Nobody wants to be the weak security link in the office. Unfortunately, not many people actually think about it. While their intentions are often in the right place, their minds probably aren't.
The question isn't necessarily how to teach your users secure practices, but how to get them excited about it. A tall order, no doubt. Nevertheless, here are a couple of tips to get the office motivated—and maybe even take pride in their ability to keep the bad guys out.
Nothing beats a little friendly competition
Everyone's got at least one competitive bone in their body. It's true. Search long enough, and you'll find that even the most passive people get fired up about something. According to a recent Forbes article, millennials may be even more motivated than other age groups by a little harmless competition. Sometimes it's a specific person they're competitive with, or a unique talent brings out their gaming spirit. Regardless, competition is a common trait you can leverage to spark your users' motivation to be secure.
As competitive as Flonkerton and a three-legged race can be, you'll want to find some security-focused activities for obvious reasons. To do that, thinking like a kid gives you ideas that are fun, competitive, and security-centered. Remember those days of capture the flag on the blacktop? Try dividing the office into two teams and hiding a benign file—the flag—on one person's computer for each team. The first team to collect the other team's flag wins.
This'll help highlight the need to protect against social engineering, as well as general workspace security. Better yet, up the stakes by bringing in a white-hat hacker to be the bad guy for a day, and have your office work as a team to protect the flag.
Host a phishing tournament
Another great way to get the whole office more conscious about their security practices and eliminate the weak security link is to continuously test them. No, not with pop quizzes or boring monthly training seminars, but with a more subtle form of competition.
This time the contest is a little more passive. Let your users know ahead of time that you'll be sending out periodic phishing attempts. This can be done over a day, a week, or even a month-long campaign, and the actual phishing attempts can be carried out through email, text message, IM, or carrier pigeon. Whatever fits your fancy and makes the most sense for your environment.
The rules are simple and can be approached in a few different ways. You can "punish" those that fall victim to your maniacal plans or reward those that resist temptation—even a combination of the two can work. Have those who succumb chip in for donuts on Friday, or offer up gift cards to the quickest ones to spot the attempt. Either way, you're incentivizing vigilant security behavior, which is the point of the exercise.
While these two methods for motivating a culture of security in your office are hardly exhaustive, they serve their purpose well—to highlight the importance of not only exposing your users to healthy security practices, but getting them to actively practice them, as well.