Best Practices for a Successful Cybersecurity Awareness Month: Webinar Takeaways & Recording

Cybersecurity Awareness Month is right around the corner this October and we were thrilled to have an all-star panel of security awareness program experts from Equifax, Sony and Workday at our webinar on August 30th, 2022.

• Missy Bentzen - Senior Information Security Program Manager at Workday
• Kattia Solano - Security Service Delivery & Enablement Lead at Equifax
• Jacob Revord - Manager of Information Security Awareness & Training at Sony Pictures Entertainment
• Jennifer Kinney - Senior Client Strategic Advisor at Living Security
  

• Use contests & gamification to boost employee engagement - Cybersecurity training doesn't have to be boring. Make it fun by hosting contests and give away prizes to incentivize participation and engagement
  
  • As Missy Bentzen notes, "Host a phishing contest. Have your employees give you ideas for what your next phishing email could be for the company. There's a lot of different things that you can go outside the box and even the online PowerPoint presentation tools to take that and make it security oriented. It just takes getting a little more creative, but it's really helpful to still make cybersecurity awareness month engaging and interesting, even when you don't have a large budget to work with."
• Tailor your approach to different audiences - Different departments and regions will respond or engage with cybersecurity training in different ways. Gather feedback across your organization to find the approach that works best for each group.
  • As Kattia Solano notes: "The only way that you can bring about change in  behavior is to keep learning what's working and what's not across your organization. Take that feedback and modify your cybersecurity training program to provide a variety of different topics & approaches based on the risk behavior that you really want to address and the type of training that has proven to be the most successful for each group."

• Prioritize on making the training fun & engaging - How can you make someone care about participating in your cybersecurity training program this October and extend that engagement throughout the year? Have fun with it and get creative.
  • As Jacob Revord notes, "If we focus on engaging and creative and exciting content in October and then use a similar approach throughout the other 11 months of the year, then we can continue that engagement without trying to force ourselves into everybody's life as quickly as possible. Also, make a concerted effort to embrace the hybrid work environment and make any in-person training content also work in an online/virtual format, and then you can have competitions between the physical and the virtual teams."

Read the full transcript below:

Jennifer Kinney:

All right, everybody. Thank you so much for joining us today. My name is Jennifer Kinney. I am the senior strategic client advisor and the community facilitator for Living Security. And I know that today's topic is probably top of all of our minds because it's almost September, cybersecurity awareness month. I find it incredibly helpful and impactful to hear from colleagues and other industry experts to help tackle this time of year. So that's what our goal is today is to help inspire you and hopefully give you some ideas to make cybersecurity awareness month a great success. I know that our employees are juggling so many priorities and are exposed to so many important corporate efforts. It can be more and more challenging to secure engagement in the hopes of managing human risk. So our panelists today are going to help us do just that.

Jennifer Kinney:

To keep things interactive. We will have a few polls throughout the presentation, and we're also going to save some time at the end for Q&A. So feel free to add yours to the Q&A, and we'll get to as many as we can before the end of the hour. This presentation will be recorded and transcribed, and the recording will be sent to everyone who registered, hopefully by tomorrow or the next day. And two more quick items, we will be raffling off two DoorDash gift cards if you do engage or ask us a question. And also all of our webinar recordings can be found in the resources section of our website. So if there's something that you feel like you may have missed today, if you've got a call or something and may have missed something and want to check it out, you can visit the resources section of our website. And we also have a great repository of some of our past webinars, like successful phishing simulation programs and scams, and all kinds of good things. So check that out to see if there's anything else you might be interested in.

Jennifer Kinney:

Okay. The panel today is from Sony, Workday and Equifax. And I would love for our panelists to do a brief introduction of themselves before we get rolling today. Missy, would you like to introduce yourselves?

Missy Bentzen:

Sure. I'm Missy Bentzen. I am at Workday and I've been working in security awareness for about eight years now and planning cybersecurity awareness month for about seven of those years.

Jennifer Kinney:

Thank you so much. How about you, Kattia?

Kattia Solano:

Good morning, everybody, or good afternoon, where you're coming from. My name is Kattia Solano. I am the security service delivery and enablement lead at Equifax. I have almost 10 years in the security environments and cybersecurity awareness traiing. Also, II have almost five years working on Cybersecurity Awareness Month and every single year it’s my job to be creative to make sure to make changes to boost activity and engagement. So welcome everybody.

Jennifer Kinney:

Thank you so much, Kattia. We're so happy to have you. 10 years is a good long time in this industry too. And Jacob?

Jacob Revord:

Thanks, Jenny. My name's Jacob Revord at Sony Pictures. I've been working within cybersecurity and information security specific fields for about 13 and a half years, specifically within awareness and training for the last 10. I've been working with cybersecurity awareness month, realistically the last five to six years.

Jennifer Kinney:

Okay, great. We've got a lot of good experience here. I've been working in cybersecurity. Well, since 2016 and did cybersecurity awareness month in some former fashion every year. And so Jacob, okay, you're from Sony and so you've got this really cool background. Tell us what's all behind you there?

Jacob Revord:

There's a Spider-Man backdrop. I was 10 years in the military and every backdrop is very drab. And so when I left the military, I wanted to have the podcast feel. When you look good behind you, feel good in front of you-

Jennifer Kinney:

Absolutely.

Jacob Revord:

... and you walk a little more better.

Jennifer Kinney:

Okay. Well, it looks great. I mean, ours is pretty snazzy too, but yours is something special. You don't have to be one of us today.

Jennifer Kinney:

I wanted to give everybody on the line, just a quick history of cybersecurity awareness month. I did not realize how long it's been around, I was thinking it was about 10 to 12 years, but actually it has been around for 19 years. Every year since... Oh gosh, I just gave him the answer, Charlotte. But every year since 2003 actually, it's been an effort that's been brought to life through a collaboration between the United States Department of Homeland Security and the National Cybersecurity Alliance. And this month was created to ensure that every individual stays safe and secure online. It's a big call to action to get that to happen, isn't it? And if you've been around a while, you'll notice that last year, the N for national was dropped. We used to call it national cybersecurity awareness month, but since it's morphed into such an internationally recognized event, now it is just cybersecurity awareness month. So we can welcome everyone globally to this important month. Okay, are you guys ready to get started?

Jacob Revord:

Yeah.

Jennifer Kinney:

Okay. Okay. Fantastic. Okay. My first question for you is a rather broad one. We'll get more into the nitty gritty details here in a bit, but what works and what doesn't work for you in general during cybersecurity awareness month? What are some lessons that you've learned along the way?

Kattia Solano:

It's really important when you are going to design and plan the CSAM, that you do it in advance, but it's also really important to know your audiences, the regions, the culture, the languages, and also find stakeholders that work together, like in our corporate and regional security teams or a business unit that is going to help you to understand the audience so you can engage and try to making sure which is going to be the events that you're going to add and include. And of course, which is going to be the risk behaviors that you really want to address to making sure that it's going to be a meaningful in the participation, and we can drive any change on behavior in the future.

Jennifer Kinney:

Exactly. We're not just trying to sell smiles, although we want to do that, we're not just trying to make people smile and entertain them. We're actually trying to educate them and encourage more secure behavior. No, that's great. Yeah, making everything action oriented and appeal to different cultures, that's important. Anybody else have any tips for this?

Jacob Revord:

I think among everything else, our primary role is a storyteller and trying to react to people's why should they care and figure out what story's relevant for that use case? And so it's figuring out what stories are impactful for the year, for that month, what you can carry throughout the year that makes more of an impact than just the one off training, the one off webinar that doesn't really have a meaning to somebody's, either home life or work life.

Jennifer Kinney:

Could you give us an example of a story that you've told?

Jacob Revord:

Well, the primary way I go back to it when I was in the military teaching people to do internet security on subnet and how to set up. I was teaching explosive ordinance disposal techs how to do advanced networking.

Jennifer Kinney:

I mean, who hasn't? Who hasn't taught that, Jacob?

Jacob Revord:

Well, they're historically the big strong military guy that doesn't know anything about network topology and trying to get them to appreciate the fact that the networks they're working on need to be secure. They don't care/ but what they do care about is the person they're standing beside and the person they're going out with. And relating the fact that the networks they're creating allow those people to stay safe and allow the information to get back in a timely manner so that their friends that are about to go out can do it safely was something that was more impactful to them than anybody who had tried to explain it previously.

Jennifer Kinney:

Right. So you just really need to speak to them where they are and give them the why behind it?

Jacob Revord:

Exactly.

Jennifer Kinney:

Okay. That makes sense. Help them care, help them make it relevant to each person?

Jacob Revord:

Yep.

Jennifer Kinney:

Okay. That makes sense. Thank you. Kattia, you were touching on this a little bit, but one of our challenges and our roles as program owners, and one of my roles here at Living Security is to really think about all of the different age groups that we have to appeal to. There's different technical skill levels, like Jacob, you have such a technical background, and then you have people who may not even be that comfortable checking email. It just depends on... And you have to appeal to everybody. It's such a challenge. There's also different job seniority. Executives will have a different viewpoint and they have different goals and maybe somebody in customer support. So it's such a challenge, in my opinion, to appeal to everyone, especially during this month where you really are trying to appeal to everyone and get people to change across the board. What do you do to really reach these different age groups, skill levels, seniority, et cetera, during October?

Kattia Solano:

Yeah. I-

Jennifer Kinney:

I also to know what are the most challenging groups that you've had to work with and how you can influence them?

Kattia Solano:

... Yeah, definitely. I think that every single year that we work and we planned, and that is that really good thing that you need to know, that every single activity is really good, that you can track participation. We can track, which is their feeling or the experience that they have, because the next following year will be able to know we have more engaging in the speaking series, the executive, the managers. The people also for call center, they really want to know about this key engaging and speaking series. So we just try to get in a different levels of knowledge of the different speaking series and the daily life things, but at the end, security needs to be part of our lives 24/7. That's why I really want to making sure that it needs to be part of our lives.

Kattia Solano:

The other things that we need to consider is that working in a global company, you are not be able to know right now how the communication works for each region or business unit. That's why it's really important that you work closely in advance, in the planning communication plan and the marketing and how you are going to engage with those specific audiences, making sure that you are going, or that specific team in that region is going to pick which specific activities. People like gamification. The only way that you can bring a change and behavior and keep the learning is based on experience. That's why the people love escape room in different levels. The speaking series, different levels. And also the training series, because sometimes they are too busy that the only way that they can participate is doing by their own and they enjoy it. So that's why we really want to bring a variety of things based on the risk behavior that we really want to address. And then each region or business unit is going to help us to address that effort to making sure they're engaged.

Jennifer Kinney:

Absolutely. Yeah. I agree with that. And that's why we do offer so many different things for the different audience members. You were men mentioning the virtual escape room that everybody seems to enjoy, and I've noticed that as well. But yeah, and then training for people who aren't able to commit to one 30 minute time period a day, that completely makes sense. Has anybody ever had an issue with humor not landing well, maybe with one culture or something like that? I've seen that in the past. Or I did a poster that I thought was hilarious, but there was one group that did not understand it at all. Did not get it at all. Has anybody ever experienced anything like that?

Jacob Revord:

I think anybody that's worked in any global company has experienced that. That's one of those... Things that you think are hilarious in your own language, even just the translation, sometimes is horrible on the other end.

Jennifer Kinney:

Exactly. One thing our audience can take away is, if you have any inkling that you think this may not land in a different language or with a different culture, check with somebody local there and to ensure that the message is going to get across correctly. Because the last thing you want to do is alienate anybody.

Missy Bentzen:

And even along those lines, Jenny, there's also just words that may not be the same in different cultures. So having to be mindful of just terminology that you're using. I've learned, I think one time I was making some comment or an analogy to a Q-tip and that didn't resonate over in other countries because they call it a cotton swab.

Jennifer Kinney:

Oh yeah. Okay.

Missy Bentzen:

It's definitely thinking about the terminology and running by some of your campaigns or messaging with other countries or contacts just to help make sure everyone understands what you're trying to deliver in your message.

Jennifer Kinney:

Yeah. It looks like the chat is up and working now, Charlotte, thanks for getting that going. And it looks like Marcy was saying some things also won't go by HR. So you do want to run everything by HR in case you get in trouble. We were just doing a translation for one of our training modules into Japanese. And we had referenced cyber hygiene, which, to English speakers, we've just been saying that for the past few years and we think the analogy works, but it didn't work. It just didn't translate correctly in Japanese. My gosh, I can completely see that. Hygiene can just be personal. Anyway, those little turns of phrase sometimes don't always translate.

Jacob Revord:

I think the one thing that we forget about is that October's not the only month in the year and we try to fit every skill level, every age group, every role and responsibility into the month of October, which waters down the impact that we're going to have overall. If we focus on engaging and creative and exciting content that we vet and then worry about that specialized focused awareness and training throughout the other 11 months of the year, then we continue that engagement without trying to force ourselves into everybody's life as quickly as possible.

Kattia Solano:

Yeah, I totally agree.

Jennifer Kinney:

No, that's a great point.

Kattia Solano:

Yeah, I totally agree with you. And that's why one of the things that the cybersecurity awareness month is just a full month of events, but we don't just create a lot of engagement in a community and we do not be able to lose that track, that passion, that continuity. That's why it's very important to continue moving forward, like by quarterly or you are be able to do any other things so you can continue moving on and increasing the engagement. Yes.

Jennifer Kinney:

And have any of you ever had a challenging group that you were able to influence for the better eventually? Like it started off as a challenge, but you were able to get them to come around and influence them?

Kattia Solano:

Yeah, right-

Jacob Revord:

I think the one thing-

Kattia Solano:

... I'm sorry.

Jacob Revord:

... I was going to say, the one thing COVID taught us is that we were drastically under representing the remote workers. Because we didn't realize the needs and the desires of somebody who works at home full time. And being forced into that environment gave us a very clear understanding of what works well and how quickly you could get tired of Zoom and videos and webinars that are put out by the company.

Jennifer Kinney:

That makes a ton of sense. And I'm sure it also opened your eyes to the broad spread vulnerabilities that we have working from home as well, that you may not have considered before. Yeah. Very, very interesting. Okay, Jacob, you're getting some thumbs up in the chat spot on there.

Jennifer Kinney:

Okay. I wanted to talk about the Benjamins. Through the years you may have experienced years where you had no budget. You may have experienced years where people are like, "Okay, we're going to throw some money at this. This is an important effort." And we have clients at Living Security that fall into lots of different columns when it comes to budget. So we try to do our best to guide them to do the most with what they have, if they're in that situation. I would love to hear how you plan and manage cybersecurity awareness month when you have a good budget or when you don't have a good budget? If you wouldn't mind sharing some experiences there. Missy, I think maybe you—?

Missy Bentzen:

Yeah, definitely. I've definitely been in the no budget world and budget world. When I first started doing security awareness month, I had zero budget or very, very limited budget. And you have to just get creative. I think a lot of people that don't have budgets are really looking for more ideas on things they can do, so I'll focus a little bit more on that. But when you have no budget, starting to get creative with things that you can find and turn into something a little more interesting. One of the things that I like to do is share word puzzles. I have cybersecurity word searches, crossword puzzles. I have a Sudoku, but it's using the word security. So you're filling in all the little boxes with the word security. I know it's not nine letters, so there's just a bonus square in each one. Things like that.

Missy Bentzen:

But there's also a key part to not having a budget and being successful is partnerships with other teams. You may be the one and only security awareness person at your organization, but you can rely on other parts of security. There's security engineering, there's threat intelligence, there's your SOC. What you could do is have a day of just introducing everyone to cybersecurity or hosting a panel discussion, letting people meet your security organization. One of the things that I found very successful was doing an open house of our SOC. People want to know what goes on behind the scenes. They're interested, "What's behind the door? What's on all of those monitors that they're looking at?" And of course our monitors were very limited in what was shown that day, but there's a lot of key partnerships that you can evolve.

Missy Bentzen:

And when you work with those other teams, they have ideas, they have things they'd like to do. We've hosted a live demonstration of a phishing attack. What's really going on when somebody's receiving an email? And what they see versus what the criminal sees. Then there's also things like having a live wifi attack. So having someone choose to connect to a wifi and ultimately what's being seen on the other end, when somebody is that man in the middle getting access to their connection. There's a lot of things where it's really helpful to partner with the other teams within your organization that may have some of those skills that you may not necessarily have and help fill that gap for you.

Missy Bentzen:

Another thing that was very successful, if you have a phishing program, host a phishing contest. Have your employees give you ideas for what your next phishing email could be for the company. There's a lot of different things that you can go outside the box and even the online PowerPoint presentation tools to take that and make it security oriented. I know Living Security had provided one that was Security Feud. That's a lot of fun. People really enjoy that. I've hosted that a few times. I've created some other in-house games with PowerPoint presentations. It's just getting a little more creative, but it's really helpful to still make cybersecurity awareness month engaging and interesting, even when you don't have that budget.

Missy Bentzen:

And if you have a very limited budget, maybe just doing some raffles for people attending or engaging. I like to even do some swag bags for people for just participating. So 10 people that participated during security awareness month, get a little swag bag or maybe a little gift card. There's a lot of different things that you could think about. I wanted to hone in on that no budget component to help a lot of people maybe generate some ideas there on which you could do to be a little more successful in that area.

Jennifer Kinney:

I love that creativity, Missy. Yeah. We had, one time one of our members of the SOC did a password attacking demonstration. I just love live demonstrations because it's almost like a movie. Everybody likes the cybersecurity movies and everything and true crime. So just showing the anatomy of a phishing attack and how you can spoof an email address. All of that can be really interesting to our employees. Another time somebody from our email team showed somebody how easy it is to spoof a domain name and that type thing. I think when you get into that, it can make it just really hit home. These are real life examples, this is what's happening and you don't have to be any kind of brilliant technologists to do this. You can be 15 years old, download free software and do a password reverse hash attack. It's very simple. So that can be eyeopening.

Missy Bentzen:

You just reminded me of something else I did, that even though I'm at a company with a budget, but I still did a no cost activity where I hosted a matinee, a movie matinee. So cybersecurity themed movies or TV shows, just pulling in.

Jennifer Kinney:

How fun.

Missy Bentzen:

So having people come in for the afternoon to view a cybersecurity related movie and I provided some popcorn and candy and snacks. It's still a little budget, but it's low cost.

Jennifer Kinney:

Exactly. Low cost, but lots of fun.

Missy Bentzen:

Yeah.

Jennifer Kinney:

Yeah.

Jacob Revord:

I think that, along that line, Missy, the primary thing for us has always been demystifying information security teams. Because if people don't think you're a real person, they won't come talk to you about problems they have. But for instance, three years ago, we ran a physical escape room based on Zombieland, and I stood on the studio a lot as an Elvis zombie killing character. Full Elvis garb, everything.

Jennifer Kinney:

Again, who hasn't, Jacob?

Jacob Revord:

The key takeaway there was people for 18 months would message me, "Hey, you're the Elvis guy, right? I saw something at the studio. I heard somebody say something." It amazed me the amount of people who didn't think they could talk to their cybersecurity team about cybersecurity problems, because they'd never actually met the person. So demystifying and putting a face to that program and just getting your team out there, it almost doesn't cost anything. Doing a weekly webinar with a different person on the team and explaining their roles and functions will go light years to create engagement and awareness of the different facets of cybersecurity.

Kattia Solano:

Yeah, that's true.

Jennifer Kinney:

The biggest goals, I think of October too, can be to really put the face with the name and get to know each other so that people do feel comfortable. It is a time that we can do that instead of just doing annual training, pushing annual training in January, and then being like, "Got to get it done. You got to get it done." Kattia, did you have something to say?

Kattia Solano:

Yeah, I'm just adding with Jacob, one year we did also in an escape room, in a local escape room and we were amazing, the people were looking for another extra day to enroll. And people love about that. And was really in a low, we just go to buy in a different things. And we had in a room, in a big room, the different clues that they have to resolve and was really amazing and it's another an escape room series, today you can create it by yourself. It's amazing. And they got a lot of engagement too. And security field also, we ran it this year in Costa Rica locally. It was amazing. And we ran it in a big area room during the launch time. So they have the different teams working there, but the people doing the line in the launch, they will be able to see and participate and we got a lot of engagement. And this is really important to have the security field virtual, but doing locally? Oh, it's caused a reaction and a real engagement too.

Jennifer Kinney:

Those are great ideas. And I think we might have to make a list of this stuff. This would help everybody too.

Jacob Revord:

I was going to say, it may be wise to make a blog post about the different ideas that are—

Missy Bentzen:

Yeah.

Kattia Solano:

Yeah, definitely. Yeah, definitely.

Jennifer Kinney:

And this will be recorded and transcribed everybody, so you can go back and review. Yeah, okay—

Kattia Solano:

And it's really important to see what is trending, which game is trending, which other thing in a program. Like right now, the fortune wheel this year, oh, Equifax is going to have something fun that is going to be related to the, I don't know, the fortune wheel, that we are going to have a game that is going to be really good. So this is something that we're just trying to see, which is in the loop right now in training that we can create a really good activity? That is really good.

Jennifer Kinney:

... Okay. We're getting some questions and chat that we're going to address in just a minute about remote workforces. We're going to talk about that guys, in just a few minutes. But first I want to talk about, okay, we talked about some great ideas that were low cost, now how about when you have a budget? What can you do then?

Jacob Revord:

... Working at a movie studio, everything is always a high budget production. And coming in the first year, we didn't have much of a budget when we first started running these. And so everything was bootstrapped. I was making props and creating my own backdrops and getting people on the team to help volunteer to be characters and games. And it was a very bootstrapped program. Once we got people to realize how effective the program could be, then we got a little more money. And once you get a little more money, it's not necessarily about changing what works. It's about making what works more impactful and more memorable and more engaging. The first year we had our escape room, we ran it in an office space. The next year we took over an entire building and made a full on zombie apocalypse set in front of one of the buildings. For anybody that knows Drew at Living Security, you can ask him about it. It was epic.

Jennifer Kinney:

Drew's our co-founder

Jacob Revord:

Yeah, and I don't think you don't have to necessarily do anything different. Just take what works and grow it. Make the content more high quality. Get more outside resources that allow you to expand it regionally or remotely. Take the ideas that work well in person and work with people who help you expand that to a virtual format. One of the things that we're doing this year is an InfoSec arcade, where we're taking in making '80s themed arcade games and running it at a happy hour. But then also doing that online and in a virtual format, where people can play and we'll have competitions between the physical and the virtual teams. Yeah, growing what works well with the money you get ,not trying to do more with the money.

Jennifer Kinney:

And I find too, when it comes to speakers, sometimes speakers are charging a lot of money these days. Every time we pay a speaker, I'm like, "Man, I'm doing it wrong. I need to be getting paid $20,000 an hour." But with more budget you can get some more engaging speakers as well. Anybody else, once you... Missy, perhaps once your budget grew, your creativity I'm sure did not stop, so let us know what else you were able to do with more with money?

Missy Bentzen:

Yeah. Once there was some budget, the things that I have found most successful, of course is swag and raffles and prizes. Those definitely get people interested, engaged. Last year... well, I guess the last couple years, we used Living Security CSAM package and we had the gamification going on. So every single week we had new prizes or new raffles. And that was where some of that swag bag comes in. So people that were like, "Oh, I'm not getting anywhere," because they can't stay at the top of the scoreboard to win a big prize. But we're giving out the participation award. Join in. You don't have to be the top dog, we can give you a swag bag just for playing. And-

Jennifer Kinney:

What-

Missy Bentzen:

... Oh, go ahead.

Jennifer Kinney:

... I was just going to ask, I get questions a lot like what kind of swag do end users want these days? What's some of your more popular items?

Missy Bentzen:

T-shirts are always a big win, although that's a big ticket items, so we don't go with the t-shirts too often. We have spanned all over the place with swag. I've had clickable message pens that I think are really cool to have. So as you click the pen to turn it on, it rotates with a different security message in the barrel.

Jennifer Kinney:

Oh, that's cool. I love that.

Missy Bentzen:

That one's really good. I also used that again, I brought it back around for our return to office. We had these clickable pens in all of our offices as people came back. So they would have a security reminder, more or less. And if you have monitors around your offices, trying to tap into those and put security reminders on those monitors. I recently added the reminder to lock your screen when you step away. Because we've all been working from home, but now back in the office and how often are you locking your screen when you step away at home? But you have to when you're in the office. I just veered away from the budget question there a bit.

Jennifer Kinney:

That's okay. That's all relevant.

Missy Bentzen:

Yeah. But basically it's really what do they get? It's always the what's in it for me that I think is always valuable to think about. Yes, there's the information we really want them to take away from it, but gearing the topics as we've been saying a little bit, or not even a little, a lot, is that personal nature. So the what's in it for me is always having that personal touch. How are they learning and applying this information in their personal life, and then they're more inclined to attend and participate. But then there's the, what's in it for me of tangible. So there's the information, but then there's the tangible, so am I going to get a prize? Or even the bragging rights sometimes.

Jennifer Kinney:

I know.

Missy Bentzen:

You I don't always have to have prizes. Bragging rights are pretty cool.

Jennifer Kinney:

I love a digital certificate. It makes me feel like a kid again, like, "Oh cool."

Missy Bentzen:

Yeah. People put those up in their cubes.

Kattia Solano:

It's nice. Yeah.

Missy Bentzen:

There's a lot of interesting things there.

Jennifer Kinney:

Kattia, did you have anything to add?

Kattia Solano:

Yeah. The other thing that we use is that we have an internal bravo points that you would be able to redeem, because we are global, you'll be able to redeem with the different things that you can do. But one year, what we did also as a big prize, we have a Nintendo Wii. And we have really technological things and the people were crazy about those things. Like, I don't know, the Alexa small thing and all this stuff. And we would be able to have those prizes and it was amazing, they increased the participation that year and the people were crazy, "Oh, what I need to do in order to get the Nintendo Switch?" And all kind of technological swags that we have. So that's really good.

Kattia Solano:

And for the regional thing, in order to making sure that everybody will be able to participate at these things, they will be able to redeem with the things that they can have in their own region. So in that case, we will be able to give them-

Jennifer Kinney:

That makes sense.

Kattia Solano:

... there is points, so they probably can choose what they want. So it's also really good.

Jennifer Kinney:

Yeah. I've gotten into trouble before with something that I would have to ship across the pond for our community, which I'll tell you guys about in a minute, if you don't already know about it, but I did Yeti cups and—

Kattia Solano:

And the shipping is expensive. You're like, "Oh my God."

Jennifer Kinney:

... Yeah, I was like, "Oh, okay. So this was a $40 cup that I have to pay $120 to get to my-

Kattia Solano:

It's crazy. That's right. Yeah.

Jennifer Kinney:

James, I'm sorry you don't have your cup yet, if you're here. But, you do have to consider all the-

Missy Bentzen:

Jenny, I did just think of one other swag item that has been a huge hit that is not super expensive, and it's data blockers-

Jennifer Kinney:

I love those. Yes.

Missy Bentzen:

... that you attach to the end of your phone charging cord. Well, I should say they're a huge hit once people understand its purpose. At first they think it's a USB-

Jennifer Kinney:

Flash drive.

Missy Bentzen:

... yeah. Or a flash drive. And they're just like, "What is it?" But as soon as you explain what it is, people just take it by the handfuls if they can. So data blockers are definitely a huge hit to prevent juice jacking. I always love that terminology, juice jacking.

Jennifer Kinney:

I love the swag that also has a little lesson behind it.

Missy Bentzen:

Yes, absolutely. Absolutely. And I did learn my own lesson with it though. The first time I got them, I didn't have anything on it to explain it. So my second time ordering them, I had them put in a packaging that explained what it was. So that way they had it as a takeaway to understand it later.

Jennifer Kinney:

Yeah. I had to do the same thing. You have to explain what it is. And if you guys on the line don't know what we're talking about, this is just a little thing that you can plug into your USB charger. And then when you are at a charging station, if you're at a hotel room, airport, whatever that has the free USB charging stations, you can put it in and it won't take any of your data. You get the juice, but it can't take any of your data. Pedro, just put an example there.

Jacob Revord:

I always thought-

Jennifer Kinney:

Yeah, I love data blockers. They're cheap too.

Jacob Revord:

... Juice jacking always reminded me of an '80s body builder. And I always thought it'd be cool if you had a little icon of an '80s body builder with a red outline, it would just be an easy way to reference it. But I think one of the things that we try to do is look for ways to spend money. You talked about speakers, Jenny. There's so many ways that you can get speakers at no costs, looking at vendors that you have that just want to get face time with the company, looking at executives that will bring a draw that will get people to pay attention and listen. It's easy ways to get big names to come talk that you don't have to necessarily pay for.

Jennifer Kinney:

Definitely. And if you're a Living Security client, I do webinars for clients too, by the way. So just throw that out there. Okay, we're running out of time. We want to make sure we have time for some Q&A at the end. And so Charlotte, would you mind putting out the poll about if they're hybrid environment, if people are getting back into the office yet, I don't want to see what's going on with our people? Yeah, I want to know for your cybersecurity awareness month efforts this year, are you guys hybrid, virtual or in person only? I'm going to give this a few minutes so we can see here. Okay. Yeah, I didn't think we get a whole lot of people that were in person only, looks like only one so far. Looks like a pretty even split between virtual only and hybrid, which really fits into some of our audience questions about how do we engage the virtual audience. So why don't we spend a few minutes on that? We really need to get engagement up there, kind of like we were talking about at the very beginning.

Missy Bentzen:

Yeah. And I'm happy to jump in on that one first.

Jennifer Kinney:

Sure.

Missy Bentzen:

Of course in 2020, when we all became a remote workforce, we were forced into how do we become virtual? How do we get security awareness out there? As you're looking within, how can I do more? Living Security, fortunately came up with some nice virtual packages. Because we were with the in person escape rooms and they moved virtually with the escape rooms. That's obviously one key component to some engagement. With the virtual and now even the hybrid, it still is perfect.

Missy Bentzen:

One of the things that I have been saying throughout the COVID time period is I also think there's a silver lining here with COVID in terms of security awareness, that we now are forced to become a better program, to be more thoughtful and mindful of a larger workforce. So to Jacob's point earlier about not really realizing things with our field offices, the remote offices that aren't headquarter, how do you focus in on that? And prior to COVID, I had started a security awareness road show. So I was visiting field offices and able to bring security awareness to them. I was always a bit aware of the field offices not knowing or not feeling involved, but now, when we moved to a remote workforce, we all felt the same way. We all felt like that remote office, not as involved.

Missy Bentzen:

And gearing towards the hybrid environment, that's where you started to think about, what's going to make people listen? And that's where the focus on those home security tips, how are you able to work securely from home? How are you keeping your family safe and secure at home? Able to bring those tips in. And having some conversations about keeping your children safe online. Keeping your elder family members safe online. Because you have to go older and younger when you're thinking about cybersecurity and helping those that don't understand it as well. But the virtual-

Jennifer Kinney:

The more vulnerable parties in our lives. We're giving people valuable education to really help keep them them safe, their family safe, for everybody at home. Yeah, you're exactly right.

Missy Bentzen:

Definitely.

Jennifer Kinney:

Now, there was one, I have to say, I saw the cutest idea ever, because I know we are thinking more about sustainability when it comes to swag ideas and Tasha, my buddy Tasha Johnson Said, they're giving out reusable straws that say, "Reuse this straw, not your password." Even HR would be okay with that one, instead of raising some of the other stuff.

Missy Bentzen:

I love that.

Jennifer Kinney:

Anyway, yeah, that was awesome. Okay. A couple more things, I want everybody to have one little sound bite, everybody in the audience can have one little sound bite they can take away. If there's one piece of advice from each of you experts that they could write down and take away, what would it be? Anybody that wants to go first, anybody that's the most excited about their idea, please share.

Missy Bentzen:

I can go first if you want. Or Kattia, I saw you unmute, so go ahead.

Kattia Solano:

No, it's okay. You can run it too. So go first.

Missy Bentzen:

I put mine on a slide here just to make it easy.

Kattia Solano:

Oh, okay. Awesome.

Missy Bentzen:

These are some quick tips about relationship building, I think not only for CSAM itself, but for your overall program, how critical it is to have key partnerships and sustaining meaningful relationships at work. I broke it down into three critical areas that I think, the first and foremost is communication. Anytime you're starting an awareness program is building those relationships with anybody that sends communication. It's not just your employee communication team for the company wide, but maybe you have regional newsletters, there's a communication for that. Or there's department newsletters. If you have a brand team, making sure you're onboard with brand. So you're not going to have a boo boo later that you have to fix somehow because you didn't stay on par with brand.

Kattia Solano:

Been there, done that.

Missy Bentzen:

If you have employee belonging groups, making sure you're partnering with them, because as I was just noting, the keeping your family safe, whether it's children or your parents, you can partner with an employee group about if you have a families group.

Missy Bentzen:

And then another way to really get some communications out are those office coordinators. So those field offices, how they can help promote different activities and events that you're doing around security awareness month. And then the others, I know we're getting short on time, so I'll just highlight them briefly, but the key groups to partner with in understanding the different risks within your organization. And then the last are your key partners for successful training program, whether it's your compliance team, if you have a learning organization. And then also leadership, making sure you get leadership on board. I've been having these QBR sessions recently where I'm making leadership aware of those training completion rates and how many people complete training past the due date. I think we all struggle with on time completion and as the leaders are more aware of that, then they are able to help support you a little bit better in getting that on time completion. But I'll stop here so that way we can give Jacob and Kattia time too.

Jennifer Kinney:

Great sliding-

Missy Bentzen:

Thank you.

Jennifer Kinney:

... Really amazing points on relationship building.

Kattia Solano:

Yeah, definitely, I agree with Missy, one of the more important things when you're going to start planning the season is trying to making sure which is going to be the communication strategy, and which is going to be your stakeholders. But also during all the year, we communicate with our audiences. And with those information numbers, we'll be able to see the open rates, we'll be able to see in which time we need to send those communications. Also, we can see with the different regional teams and the brand and the corporate, we will be able to see that the communications not only needs to be an email, we can use other channels that the people are communicating every single time. We move in right now and people is chatting every single time. Right? So that Google Chat is going to be another channel of communications.

Kattia Solano:

And also the page that we are going to also write. We have a single page for each language, French, Spanish, and English. When you design the campaign, needs to be in those languages or the key languages that you are going to run in your company. And also it's really important between the balance in the virtual and also in the local, that when you are going to do those activities... Our big hit last year, we will be able to bring the speakers in their own languages. So the people from the Spanish, the Spanish speakers, we will have it. And right now we will be able to duplicate the engagement right now numbers last year, because we will be able to create activities in those regions, in their languages and making sure everything sounds like in their culture and in the way that they will do. That is really key.

Kattia Solano:

Working together with the facilitators, the security regional teams is going to give you the bright idea, which is the things that you need to bring virtually and locally so you can make sure all this effort is going to work for everybody globally? That is really important.

Jennifer Kinney:

Gosh, that's amazing. Yes. Thank you. I actually, haven't heard of getting speakers in different languages for cybersecurity awareness month. That is a great takeaway. And how about to you, Jacob?

Jacob Revord:

I'd go back to my comment earlier, what's the story you're trying to tell? Who are you trying to reach? And what is the meaningful takeaway that you want them to leave with? If we're looking at getting our information to people during cybersecurity awareness month, and that's the first time they've heard of us, then we've already missed the mark. What's the specific story that I want them to take away. Is it that what they're doing in their day to day life at home has an impact on their work? Is it the information that I'm giving them can protect, not just their work life, but their family life? And relating that story to them throughout the year. So carrying the messaging that we put out during October and building on it and integrating with teams so that information, it just continues to grow. Whereas if it's a one time effort, then next October, you're looking at, "Well, what do I do again?" If you continued that operation throughout the year, it's just a seamless process. And after you get used to it, two to three years down the road, you're just continuing your program. You're not restarting everything.

Jennifer Kinney:

Exactly. October should not be the only time people are hearing from us. Yeah. I wanted to talk to you quickly about the community. If you have that poll, Charlotte, with the community, we are always carrying on these kinds of conversations in the Living Security community. I know a lot of you that are here are part of the community, including Missy, you're in there quite often, and then Tasha Johnson with the straw idea, she's one of my ambassadors. So thank you so much. But yes, if you say yes, sign me up here, if you're not already a member, then I will add you to the community if we have your business address. If we don't, let's see, Charlotte, could you just drop in the link to the community in the chat so that you can join that way as well?

Jennifer Kinney:

But we have an ongoing conversation about swag ideas, cybersecurity awareness month, how to engage leaders, how to influence your peers, all kinds of great stuff. And this is curated only for cybersecurity awareness professionals like us, trying to move the needle on human risk and really help change behavior. Now, okay, we'll sign you up. Yeah. I want everybody here in the community. We can all learn from each other, collaborate and inspire each other.

Jennifer Kinney:

I did want to tell you, just while we're on the topic, all of our panelists have alluded to some of the different offerings that we have. So we have started, I guess we started it a couple years ago in 2020, right when everything was shut down and people needed something to do to engage their virtual employees. Charlotte, if you wouldn't mind, gosh, I'm asking a lot of you, could you bring up that slide show so that I can tell people about our cybersecurity awareness month offerings that we have?

Jennifer Kinney:

Thank you for saying the community is so good. I appreciate it. And thank you, Dave, for putting that link in there. Yeah, we've been talking about trying to engage people virtually and how do we do that across geographies? Our theme this year is be secure everywhere, because finally we do have some people, I saw about 50% of you do have people who are going back in the office. We have a lot of people at home. We have a lot of people traveling. This guy's working from a mountaintop, you can basically work from anywhere these days. So we do, as we've been mentioning, want security to be part of your DNA basically, no matter where you are. And I know you want that for yourselves and for your employees as well. So if you are not already a client of ours and want some more information about this, you can reach out to us on our website. And I think we have a link for you there.

Jennifer Kinney:

But essentially you can choose a track or a topic where we have the four most popular ones for our audiences. The number one is social engineering and phishing because it's always changing. There's new threats all the time, smishing, phishing, et cetera. That's our most popular track, but we also have passwords and secure authentication and then a couple other ones. And then this year we have a very cool bonus track, and this is a package of five modules that cover your digital identity, your personal digital identity. And in this one, we're talking about a little bit more future, more present things, not just phishing, but NFTs, how to protect your crypto wallets, explaining blockchain, explaining deep fakes, et cetera. So it's really fun. And this is called The Cyber Race and it looks just like the amazing race. It's very interactive and energetic and you learn a lot in a fun way.

Jennifer Kinney:

We were talking about speakers, you can choose some of our featured speakers. Shawnee Delaney is incredible and she's just one of them. And we also have a ton of pre-written content. Reason we do this, we call these things a campaign in a box that contain emails, chat messages, blog articles, and then training recommendations that align with the topics that we've put together from our content team. I like to write, I'm a writer, but sometimes I'll just sit there and stare at a blank page. Where with this, you can just take one of our pre-written emails and then customize it. You don't have to ever look at a blank page. You can just say, "Oh, okay, this is perfect. I'll just send this out, copy paste." You can take all the credit for it. Please do, we want to make you look good? Or you can customize it with different contacts, et cetera. You would get a campaign in a box to align with the track that you choose. And then also that bonus track with, again, Bitcoin, deep fakes, all about protecting your digital identity. These are things that your employees are hearing about, but may be embarrassed to ask about because they don't know much about it, or if they do, they could know just enough to be dangerous. So it gives you some really great information there.

Jennifer Kinney:

And then if you wouldn't mind just advancing one slide. Like we've been talking about, we want to encourage everybody to share the knowledge with their families. We do have two family friendly options to choose from. One is a mentalist. And then one is an online trivia game. They're both super fun and we have a lot more information including trailers that we can show you if you're trying to choose.

Jennifer Kinney:

And then we are also talking about celebrating success with digital assets. So we'll give you some digital assets. We've got the certificate and the background, like we're all using today, some email footers and some other good stuff. If you need help, I think we're going to be running this for 15 more days. You have 15 more days to sign up, so if we can try to get you started before October 3rd. We would love to help you out, to help you do the heavy lifting and have a successful October.

Jennifer Kinney:

I do want to get back to, I think there were just a couple of questions in the Q&A that we may have time for. And there was one. Let's see. I like this one, we have a couple people asking, David and Scott, "How do you measure success? And what has worked in the past?" This is a lot to unpack in a minute, so we may need to visit this in the community or on LinkedIn or something like that. But how about-

Jacob Revord:

Jenny, I was going to say, success is a much broader measurement.

Jennifer Kinney:

We could spend the whole hour on how to measure success.

Jacob Revord:

You could literally take an hour talking about metrics and recording and data and never scratch the surface. But I think the biggest takeaway from cybersecurity awareness month for your metrics, for your measurements of success, is did the needle change? Do you see any meaningful impact in your annual metrics because of October? And if so, can you pinpoint where that was? Did you see that you did a topic on ransomware and people were cognizant of ransomware three or four months later? Did you do awareness on reporting phishing? Did people start reporting more phishing?

Jennifer Kinney:

Absolutely. Yeah.

Jacob Revord:

So where you can track those measurable and those meaningful changes, allows you to pinpoint what's working well. And then also understand what's not working so well and adapt that for your program throughout the year and then for the next October. But I think you can't look at just, how do you measure success within October? It's how does October impact the success of our program over a year, a two year, a three year span?

Jennifer Kinney:

Jacob, I cannot think of a better way to end this webinar. That was absolutely perfect. Thank you so much. And if you guys want to talk metrics, we have a human risk management platform now that is all about metrics. We would be happy to talk to you about that as well. But Missy, Jacob, Kattia, thank you so much for sharing your experience, your expertise with us. I'm sure everybody got something, either from one of us or from the chat and the audience, which was also really valuable as well. Thank you so much. And again, join the community and we can continue the conversation. And I hope everybody has an extremely successful October and you educate all your people.

Kattia Solano:

Bye. Thank you very much.

Jacob Revord:

Thank you.

Missy Bentzen:

Thank you, everyone.

Jennifer Kinney:

Okay. Thank you so much.