Ongoing activities: Reinforce and Reward

Ongoing activities

In the first 8 weeks your communication activities and user activations (as outlined in the article Post Launch / After First 8 Weeks: Ongoing activities - Reinforce and Reward) have allowed you to activate many of your employees to participate in the training. Now that your employees have gotten more used to the training, it is time to plan your ongoing communication activities around phishing security awareness.

Hoxhunt has developed a few easy-to-share tools that you can use for ongoing communication practices around interesting updates from the cybersecurity awareness space to build and enhance your awareness culture and engagement. These tools work well in further motivating your users to start the training and stay active in the training. 

You can find all the materials referred to below in Sharepoint

 

These tools include:

  1. Best practices for recognizing and rewarding employees

  2. Hoxhunt Off The Hook - Threat Stories

  3. Cybersecurity Newsletter (Template)

  4. Hoxhunt Challenges
  5. Your own Awareness Workshop

 

Suggested timeline for ongoing activities

Screenshot_2022-01-05_at_15.28.10.png

After you have finalized the general communications and user activations as outlined in our Post-Launch / First 8 Weeks: Encourage your employees to participate in the training article, it’s good to start mapping out your ongoing communication activities.
 
Hoxhunt's engaging training runs on a quarterly basis, which makes quarterly recognition and rewarding the most appropriate. Building your communication strategy around a quarterly cycle is recommended for the most effective reach and security culture development, but you can build your own communication and recognition plan to fit with your resources and channels. 

Your first full quarter after your first 8 weeks is a great place to start setting some core communication guidelines in place. Consistency is a cornerstone of any successful communication practices, and therefore it's important in building and improving an organizational security culture. See the above recommended communication timeline and plan for inspiration, and read further to understand more about the methods that can be used.

Feel free to pick and choose the content that you think your employees would be interested in and build your own ongoing communication activity that fits your organization’s culture.

 

1. Best practices for recognizing and rewarding employees

What does user recognition and rewarding mean? Recognition means giving praise to user groups (employees) about their training engagement (e.g. on-boarding, star count), whereas rewarding means including a reward with the recognition.

The reason we at Hoxhunt separate between the two, is that we have customers where rewarding practices are well established and widely used in a wide array of use cases, and customers where individual rewarding is not a part of their organizational culture. Whatever your organizational culture may be, you can still give praise to your employees for making a difference and encourage them to actively participate in the training and keep on reporting suspicious emails, either with or without rewarding practices. This will embrace the culture development as the main goal is not only to make your employees to understand the challenge of security but also for them to actively participate in protecting your organization from cyberattacks.

Implementing some type of recognition or rewarding practices lets the users know that their contribution has an impact on building security awareness in your organization, and that you are grateful for it. All positive updates and announcements addressing successful user groups or individuals to showcase a positive change in the overall cybersecurity awareness within an organization is an opportunity for recognition or rewarding. 

 

Why is it important to recognize or reward employees?

In general, recognition encourages users, teams and locations to stay engaged and active throughout the training. Recognition strengthens a sense of community and drives healthy competition which in the long-term, together with the Hoxhunt training, can strengthen a positive cybersecurity culture change. Including the additional encouragement of rewarding also strengthens the perception that there is something in it for the employees, beyond building a positive cybersecurity culture.

 

When should you recognize or reward users?

Hoxhunt's gamified training runs on a quarterly basis, which makes quarterly recognition and rewarding the most appropriate. That said, you may also use a bi-quarterly, once a year, or another cadence of your choice to recognize or reward your employees. 

In terms of if you would like to recognize or reward employees, it will come down to your company culture. If rewarding does not feel right for your culture, you can also recognize users publicly for their great effort.

 

Who should you recognize or reward?

You can recognize or reward anyone taking part in the Hoxhunt training!
That said, when your employees are not anonymous per default, Data Inspector in Hoxhunt Insights allows you to determine TOP employees based on different metrics that you can use to reward your employees (read more on how to pull these reports in our knowledge base):

  • "TOP stars collected" (during the training)

  • "TOP suspicious emails reported" (outside the training)

  • “Raffle” choose among all users active in the training to promote activity over having to be the best in the training

Organizations that have all users anonymous per default, can recognize user groups based on available organizational information, for example based on department and country location, as user specific recognition is not possible due to employee profiles being anonymous. Ask more about quarterly top country, department or site reporting from your Customer Success Manager or support@hoxhunt.com.

 

If we decide to reward our employees, what should the reward be?

The reward should be something that fits in with your organization's culture, but most importantly the reward should be something that your employees get excited about. It could be an event or restaurant voucher, gym membership, food delivery voucher, movie ticket, or any other recreational gift that your employee would appreciate. Some companies give out bottles of sparkling wine and some give the top performing employees an additional paid day off.

This is where you get to be creative with choosing a reward that works for your organization!

 

Does Hoxhunt provide any rewards?

Hoxhunt provides a certificate template which you can use when rewarding users, you can find it in our Post-Launch Communication Materials in Sharepoint. Hoxhunt also has stickers and other merchandise that can be shared to users. Ask more about it form your dedicated Customer Success Manager or through support@hoxhunt.com.

 

What is a rewarding ceremony?

Rewarding and announcing your winners in a ceremony brings a little extra excitement to your cyber security awareness training, and that is why we highly recommend it!

The ceremony can be as simple as a 5 minute slot in your company All Hands or part of a weekly meeting. Ask you Customer Success Manager for more information.

 

Does Hoxhunt have any material to share?

Yes, please take a look at our Post-Launch: Communications materials (link in the beginning of this article).

 

2. Share Hoxhunt Off The Hook - Threat Stories

The Hoxhunt content team keeps a keen eye on what we are seeing “out in the wild” - be that of topics discussed in the media or within real reported phishing emails. Our team curates blog posts called Off the Hook -Threat Stories where they tell the tales of trending or "never seen before" phishing campaigns, tricks, and strategies cyber criminals are using.

You can subscribe to the Hoxhunt blog or just bookmark the Off the Hook - Threat Stories Archive to keep up with the latest threat stories. You can then share the content with your employees and/or IT and security teams in your preferred channel such as internal social media (Slack, Yammer, Teams, Hangouts, etc), email or highlight a new threat story in a company all hands.

The Off the Hook - Threat Stories are an effective and fun way to keep cybersecurity awareness topics on top of your employees minds. They give context to the real challenge and threat of phishing through examples, which helps in engaging users for security topics and reporting, and ultimately improves your organization's security culture.

 

3. Cybersecurity Newsletter (Template)

The overall cybersecurity awareness culture is reinforced through frequent reminders of why it is important for your employees to participate in the training and report suspicious emails. Therefore for the ongoing communication, it's recommended to implement a Cybersecurity Newsletter to help communicate different security topics to your employees along with Hoxhunt training results. 

 

The newsletter can include:

  • Statistics from the Hoxhunt awareness training: This allows you to give regular feedback and evidence to everyone that they are a valuable link in keeping the organization secure by reporting suspicious emails and participating in the training. Users tend to be interested not only how their own training is going, but also how their organization is performing in general. Some key CxO report data that could be shared:

    • On-boarding rate (general and country level) - this to engage users to start who haven't already seeing that majority of their colleagues already have
    • Organization training statistics (success, fail, miss) - this can work as a tool to encourage users to report more and miss less
    • Microtraining statistics - this to promote microtraining moments as part of the training and collecting stars.
  • Statistics on reported suspicious emails (phishing and/or spam): This allows you to give context of a greater challenge of phishing by reporting the reported threats numbers, as some employees rarely see phishing emails due to their less risky job role. That still doesn't mean that they won't ever receive a threat, which is why they need to understand the challenge to be able to fully motivate them. Additionally, sharing real threat numbers highlight how the active reporting of suspicious emails is helping to strengthen your human firewall and keep the organization and your employees safe from external threats.

  • Examples of real phishing campaigns that have targeted your organization: This allows you to raise awareness about phishing through real examples of phishing campaigns that have been targeting your organiztion and employees. You can for example highlight the volume, by mentioning that your employees reported 400 phishing emails in this campaign, which your cybersecurity team then analyzed and took steps to prevent the cyber criminals from targeting your organization further with this specific phishing campaign. Once again, this brings context and builds importance to taking part in the training.

  • Recognizing and rewarding users: Highlight employees who have performed well in the Hoxhunt awareness training or who have done well in reporting suspicious emails. Recognizing employees for doing well with reporting either simulations or suspicious emails gives them additional motivational boost to continue with their excellent actions, and it motivates others to do better too, as other employees see that the participation is appreciated.

  • Include a Hoxhunt Off the Hook - Threat Story: Highlight currently ongoing phishing campaigns out in the wild. Not only does this increase the overall cybersecurity awareness around phishing in your organization, help bringing context to the importance of security awareness, but also showcases the types of real phishing emails your employees can look out for in their inboxes.

Hoxhunt Challenges:

Hoxhunt Challenges are a fun way to increase employee cybersecurity awareness in a fun and engaging mini game setting. You can make a security awareness calendar and promote different security awareness topics one at a time in your internal communication. Linking the relevant Hoxhunt Challenge to each topic is a way to learn more and test your skills in a fun setting. 

 

Your own Awareness Workshop:

Awareness talks always have a great impact due to their high engagement and varied content. It is a direct way to raise awareness and capture the attention of employees. So, if you have the opportunity, include content about Hoxhunt in your internal event or cybersecurity workshop.

 

What Hoxhunt topics can you include?

  • Training statistics so far
  • The most failed simulations and how they could have been detected
  • The impact of clicking on real phishing scams
  • Why it is important to report and how
  • How to detect a fraudulent email
  • Why Hoxhunt is so awesome

Questions or feedback?

If you have any feedback or questions about our post-launch communication templates and visual elements, please reach out to your Customer Success Manager or support@hoxhunt.com

 

Was this article helpful?

3 out of 3 found this helpful

Have more questions? Submit a request