"We like to run contests because we know users don't just want to learn," says Brian Osterman, risk analyst. "We try to gamify it and increase the competition so it's actually fun."
5. The Simple 'Thank You'
At safety science company UL LLC in Northbrook, Ill., there are no cash rewards for security-minded behavior. But when an employee spots a very high-risk phishing scam and is one of the first people to respond, the security team gives them validation by sending them a thank-you note and copying their supervisors, the head of the business unit and occasionally the CEO. "That goes a long way," says Steve Wenc, senior vice president and chief risk officer.
UL developed a behavior-focused security education program designed to help its nearly 11,000 employees recognize phishing messages and quickly report them to UL's security team. The program has created a crowd-sourced "human firewall." On a daily basis, UL employees are spotting new attacks, reporting them -- often within minutes -- and enabling UL's security team to quickly take steps to block the attacks, alert other users and remediate infections.
Since the project's inception, incident reports have increased from 10 a month to over 1,000, and UL reports a 19% decrease in virus-related incidents.
"We appreciate what they're doing," Wenc says. "When they spot [a scam] that has impact on the company, we tell them, 'You saved your colleagues and our customers from an attack.'"