What is your organization doing for National Cybersecurity Awareness Month? We are doing several events, listed below, but I am curious as to what other organizations are doing so we can plan for bigger and better activities next year. Please feel free to share any experience about what worked or didn't work with your organization.
Shred Day: We are bringing a shred service on site to allow employees to shred papers. Additionally, we sent each employee home with a paper bag and instructions from the FTC about what papers they should get rid of at home so they can bring stuff from home to shred.
Guest Speakers: Our state's Attorney General's Office came out to do a general awareness talk. We ordered pizza and hosted it over lunch and had a great turnout. I highly recommend utilizing your state's AG if you need speakers on cybersecurity awareness. We are also having a member of the local FBI's cybersecurity team come out to speak with our operational security team.
Security Talks: We are hosting several departmental talks where our security team presents for an hour about security issues relevant to that department. We have a raffle for various organizational-branded prizes at each talk and everybody who attends an in-person event in October is entered for a raffle for an iPad.
Employee Communications: We are sending out weekly emails with information about the NCSAM weekly theme and some useful information relevant to our organization and that theme. Additionally, we put a quiz on our Learning Management System with two questions from each weekly email. Each week, we are doing a raffle for a Kindle Fire for anybody who took the exam.
We had several events at my company.
One that was effective was a trivia contest each week. Questions were as easy as "name the 1983 movie starring Matthew Broderick and a computer" or "According to the FBI, how much was lost in cyber crimes in 2016? A) 180 million B) 1.3 Billion"
The questions were irrelevant; the intention was to get employees engaged. Correct answers were entered into a weekly prize pool.
The idea that was the biggest hit was a stress ball in the shape of a fish that had the company logo along with the phrase "Suspect deceit? hit delete!"
I would have never dreamt that a stress ball would cause such a reaction. We gave them out to people who answered trivia questions, and during an employee meeting the CEO brought up the topic and pulled a fish out of his pocket. We gave away all we had within 2 hours of that presentation. If employees put them on their desk and a single user thinks twice before opening a suspicious email, then it's a win, but I've heard several employees repeat the saying. It's becoming a catchphrase!
Make it entertaining and their attention will be on the message.
That was sort of our approach with the quiz - it was more to get people to think about security. We (inadvertently) set the quiz to require 80% correct to complete, so most of the people re-took it a few times to get a better score so they'd be sure they'd be entered for the prize and several of them told me they learned a lot by taking it a couple times and having to actually learn the material.
Our two biggest successes were the shred event and a guest speaker from our state's Attorney General's Office (which is free). The talk went well because it was right after Equifax, so a lot of people came and asked good questions. The shred event had a good turnout as well and people thanked us for letting them bring in papers from home - which I told them they can do anytime with our shred service.
I'd definitely be interested in seeing a picture of that stress ball and knowing where you ordered them from. We are looking at doing InfoSec branded merchandise next year and it sounds like that was a big success.