In a previous post we discussed the challenge of communicating security awareness in your organization   Specifically, if your training is a scheduled event you will average no more then 5% show-up rate.  For your training to be effective people need to be able to take it when they want from wherever they want. I mentioned at least four different methods that I have seen work well;  online videos,  blogs, newsletters and stickers. Today I will cover newsletters.   What I like about newsletters is the following.
  1. First, and most importantly people can read newsletters on their own time, this is content they can take anywhere with them, either in digital or paper format.
  2. Newsletters make a great reinforcement method as they can go into greater detail then a video or blog.
  3. Newsletters are very in-expensive to create and distribute.  This is an effective resource you can create yourself.
  4. Be sure to include references, stories or statistics in your newsletter that apply to your own organization.  Recently had a security assessment?  Share some of the highlights of the result.  Recently had a phishing incident?  What did people do right or wrong?  The more information you share specific to your organization, the more engaging your newsletter.
  5. Keep it short and non-technical, I recommend no more then two pages.  It never hurts to have a high-impact image in there.
  6. I suggest distributing your newsletter once a month.  Anything more and it is hard to maintain quality and people get overwhelmed with information.    Anything less and there is too much of a time gap between the reinforcement.
If you do not have time or resources to develop your own security awareness newsletter, consider subscribing to OUCH! This is a free security awareness newsletter developed by SANS senior instructors and a board of editors and translated in over ten languages.  You are free to distribute this newsletter internally as part of your awareness program.