Iceland Security Awareness Company AwareGO. PHOTO: Cybercrime Magazine.

60-Second Videos Prove Effective For Training Employees on Security Awareness

Iceland Based Cybersecurity Training Company AwareGO Making Security Awareness Entertaining and Memorable.

Georgia Reid

Northport, N.Y. — Sep. 12, 2018

If there’s one thing we should all remember, it is to think before we click. But as it turns out, most employees don’t do that. That’s because they haven’t been properly trained on how to detect and react to spear phishing and other types of cyber attacks.

Cybercrime Magazine Reporter Kerry Morgan traveled to Reykjavik, Iceland, last month to visit cybersecurity awareness training company AwareGO. Founded by CEO Ragnar Sigurdsson, CISSP, the company offers a unique and innovative way to reach a diverse audience with videos and a forthcoming app. AwareGO has mastered the formula to get end users to buy into cybersecurity education — and super-short videos are the secret sauce.

Here is the interview:

KM: Can you tell me a little bit about your background and how you got started here at AwareGO?

RS: First I was a computer trainer. After I earned my CISSP and CEH in 2003, I was a penetration tester.

During my time as a penetration tester, I realized that humans are the weakest link when it comes to breaches. They were back then, and they still are now.

I would be doing PowerPoint presentations telling people what they should be doing online to stay safe, and I constantly felt as if I was sucking the life out of them with my slides. Nobody cared. It wasn’t interesting enough.

I thought to myself, “there has to be a better way to do this,” and in 2007 we created our first security awareness pilot episode at AwareGO. It was 15 minutes long.

KM: How has AwareGO changed since 2007? It seems like you’ve really hit your stride and found the right format to present these videos now.

RS: That’s right. We kept tightening up the videos, from 15 minutes, and then twelve episodes that were each 8 minutes long. We ended up cutting the videos down to 3 minutes, and then by 2012, we cut the videos down to 1.5 minutes.

Once we cut the videos down to 1.5 minutes, that’s when we really started to see the sales taking off — we found the length of the video was a huge factor. 

Today almost all our videos are under 60 seconds, some are even just 30 seconds.

If people feel like they have to sit down and watch a long video or take a long course, they’re less likely to actually do it. No one wants to feel like they have to postpone things in our busy daily lives to watch one of these videos.

KM: What are your videos about? What is the main takeaway someone gets from them?

RS: Our main mission is to make memorable messages that stick in people’s minds when it matters the most — that is what we’re trying to do with our videos. Think of these short films as, essentially, advertisements against bad behavior on the internet. So if users know the videos are shorter and they don’t have to put off important things to take the time to watch, it makes it much easier to sit down and do it. I like to say that everyone has one minute to learn something. 

KM: What kind of understanding would you estimate the average corporate worker has about cybersecurity?

RS: I believe they think the ‘IT guys’ are taking care of it. Most think they don’t need to worry about it and they’re safe behind some firewall, but the bottom line is a lot of times they think they are protected when they’re not.

KM: Do you think companies are doing enough when it comes to security awareness training for their employees?

RS: I think companies can always be doing more. Security awareness is getting way more exposure now than it used to, and especially now that the GDPR has made security awareness mandatory for companies.

KM: What do you think is the most important thing about security awareness?

RS: I would say to strengthen the overall security of the company. You can never be one-hundred percent secure but you can increase the overall security functions of a company’s network. It is a combination of security training, anti-virus programs, and a solid firewall, all together.

KM: How would you describe your main customer base and where can they find out more?

RS: Traditionally, our customer base has been large enterprises.

We have been branding to small sized businesses recently. And in the near future, we are launching an app to serve micro-businesses and individuals, and it can be bought right in the app store. Through this app, anyone can take the security awareness training and receive certifications.

Now, users can also try and buy our product online without talking to a salesperson. You can just directly go online and purchase. On our website, we offer free trials for up to 500 users, offering a system test and videos. This was just released in August 2018.

KM: How has the GDPR affected your business?

Everyone. Because of the GDPR, if you handle Personally Identifiable Information (PII), no matter your company size, you need to comply. Increased business for AwareGO can be attributed to the GDPR – and not just from European companies, but also from US and Asian companies that handle European PIIs.

KM: What is the best piece of advice you could give a corporate employee to be more secure?

RS: Think before you click. Our videos are the same as commercials on TV telling you to put your seatbelt on, or not to text and drive. It’s nothing that people don’t know, but rather something they need to be reminded regularly to realize the severity of the risks.

KM: What do you think the future holds for AwareGO and Iceland?

AwareGO has focused a lot of efforts in Iceland and we have had a lot of success in doing so. We provide service to banks in Iceland, all municipalities, many government bodies, tax authorities, and more. We have 35,000 users in a country with a population of just 350,000 – and we expect to reach 45,000 by the end of the year, primarily because of the GDPR.

Kerry’s Review: The online and app version was very user-friendly. It’s a simple program for the user and administrator to use. Admins for the customer company can see all of the users’ (employees’) activity and where they are with the videos. Admins can also send out reminders or campaigns to some or all departments (i.e. the HR department of a company reminding them to take their courses and training videos). At the end of the video, there is a short quiz for the user to take. You receive a certificate after you complete your training.

– Kerry Morgan is a Cybercrime Reporter for Cybercrime Magazine.

Georgia Reid