Many security professionals probably give little thought to branding; they prefer to leave that fluffy stuff to the marketing team. But when it comes to security awareness, branding can add a touch of goodness to your efforts. (And if you want to know what this has to do with creamy pints of the black stuff, read on.)
Leave aside your feelings about the term ‘branding’. For our purposes, it just means coming up with a name and a design, and then applying that same look and feel consistently and repeatedly across all your security initiatives – whether that’s phishing training, ransomware alerts, password hints and tips, or policy documents. You can also apply the brand regardless of whether the message appears in an email newsletter, on the office noticeboard, or on key rings. It’s a way to identify a link between messages, so your audience knows they come from the same source.
Why are consistency and repetition important? Research tells us that repetition plays a huge part in embedding learning and persuading an audience (thanks science!). The psychologist Robert Zajonc developed the concept of the ‘mere-exposure effect’. This means that repeating a message makes people familiar with it, and, over time, they become positively disposed towards it. Experts believe people need exposure to a message from six to 20 times for it to become effective.
Reuse and recycle
The good news is, you don’t have to be an advertising guru to develop a simple, effective brand for your security awareness programme. For a start, you can use material you’ve already got. Even if your business is relatively small, it will probably have a logo with a chosen colour scheme and font. Use them!
Larger organisations may even have more formal brand guidelines that you can use when developing your own materials. Now’s not the time to reinvent the wheel. Reusing or refreshing existing material (and corporate colours) helps to keep your costs down. It also reinforces your security brand because you’re subliminally linking your efforts to the company’s goals.
Designed to engage people
Design is where you can let your imagination run riot. If you don’t fancy your artistic abilities, take the opportunity to involve others in the company. You could tap into people’s creativity by offering an incentive to design the logo. In some of my previous roles, I created a competition with a €50 voucher as a prize for the winning design. It was a really effective way to start engaging people even before the awareness programme began. And engagement is, ultimately, what this is all about: capturing interest and attention. Always remember you’re trying to reach a very broad audience. The IT team should be on board anyway. You’re aiming for everyone in the organisation from the receptionist to the CEO.
Another word on design. Obviously, you may instinctively think of an image or icon that relates to security. (Full disclosure: personally, I’m not a fan of padlocks. Aside from being clichéd by now, a padlock has negative connotations. If you’re going to the trouble of branding security awareness efforts, it should promote a positive message about security.)
The medium is the message
And speaking of positive messages, a tagline can help to reinforce the behaviour and culture that you want to encourage. In several organisations, I’ve reused the phrase ‘be vigilant, be safe, be secure’. I included it on any emails I sent, and on all other printed and online materials relating to security awareness.
I put a lot of thought into the words, even down to the order they appear in. It’s got a certain internal rhythm to it, which makes it easier to recall. It’s framed as a positive message, rather than ‘don’t do this behaviour’. The words tell the reader what I wanted them to do: to remember to watch out for bad stuff, and to take care to protect themselves. Only at the end do I introduce the notion of security, which is something that arguably matters to the company more than motivating the end user. (The subject of motivation is worth a blog by itself, and I’ll come back to this subject in a future post.)
The beauty of security awareness is that it needs relatively little investment to deliver a potentially large return. You can keep your costs low by using materials already in the public domain or within your own company. Why not reach out to your marketing team and see if they can help? There’s no shortage of websites and blogs (ahem) with useful free security tips. For example, ENISA’s website has free-for-use awareness material including video clips, posters, illustrations and screen savers. If your efforts are more focused on privacy, try the UK ICO’s Think Privacy website, which shares best practice on awareness-raising programmes.
Security is good for you
Branding’s power can reach far beyond the product it’s trying to sell. Think of Guinness and how hordes of tourists depart from Dublin with clothes promoting a product many of them don’t even like! Now that’s the power of marketing. Why not harness some of that good stuff to give your security awareness extra strength?