Teach workers the indicators of a compromise and have them report potential incidents. For example, if you are running phishing assessments internally, do not just track how many people fall victim; also track how many detect and report the attacks, and how quickly the first report arrives. An organization whose people report a phishing campaign within minutes is far stronger than one that only knows its click rate.
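To make that measurement concrete, here is an added example (not code from the article or from SANS) that scores a phishing simulation on both axes. The log format, the user names and the timestamps are constructed for illustration; it assumes you can export per-recipient "sent", "clicked" and "reported" events from whatever tool runs your campaign.

```python
from datetime import datetime

# Constructed sample log for one internal phishing simulation (not real data).
# Each row: (user, event, ISO-8601 timestamp); events are "sent", "clicked", "reported".
CAMPAIGN_LOG = [
    ("alice", "sent",     "2024-03-04T09:00:00"),
    ("bob",   "sent",     "2024-03-04T09:00:00"),
    ("carol", "sent",     "2024-03-04T09:00:00"),
    ("dave",  "sent",     "2024-03-04T09:00:00"),
    ("erin",  "sent",     "2024-03-04T09:00:00"),
    ("frank", "sent",     "2024-03-04T09:00:00"),
    ("alice", "reported", "2024-03-04T09:04:00"),  # reported without clicking
    ("bob",   "clicked",  "2024-03-04T09:10:00"),
    ("carol", "clicked",  "2024-03-04T09:12:00"),
    ("carol", "reported", "2024-03-04T09:15:00"),  # clicked, then reported anyway
    ("erin",  "reported", "2024-03-04T09:20:00"),
    ("frank", "clicked",  "2024-03-04T09:30:00"),
    ("frank", "clicked",  "2024-03-04T09:31:00"),  # second click by the same user
]


def _ts(value):
    return datetime.fromisoformat(value)


def campaign_metrics(log):
    """Summarise a phishing simulation by who clicked AND who reported.

    Users are counted once regardless of how many times they clicked or
    reported. Time to first report is measured from the campaign send time,
    because the first report is what lets the security team start responding.
    """
    recipients = {user for user, event, _ in log if event == "sent"}
    if not recipients:
        raise ValueError("log contains no 'sent' events")
    clicked = {user for user, event, _ in log if event == "clicked"}
    reported = {user for user, event, _ in log if event == "reported"}

    send_time = min(_ts(t) for _, event, t in log if event == "sent")
    report_times = sorted(_ts(t) for _, event, t in log if event == "reported")
    click_times = sorted(_ts(t) for _, event, t in log if event == "clicked")
    first_report = report_times[0] if report_times else None
    first_click = click_times[0] if click_times else None

    return {
        "recipients": len(recipients),
        "click_rate": len(clicked) / len(recipients),
        "report_rate": len(reported) / len(recipients),
        # The population most worth follow-up training: fell for it and stayed silent.
        "clicked_never_reported": len(clicked - reported),
        "minutes_to_first_report": (
            (first_report - send_time).total_seconds() / 60 if first_report else None
        ),
        # True when someone raised the alarm before anyone had clicked.
        "reported_before_first_click": bool(
            first_report and (first_click is None or first_report < first_click)
        ),
    }


if __name__ == "__main__":
    for name, value in campaign_metrics(CAMPAIGN_LOG).items():
        print(f"{name}: {value}")
```

On the constructed log, half the recipients clicked and half reported, but the first report came four minutes after the send and before the first click, which is the number a detection team cares about; the two users who clicked and never reported are the ones to follow up with.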
5. It's simple
Many people I work with assume that creating an awareness program is simple. If your only goal is compliance, then yes, awareness programs are simple. But if you want to effectively reduce risk by changing human behavior, you need to have a plan. Specifically, you need to identify who you are targeting in your program, what changes in behavior reduce the greatest risks to your organization, and how you will engage and communicate those changes in behaviors.
One of the most common obstacles to effective awareness programs that I see at companies is that they do not know where to begin. You can find a complete set of free planning resources developed by the community, for the community, on the SANS Securing the Human website, which includes a poster that documents each step to take and provides all the templates and checklists you need to build your program.
I'm a huge fan of awareness, and I have seen the tremendous impact it can have. However, until we as a community start securing the Human OS, the bad guys will continue to have it easy. Technology alone can only go so far.