Most of our customers are multinational companies employing people worldwide. These customers often encounter resource limitations related to reaching out to their distributed employees and engaging them with security awareness. Such limitations take the form of fewer face-to-face meetings (especially during the past couple of years), less customized content, and a lack of familiarity with other cultures and their cyber risks.
We find that there is almost a direct correlation between the distance from a company’s headquarters and compliance with internal operating procedures. This isn’t new, of course. Knowledge transfer is a widely recognized problem in the world of knowledge management. (For those of you who want to learn how to make knowledge more transferable and eliminate some of the barriers related to knowledge diffusion, we recommend reading ‘Sticky Knowledge’ by Prof. Gabriel Szulansky).
When designing security awareness training (especially phishing simulation campaigns) for multinational companies, there are numerous pitfalls to avoid and considerations to be made. Here, we will discuss first the pitfalls and then outline the options lying ahead of you when operating such a program.
It’s the first day of launching an awareness training program, and already you have two responses from senior managers abroad. What a great way to start! You dive into the first email. It’s from a colleague in the Russian branch asking you if you’ve coded the landing pages yourself. You look at the attached screenshot, and you’re in shock. It’s not what you created. Apparently, the Russian translation is much longer than in English. The outcome: misplaced header borders, giving the page an amateur look.
With some apprehension, you proceed to the next email from a colleague in Israel asking you why all the training content addresses men only when the local workforce is 56% women. You’re taken aback. You? Discriminating on gender? How were you to know that there are languages that are gendered by default?
When writing training content, there are a few critical guidelines to follow:
1. The content should be eloquent, it should be free of grammatical errors, and use an appropriately professional tone.
- The recipient should find the content clear and to the point, regardless of their education level or reading habits. The language used should not be too ‘high,’ nor too ‘low’.
- The content should be as personalized as possible. Personal messages are more memorable and have more impact on recipients.
- The positioning of the text within the designed page should be proportional and aesthetic according to best practices.
2. In gendered languages where the male or female form involves different words, every effort should be taken so that content does not discriminate based on gender.
Following these guidelines is admittedly difficult; adapting them to different languages is another challenge altogether. Let’s consider eloquence, for example. Most translators know that translation is a compromise between adhering to meaning and adhering to style. In most cases, achieving both is nearly impossible. Keeping translated material both personal and non-discriminatory while translating the text into different languages also requires significant skill. Even design presents challenges: the characters of some Asian languages take up only a third of the space required for some European languages, for instance, so that placeholders that fit certain Asian languages perfectly might seem overcrowded in the case of European languages.
Working hours and holidays
You’ve been reviewing the results of your latest multinational phishing campaign. The results show actual improvement, especially across some European countries. Two months later, you see an unexplainable increase in individuals falling prey to phishing activity within those specific countries that had shown the greatest improvement. Baffled, you call an overseas colleague, only to learn that your earlier campaign landed in employees’ inboxes during their vacation. As a result, click rates plummeted.
It’s safe to assume that there are working days and non-working days in every country. Although hackers aren’t known for caring much about employee well-being, it is of primary concern to you when engaging your employees in security training. In some cultures, for example, it may be common practice to send employees emails over the weekend or on holidays, whereas in other countries, this might seem offensive. Every good training program has to factor in such elements. Remember: you can only control the training, not the learning. For learning to occur, employees have to be in the right mood—and in some cultures receiving an email at 10 pm will not result in a good learning experience, whereas in others it would be totally acceptable.
One of our favorite phishing simulations involves offering free coffee in our totally fake coffee chain. Employees often do need a shot of coffee and there’s nothing like some delicious free java to bait them into clicking a link. But how do you localize such a simulation to countries in which coffee chains are nonexistent, or perhaps, where coffee pales in comparison to tea? Similarly, if you reference the US elections in a phishing simulation, it won’t have the same effect in your US branch as well as in your Polish branch.
Beyond this, how do you translate brands: globally, or locally? Should you use a local language transcript? Is it better to use the translation or keep the brand’s name in its native tongue? Each of these parameters impacts simulations’ effectiveness, as well as their respective training content.
But localization goes beyond just phishing simulations. Issues such as content design might require much more delicate handling. Is your punchline offering too much of a punch? Are you subtle enough? Or are you too subtle? Some cultural elements involve the local context, and some, the corporate context.
Here’s another scenario for you. Let’s say that before launching your first security training campaigns for your company’s two largest offices—in Beijing and in Johannesburg, respectively—you asked a colleague for advice. That was a close call. The bold red banner you planned to use in China won’t go over very well in South Africa, where red is a color of mourning.
How you incorporate color into the layout of your design, and the deliberate placement of key elements in your layout has an impact on employee sentiment and engagement. Color theory references offer some perspective into emotional connections to colors from a western perspective; however, you’d be wise to consider that colors in different cultures are interpreted differently.
Email and website heat map tools provide a visual representation of how a reader experiences your digital content. These use sophisticated software that tracks a user’s cursor and display corresponding “hot spots”, which are spots where the reader spends time and clicks, and “cold spots”, where the reader ignores them.
6 Tips to Avoid Challenges in Your Global Security Awareness Training
Now that we’ve outlined the possible pitfalls and considerations, here are rules to make your life easier:
- Avoid the One-size-fits-all content: Are you shipping the same training content to all of your satellite offices all over the world? You might save time up front, but it’ll lead to huge headaches later on.
- Pay Attention to Design Elements: Use wide content placeholders; shorter content looks fine in a single row, whereas longer content becomes unwieldy if the placeholder’s height exceeds its width.
- Invest in Content Translation: Work with high-end translators and create a style guide that reflects your expectations. When developing content for a new language, always ask a local representative to review it to be sure you haven’t missed anything.
- Research Local Elements: Do you conduct in-depth research, make sure you use local names and currencies and references to relevant events when localizing your phishing and awareness training content?
- Utilize Short Text in Video: Imagine your videos with short and long texts. Make sure that the majority of the text is located in parts of the video that allow flexibility (that would usually be in the upper or lower ‘third’ of the video)
- Adjust Working Hours and Holidays: Always consult human resources on appropriate timing. It’s a smart move to consult them as part of a multinational enterprise (as our customers are), but it’s especially important to make sure you have the HR policy accessible when planning your security awareness training program.
CybeReady’s autonomous training platform embeds all translation and localization elements into the program so your team can achieve maximum employee engagement with no effort. To find out why global companies worldwide choose CybeReady, meet our team for a short product demo.