which agency staff receive fake phishing messages, offers three benefits:

  1. Seeing phishing messages appear in your email will help staff members to recognize these types of scams. It’s one thing to be told to “watch out” and quite another to find a phishing message in your inbox.
  2. A phishing exercise tests the agency’s alert systems. Did staff bring these messages to IT’s attention? How long did it take between the phishing attempt and the response from the security operations center or network management team?
  3. The exercise will identify which employees need additional training or help in identifying phishing messages.
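The second and third benefits above are only useful if the exercise is actually measured. The script below is an added example (not part of the original article) showing how a security team could score a simulation from a simple event log: who was sent the lure, who clicked, who reported it, how long the first report took to reach the SOC, and who should get follow-up training. The event lines and user names are constructed sample data, and the 15-minute reporting threshold is an assumed target, not a standard.

```python
from datetime import datetime
from statistics import median

# Constructed sample log from a hypothetical phishing simulation (not real data).
# Format per line: ISO-8601 timestamp, user, event in {sent, clicked, reported}.
SAMPLE_EVENTS = """\
2024-03-04T09:00:00 alice sent
2024-03-04T09:00:00 bob sent
2024-03-04T09:00:00 carol sent
2024-03-04T09:00:00 dave sent
2024-03-04T09:00:00 erin sent
2024-03-04T09:03:10 alice reported
2024-03-04T09:07:45 bob clicked
2024-03-04T09:12:00 bob reported
2024-03-04T09:20:30 carol clicked
2024-03-04T10:40:00 dave reported
"""

VALID_EVENTS = {"sent", "clicked", "reported"}


def parse_events(text):
    """Parse 'timestamp user event' lines into (datetime, user, event) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, event = line.split()
        if event not in VALID_EVENTS:
            raise ValueError(f"unknown event type: {event}")
        events.append((datetime.fromisoformat(ts), user, event))
    return sorted(events)


def summarize(events):
    """Score the simulation: rates, reporting delays and who needs follow-up."""
    sent_at = {}      # user -> time the lure was delivered
    reported_at = {}  # user -> time of the user's first report
    clicked = set()
    for ts, user, event in events:
        if event == "sent":
            sent_at.setdefault(user, ts)
        elif event == "clicked":
            clicked.add(user)
        elif event == "reported":
            reported_at.setdefault(user, ts)  # only the first report counts

    targeted = len(sent_at)
    if targeted == 0:
        raise ValueError("no 'sent' events: nothing to score")

    # Delay from delivery to report, per reporting user who was actually targeted.
    delays = [(reported_at[u] - sent_at[u]).total_seconds()
              for u in reported_at if u in sent_at]
    first_send = min(sent_at.values())
    first_report = min(reported_at.values()) if reported_at else None
    reporters = set(reported_at)

    return {
        "targeted": targeted,
        "click_rate": len(clicked) / targeted,
        "report_rate": len(reporters) / targeted,
        # Time until the SOC could first have known about the campaign (None if nobody reported).
        "seconds_to_first_report": (first_report - first_send).total_seconds() if first_report else None,
        "median_report_delay_seconds": median(delays) if delays else None,
        # Clicked and never reported: the clearest candidates for extra training.
        "needs_training": sorted(clicked - reporters),
        # Clicked but then reported: a near miss worth a conversation, not a penalty.
        "clicked_then_reported": sorted(clicked & reporters),
        # Neither clicked nor reported: the lure was ignored, which tells us little.
        "no_response": sorted(set(sent_at) - clicked - reporters),
    }


def report_channel_ok(summary, max_minutes=15):
    """True if the first report reached the SOC within the assumed target window."""
    secs = summary["seconds_to_first_report"]
    return secs is not None and secs <= max_minutes * 60


if __name__ == "__main__":
    result = summarize(parse_events(SAMPLE_EVENTS))
    for key, value in result.items():
        print(f"{key}: {value}")
    print("reporting channel within target:", report_channel_ok(result))
```

The split between "clicked and never reported" and "clicked, then reported" matters: the first group needs training, while the second group did exactly what the awareness program asks once they realized their mistake, and treating them the same discourages the self-reporting the exercise is meant to encourage.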

Other preparedness exercises include red/blue team or tabletop exercises, which simulate security incidents and guide staff through threat identification and response. Most staff will assume that the lion’s share of the response should fall to the IT team, and perhaps it does, but when a security incident occurs, everyone in the agency has a role to play.

These types of exercises can supplement the information security equivalent of a fire drill: a test run of the agency’s incident response plan. An IR drill helps everyone, from senior management to customer service staff, understand what they need to do and how they will continue their work if a serious incident occurs.
