Building a security awareness programme
The goal is not to make everyone a security expert. The goal is to make the organisation a harder target than it was before.
That means people who recognise a phishing email when they see one, know what to do when something seems wrong, understand why MFA is not optional, and do not plug in USB sticks they found in the car park. It does not mean people who can explain the difference between symmetric and asymmetric encryption.
Starting from nothing
If there is no existing programme, start with the basics that reduce the most risk.
Phishing recognition is the single highest-value topic because it is the most common attack vector and because training actually helps. Not perfectly, not permanently, but measurably. Start here.
Password hygiene and MFA adoption can be addressed in the same session. If MFA is being rolled out at the same time, pair the training with the rollout so people understand why they are being asked to do something new.
Incident reporting: people need to know what to do when they think something has gone wrong, and they need to believe they will not be blamed for reporting it. A culture where incidents go unreported because people are afraid of the reaction is worse than one where incidents are reported and responded to badly.
Data handling: who can see what, what goes where, why donor data does not go into a personal Google Drive. This connects to the GDPR obligations and to the shadow IT problem.
Format
Mandatory annual training completed via an online platform works for compliance. It does not work well for behaviour change. People click through to get it done.
Shorter, more frequent touchpoints work better: a ten-minute session at a team meeting, a brief bulletin with a recent real-world example, simulated and roleplay exercises followed by a brief explanation (not a shaming exercise). Monthly or quarterly beats annual.
For the volunteer population, the format needs to match how they engage with the organisation. A link to a sixty-minute online module, simulation or lab is not realistic. A ten-minute conversation and a one-page reference card are more likely to land.
Simulated exercises
Defender for Office 365 Plan 2 includes Attack Simulator.
Free alternatives exist: GoPhish can be self-hosted, KnowBe4 has a limited free tier, and we could build our own in around two days. The value is not in the gotcha moment but in the measurement: what percentage of people clicked, who reported it, and whether awareness improved after training.
Run simulations regularly, not as a punishment exercise, but as a calibration. If sixty per cent of people are clicking simulated phishing emails, that is information you need.
Measuring and reporting
Track what you run, who attended, and what the simulated phishing click rates are over time. This serves two purposes: it lets you see whether the programme is working, and it gives you something to report to management that is more concrete than “we are raising awareness”.
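The metrics worth tracking from each simulated campaign are the click rate, the report rate, how many people who clicked still went on to report (a sign the "no blame" message is landing), and how long it took before the first report arrived, since that is the point at which the organisation could have started responding. The script below is an added example, not code from this page or from any of the tools named above; the campaign results it uses are constructed sample data, and the thresholds for "improving" (clicks down and reports up across campaigns) are an assumption about what counts as a working programme.

```python
"""Phishing-simulation metrics for awareness-programme reporting (added example)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Result:
    """One recipient's outcome in one simulated phishing campaign."""
    clicked: bool
    reported: bool
    minutes_to_report: Optional[int]  # None when the recipient did not report


@dataclass(frozen=True)
class Campaign:
    name: str
    results: List[Result]


def campaign_metrics(c: Campaign) -> dict:
    """Per-campaign numbers worth putting in front of management."""
    sent = len(c.results)
    if sent == 0:
        raise ValueError(f"{c.name}: no recipients")
    clicked = sum(r.clicked for r in c.results)
    reported = sum(r.reported for r in c.results)
    # People who clicked and then still reported: evidence the "no blame" message lands.
    clicked_then_reported = sum(r.clicked and r.reported for r in c.results)
    report_times = [r.minutes_to_report for r in c.results
                    if r.reported and r.minutes_to_report is not None]
    return {
        "campaign": c.name,
        "sent": sent,
        "click_rate": round(100 * clicked / sent, 1),
        "report_rate": round(100 * reported / sent, 1),
        "clicked_then_reported": clicked_then_reported,
        # Minutes until the first report: when the organisation could have started responding.
        "first_report_min": min(report_times) if report_times else None,
    }


def programme_trend(campaigns: List[Campaign]) -> dict:
    """Compare the first and last campaign; campaigns must be in chronological order."""
    if len(campaigns) < 2:
        raise ValueError("need at least two campaigns to see a trend")
    first, last = campaign_metrics(campaigns[0]), campaign_metrics(campaigns[-1])
    click_change = round(last["click_rate"] - first["click_rate"], 1)
    report_change = round(last["report_rate"] - first["report_rate"], 1)
    return {
        "click_rate_change": click_change,
        "report_rate_change": report_change,
        # Assumed definition of "working": fewer clicks AND more reports. One without the other is ambiguous.
        "improving": click_change < 0 and report_change > 0,
    }


def render_report(campaigns: List[Campaign]) -> str:
    """Plain-text table for the management report."""
    rows = [campaign_metrics(c) for c in campaigns]
    lines = [f"{'campaign':<10}{'sent':>6}{'click%':>8}{'report%':>9}{'first report':>14}"]
    for m in rows:
        first = f"{m['first_report_min']} min" if m["first_report_min"] is not None else "none"
        lines.append(f"{m['campaign']:<10}{m['sent']:>6}{m['click_rate']:>8}{m['report_rate']:>9}{first:>14}")
    t = programme_trend(campaigns)
    lines.append(f"click rate {t['click_rate_change']:+} pts, report rate {t['report_rate_change']:+} pts "
                 f"({'improving' if t['improving'] else 'not clearly improving'})")
    return "\n".join(lines)


def _campaign(name: str, spec: list) -> Campaign:
    return Campaign(name, [Result(*s) for s in spec])


# Constructed sample data (not real results): three quarterly simulations of 10 recipients each.
SAMPLE_CAMPAIGNS = [
    _campaign("2024-Q1", [(True, False, None)] * 5 + [(True, True, 60), (False, True, 45)]
              + [(False, False, None)] * 3),
    _campaign("2024-Q2", [(True, False, None)] * 3 + [(True, True, 30)]
              + [(False, True, 20), (False, True, 90), (False, True, 25)] + [(False, False, None)] * 3),
    _campaign("2024-Q3", [(True, True, 10), (False, True, 5)] + [(False, True, 15)] * 4
              + [(True, False, None)] + [(False, False, None)] * 3),
]

if __name__ == "__main__":
    print(render_report(SAMPLE_CAMPAIGNS))
```

Feed it the per-recipient export from whichever simulation tool is in use and keep the campaigns in date order; the trend line at the bottom of the report is the sentence to give management instead of "we are raising awareness".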