Modern security awareness campaigns

We once put the following on our intranet, as a friendly reminder to people that they should change their passwords regularly. I am pretty sure it worked, because the volume of "I forgot my password" type helpdesk calls in the following 2 weeks was higher than average!

It's hard to put together one that works. It helps to have engaging content, and some rewards (e.g. run a simple quiz and give away something of interest). It helps to have influential leaders in your organisation actively promoting participation in the awareness campaign.

Microsoft have a toolkit you can download which has some ideas in it. Sophos released some material recently which also has good ideas. As do Symantec (as you mentioned) and most leading IT orgs, since it is a way they can slip in some marketing.

I've found the most successful topics for awareness are those that have immediate and clear benefits. Changing passwords regularly doesn't have an obvious benefit for most users. Same with avoiding clicking online ads. But if these can be worded in ways that appeal to your audience, then you're more likely to succeed. For example, if you have parents, they will be sensitive to computer security advice that can protect their kids (oh, and incidentally teach them good work practices too).

Regarding IT staff, security awareness seems to have less impact. Clear procedures and policy, good management guidance, and a culture of security are more successful, in my experience.