Tuesday 24 May 2016

Opportunistic security awareness

I just came across a little mobile-phone-shaped phone security awareness reminder card thing with a fairly direct in-yer-face message along the lines of "You left your phone unattended. I could have stolen it. Instead I simply accessed all the sensitive information on it because it was unlocked and unencrypted ..." The idea, I presume, is for someone (an information security/awareness professional, security guard etc.) to wander around looking for mobile phones left unattended/unguarded in public places, such as cafes or on public transport, leaving the card with the phone.

Personally, while it is tempting to go down that line, I'd be very wary of adopting such sinister overtones in an awareness message. The shock value might work for some recipients but it's basically a threat, a form of coercion with distinctly negative connotations about phone thieves AND careless phone owners, not to mention the security people who printed and left the card. Such negativism and nastiness could cause collateral damage to the security awareness program.

However, a bit of lateral thinking can easily turn the idea into something far more positive.

Get phone security reminder cards printed to a size and shape that people can slip into their mobile phone cases or wallets, and hand them out at awareness events, staff meetings, management meetings and so forth. Glossy labels would work for those who prefer their phones naked. It's not hard to come up with suitable succinct, motivational messages: 'Protect personal information! Use a PIN code, use encryption and remote wipe, don't trust caller ID, be discreet when using the phone in public, keep the security software updated, take backups of anything important, contact 555-SECURITY in case of loss or other concerns' ... that sort of thing. Our customers receive messages like those each month in the 'awareness activities' paper provided in the module, along with other creative security awareness suggestions. Awareness is what we do, after all.

If you have a budget for information security awareness*, you could even get mobile phone cases pre-printed with the awareness messages, preferably discreetly on the inside. Good quality phone cases would be sought-after corporate knick-knacks, making them attractive prizes for awareness challenges, events, quizzes and competitions. Reward those people who show an interest in information security and make an effort to be secure. Be nice to them, support and encourage them. Send out positive vibes about the value of security.

If it works (which implies gathering and analyzing awareness metrics, by the way), it's not hard to extend the approach to pre-printed messages on corporate laptop cases, USB sticks, briefcases/portfolios, wallets, mouse mats, mobile mice, paper pads, sticky note stacks and so on. Just cast your eye over the average desk or cubicle to spot a plethora of places for those motivational messages. Don't forget the screens too: most IT systems can be configured with custom screensavers, pre- and post-login messages, error and warning messages, app screens etc., making them excellent choices for awareness purposes. Work with marketing to brand them with the corporate logo if you like, plus health and safety, HR, compliance, risk and other functions who share our interest in awareness ... but please, please make the awareness content creative and positive.

Think 'inspiration' and 'motivation' not 'coercion'.


* PS If you don't have the budget, I guess you have bigger fish to fry than unattended phones! I'll expand on that depressingly common situation another time but for now take a look at security awareness on a shoestring budget.
