We know that we are constantly under attack from all sides: viruses, phishing emails, attempts to compromise websites, firewalls being probed for weaknesses… It’s just part of managing an IT department. IT professionals need to be vigilant about threats at all times. Everyone else, though, tends to go about their jobs unaware. Since many security incidents begin with our end users, a security awareness plan is critical (and if your organization is covered under HIPAA, it’s also mandatory).

In the IT Communication Plan, one of our scheduled communications is a regular Security Awareness communication that’s sent out every other month.

There is no shortage of topics to cover:

  • Identifying malicious email
  • Updates on new viruses and security threats
  • Reminders of security policies and procedures
  • Do’s and Don’ts for safe computing

One thing they all have in common is that they are fairly dry. So I’ve always done my best to keep these communications entertaining while also being informative.

Another tactic I’ve used is to make a game out of security awareness. I implemented an ongoing contest for users to submit malicious emails they’ve received and identified. With each Security Awareness communication, a winner is picked from those who submitted. This accomplishes several things:

  • Users do a better job looking for malicious emails and not clicking on them.
  • Malicious emails that make it past our spam filters are brought to our attention.
  • The Security Awareness notices tend to get read a bit more because people want to see who won.

Sample templates

It’s important that your communications have a consistent format, and that they’re branded for your organization. That’s where templates can come in handy.

To give you an idea of what these emails might look like, I’m sharing four Security Awareness templates I created:

  • Security alert: ID badges and visitors
  • Security alert: Phishing emails
  • Security alert: Zip file dangers
  • Security alert: Password pointers

You can download the set of templates, copy what you need into your favorite text editor, and make any desired tweaks to the content and format. Then, just paste it into an email for distribution to the appropriate recipients. All these communications are intended to be placed directly in an email (i.e., they are not attachments) to make them easier to read (and harder to overlook).

As long as communication is kept on everyone’s minds — not just IT’s — you are getting the job done.