The Project Management Triangle states you can only achieve two of the three basic project axes – quality, budget and schedule. For example, a low-quality project can be completed quickly and within budget.
Similarly, sacrificing (increasing) budget means you can complete on time and to the required quality.
But what if you are charged with project responsibility and only given two axes, quality and schedule, to work with? What if you have little or no budget?
In an ideal information security world, all organisations would spend significant time and budget doing baseline research, developing a strategy and deploying a thorough and bespoke awareness training programme, based on learning, communication and engagement. Now of course, the reality is that not all organisations can afford this. Money is not infinite, nor even plentiful for some data-sensitive organisations. In this case, how do you best utilise a small budget for information security awareness?
Let’s look at this through the prism of how decision makers (who perhaps work for a charity or small organisation and/or have minimal buying power) empower themselves to deliver a robust information security awareness programme on a shoestring.
With the best will in the world, you are not going to be able to do everything. So, first assess the lie of your information security land. Are you a national operation with a central office and local branches staffed by low-paid employees and/or volunteers? Or regional with a similar, but smaller set-up? Or local with few, if any branches? How much data does your organisation deal with and what type — commercial, client, sensitive (as defined by GDPR)?
Stick to the basics to help keep the cost down. Provide information security awareness training only in areas that have most relevance to your operation. For example, if you are a charity with many employees located in high street shops, you may want to concentrate on:
If you are a B2B operation working with prospect/client commercial data, maybe add areas such as phishing and using email and the internet securely to the list above.
In both examples, subject areas such as working away from the office and information security for IT developers are probably not relevant and so, while nice to have, are not priorities.
While there may not be such a thing as a free lunch, low-cost online information security awareness training does exist. This channel is surprisingly cost-effective and greatly and demonstrably improves the knowledge of those who take the courses. As well as the accepted benefit of people being able to learn at a convenient time and at their own pace, another major plus point is that with modular online solutions, you can choose training for only the most critical areas of your business (following your ‘take only what you need’ strategy).
Check out The Security Company’s off-the-shelf eLearning solution modules for some low-cost, easy-to-implement options.
When information security concerns move governments, police and other authorities to provide free guidance, advice, materials and training, you know it’s serious. Taking advantage of this official form of help is a no-brainer when putting together your low to no cost information security awareness solution.
The National Cyber Security Centre — part of GCHQ — offers advice, guidance and articles across a comprehensive range of subjects.
The Metropolitan Police offers great practical advice on how to avoid cybercrime.
The Department for Digital, Culture, Media and Sport – a UK Government department – provides free online training for businesses as well as a host of other useful help and advice.
To complement the training you provide, there are free materials available to reinforce the learning. These include posters, infographics, screensavers, videos, and more. Googling ‘free information security awareness training materials’ will show where to find useful material free of charge. For example, this YouTube video powerfully shows the need to maintain your social privacy settings: How private is your personal information?
When it comes to delivering an impactful information security awareness programme on a shoestring, there are three principal areas to consider:
Use online learning as your programme platform — highly recommended for cost-effectiveness
Maximise the use of free guidance and materials – Google is your best friend here ("other search engines are available")
If you would like more information about how The Security Company can help your organisation to enable employee behaviour change with the goal of improving your security culture or how we can run behavioural research to pinpoint gaps in your security culture, contact us here.
© The Security Company (International) Limited 2023