Cybersecurity Awareness Month feels in some ways like New Year’s resolutions. It comes around once per year, and it brings a fresh sense of urgency about committing to positive behaviors, and… about a month later, most of those have fallen by the wayside to be picked up next October.
Cybersecurity resolutions and New Year’s resolutions fail for many of the same reasons. Namely, what drives many to make them is fear, shame, and unrealistic expectations for ourselves in the long term. It’s a recipe for both failure and low morale.
But there are real ways to guide behavior toward positive change, and we’re proud to be on the forefront of effectively nudging workplace teams into higher data security awareness and better behaviors for the long term. Here’s a selection of principles behind our approach to creative cybersecurity campaigns that make a real difference.
Cybersecurity is too often viewed as a “tech” problem, and too much faith is put in tech solutions. Cybersecurity teams are amazing and put in hard work to stay ahead of the latest threats and protect companies behind the scenes. But we also hear exasperation from cybersecurity teams time and time again. With all of the sophisticated technological safeguards and emails sent, workforces at scale are dangerously unaware of how their choices create vulnerabilities or of the small things they can do that make a huge difference.
See: using MFA, reporting suspected phishing, and setting software to update automatically. Cybersecurity professionals are heroes. But more than 60% of cyber breaches are caused by human error. Tech protections alone aren’t enough.
Naturally, communications around cybersecurity usually hinge on fear. The logic seems obvious. If tech and cybersecurity professionals can’t do all of the work themselves, trying to educate workers about the threat and the consequences would seem to be the answer. If we just know what’s at stake, we’ll make good choices, right?
Unfortunately, it’s been proven many times over that it doesn’t work that way—in cybersecurity and many other important but mundane good behaviors. Using negative emotions like fear or shame can be counterproductive. They have their place, but being hit with fear-based messaging over and over doesn’t work for multiple reasons [2]:
Instead, at Sans Serif, we push and pull levers across emotional motivators, and we emphasize the positive: team spirit, healthy competition, protecting others. Taking a holistic approach to what motivates teams, and messaging accordingly, makes all the difference when it comes to breaking through information overload and shifting behavior.
I often reference a Harvard Business Review article titled “Marketing the Brand Inside.” Thoughtful, well-resourced, and creative marketing efforts can be just as important internally—for your workforce—as they are externally for customers. Cybersecurity is a critical case in point.
When it comes to generating revenue, money and time are poured into marketing to target prospects and nudge behavior. But when it comes to the huge risk of loss from cybercrime, companies rarely do the same. Resources are put into specialists and specialized cybersecurity protections, but team-wide behavior—which responds to high-quality marketing efforts—is often ignored.
Flashy, clever, glossy, authentic—it all depends on your brand and your team. But whatever the tone and voice may be, cybersecurity campaigns deserve a full-court press as strategic, targeted, and attention-getting as a go-to-market rollout. Yet another dry email or unassuming newsletter won’t cut it.
If a well-produced marketing campaign is the container, what’s the content? We’ve done a variety of campaigns targeting cybersecurity behaviors, tailored to the audience. Here are a few:
There’s a reason video games are one of the world’s leading forms of entertainment. But the appeal goes well beyond gaming. Goal-driven, engaging, and story-powered, gamification through apps and digital platforms has been applied to athletic training, weight loss, meditation, language learning—you name it. Paired with strategies from the modern marketing classic Hooked, gamification becomes a powerful tool to capture attention and build real skills. It’s a smart way to keep people engaged while leveling up their cybersecurity habits through hands-on practice.
We’ve developed story-driven, gamified cybersecurity campaigns that capture attention and integrate right into the tools workers already use in a digital-first world, like Microsoft SharePoint, Microsoft Viva Engage, and Slack. Automation and third-party plugins make the possibilities endless.
Lower-hanging fruit can require less grand of an intervention but still produce important results. As social media and search-based marketing have shown, something as simple as a reminder at just the right time can convert.
Consider phishing reporting as an example. Most email clients today include a place to report spam or suspicious emails. But they’re easy to miss, and workers usually don’t know just how important they are. Cybersecurity teams often use reporting statistics as a benchmark for awareness and the effectiveness of their efforts.
A simple yet effective intervention? Attention-grabbing banners in a campaign that raise the profile of the button itself and alleviate anxiety or a feeling of futility about reporting. Like gamification, a focused and targeted visual-verbal branded campaign can be deployed across modern digital collaboration tools and intranets. When the behavior you want to shift is clearly defined, this kind of owned-media approach—amplified by smart, standout creative—can break through the corporate noise and make a real impact.
Creating “defaults” is one of the gold standards of psychology and behavior change. Convincing people to make a choice that benefits them, like turning on MFA, can be extremely difficult if they believe a lot of effort might be involved (see complexity above) or the benefits seem distant (see denial above). But once people have done it, or been defaulted into it, they’re unlikely to stop. That’s because, after an initial effort, the benefits continue automatically, and it takes more effort to opt out than to stick with the new status quo. People are extremely unlikely to go out of their way to undo a positive behavior that requires no further effort.
Similar to gamification above—and because defaulting behaviors can be an element of gamification—the key is to create a campaign that pulls people through the steps to better choices and propels them beyond the problems introduced by fear. Make it fun. Make it simple. Make it a matter of responsibility to your neighbor or your family. Target it to your audience and what motivates them. The key is to get them over the hurdle—remember, pairing strong passwords with MFA reduces chances of being compromised by 99%. It only seems scary until you do it. A seriously creative marketing campaign can make that happen.
All of the above strategies are effective but time-limited. Cyber threats are constantly evolving. What works today may not work tomorrow. Like the holy grail of marketing to customers, the holy grail of an internal cybersecurity marketing campaign is to wrap up your audience’s identity with your cybersecurity brand.
To future-proof teams’ cybersecurity behaviors, extended enablement campaigns can help shape perceptions and identity, but they must be consistent and compelling. Transforming a workforce from blissfully unaware of cyberthreats into cybersecurity champions—like turning customers into brand champions—takes time, consistency, and strong, strategic visual-verbal storytelling. It’s a destination that psychology attests to again and again. It’s all about what really motivates people, how they identify themselves, and the norms of their group.
In the long run (thinking of that New Year’s resolution phenomenon again), many cybersecurity behavior efforts fall short because they don’t leverage the principles that psychology—and, for that matter, marketing—know are the keys to success. We know how effective and worthwhile that kind of investment can be because we’ve helped make it happen with some of our longest-standing clients.
We have the expertise and skills to start small or go big on cybersecurity. We proudly consider ourselves at the forefront of the field of cybersecurity campaigning and behavior change. So don’t be afraid to reach out. We love to chat cybersecurity and how we can empower your team to be cybersecurity champions.