NorthGRC Blog | GRC, compliance and cybersecurity

How to make compliance interesting. A guide to awareness campaigns

Written by Lone Forland | Jun 9, 2015 2:15:00 AM

Once you have read my article, you will have a good idea of how to approach your compliance awareness campaign. You will get concrete advice on choosing topics, forming alliances, and measuring the effectiveness of your campaign.

 

Compliance is hardly known for being the world's most interesting topic. In the eyes of many, it is time-consuming, limiting, and boring. 

 

A run-down car can get purple fringe tail lights, 30-inch fins, and a Palomino dashboard - and become Greased Lightnin'. Similarly, you can give compliance a makeover in order to make the topic more accessible, relevant, and exciting.

This is what you do:

  • Get the support of the management
  • Choose the right topics
  • Meet people where they are 

The support of management

 

You must first and foremost ensure the involvement of the management. There are two reasons for this: 

 

For one thing, the employees should hear from the management why compliance is important. The message then carries more weight.

 

For another thing, awareness campaigns are not free. They cost the organisation time. You will only get the resources you need if you make it clear to the management why you need a compliance awareness campaign. If a compliance audit has resulted in findings and recommendations or if you need to follow ISO 27001/2, NIS2, or any other standards, you will have a compelling argument.

 

Awareness is a requirement under ISO 27001 and ISO 27002, so there is no way around it. A focus on compliance can furthermore save you time and money. Both your finances and your image take a hit when a user error causes a data leak or system breakdown.

 

Moreover, awareness is about communication. If this is not your strong suit, you should become good friends with your communications or marketing department, if you have one in the company. They will be able to help you contact us in a language the employees understand.

 

Want to move beyond checklists and build a real security culture?

 

Most organisations treat security awareness as a one-time exercise. This post looks at how to make compliance a living part of your culture — not just a box you tick once a year.

 

Read: From Static Checklists to Resilient Cultures — The New GRC Frontier →

 

Choose the right topics

 

With the backing of your new allies, you should now determine the areas your awareness campaign should focus on. There are many topics to choose from, some heavier than others, and unnecessary information needs to be removed. 

Consider the problems you have experienced due to user ignorance. A few examples may be:

  • Guests to the company are not registered when they arrive, and they walk around without access cards.
  • Documents with confidential information are lying around in an unlocked room.
  • Sensitive personal information is not sent through secure email (encrypted).

If you are unsure of anything, get hold of HelpDesk or IT support if you have those functions. They can tell you what employees most often ask about and what they are unsure of. You can also consider whether you recently began using new systems or performing tasks in a new way. Have the employees become familiar with this, or are there many mistakes?

 

You will possibly find more problems than you can address in a single awareness campaign. Focus on the most important parts and save the less important ones until your next campaign. We must ensure we use simple, powerful messages. Prepare short campaigns with simple themes, and then run campaigns more often. 

 

Does your awareness training actually change behaviour?

 

Completion rates look great on paper — but our Nordic survey shows 25% of employees say annual training hasn't changed their behaviour at all. Find out why, and what to do instead.

 

Read: Why 95% Training Completion Isn't the Same as 95% Security →

 

Meet people where they are

 

Now you need to go out and meet people where they are. The employees sit at their computers, eat in the cafeteria, and attend Friday morning meetings. This is where you should meet them. One way to do this is by means of:

  • Happenings - Little funny things that get people talking. This can involve small figures or other items placed on employees’ tables, or handing out chocolate bars in exchange for their agreeing never to share their passwords with anyone. The possibilities are limited only by your imagination, and it does not even have to be especially expensive.
  • Messages with good advice - E-mails that briefly describe a problem area and how the employee should act.
  • Postings on the intranet - Again: make them short and useful. Once the posting is read, the employee shall know precisely what he should (or should not) do and why it is important.
  • Posters in the cafeteria - The posters make employees aware of the campaign and get the employees (hopefully) to talk about why compliance is important.
  • Morning meetings - If everyone is assembled for a weekly morning or Friday meeting, you can try to squeeze in a little speech of your own.
  • Quizzes - A quiz has the benefit of involving the participants. Put up some wine or chocolate as a prize to the employee or department that does the best.

An employee awareness quiz can also demonstrate to management that your awareness campaign has had an impact on people. Set a realistic goal for yourself. If half of all the employees take the quiz, you have done a great job! A quiz also shows you the areas where your employees need more training.

 

So, can you make compliance interesting? You can at least go a long way toward making it accessible, relevant, and engaging.

 

Awareness Is More Effective When It Is Part of Your GRC Programme

 

Many tools can help you deliver awareness training. The challenge is often proving that awareness activities align with your compliance programme and can be documented during audits.

 

With NorthGRC, awareness is integrated directly into your Governance, Risk, and Compliance framework. You can create your own awareness campaigns and quizzes, monitor participation and results, and document employee understanding of relevant policies, procedures, and compliance requirements.

 

The platform also includes a library of compliance-related questions and answers, making it easier to build targeted awareness activities that support frameworks such as ISO 27001.

 

Learn More About the Awareness Module  →

 

With NorthGRC, awareness is an integrated part of your compliance setup. By managing policies, controls, and awareness activities on a single platform, you create a clear link between compliance requirements and employee behaviour. This eliminates the disconnect that often exists between training systems and compliance management tools.

 

The result is a more structured and auditable approach to human risk management, where awareness is documented as a control rather than a separate activity.

 

 

Ready to turn awareness into a natural part of your GRC programme?

NorthGRC makes it easy to plan, run, and track compliance awareness campaigns — from quizzes and training to management reporting. See how we can help your team make compliance stick.

Book a free demo Explore the platform