The financial crisis of 2009 triggered a spotlight that has been shining on organisations’ risk, internal control, compliance and governance ever since.
These issues are increasingly receiving attention and despite the increase in so-called ‘e-learning’, employees are as likely to cause a breach as viruses and other types of malicious threats. Yet employees are just as capable of being turned into a company’s strongest line of defence. Article by Chris Barrington, Managing Director at employee communication agency, blue goose.
One underlying cause for employee vulnerabilities is that information security mechanisms are too often chosen to protect the technology, without considering the impact on the business processes they are actually supposed to protect. In effect they get in the way of “getting the job done”. Put another way, information security and employee convenience appear to be inversely related.
To compound matters, as the threats increase, so does the number of security measures that employees are subjected to. Employees’ negative experience of security reduces their inclination to follow security policies and creates negative attitudes towards security. Organisations, believing that their employees are the problem, attempt to mandate compliance through policies, procedures, mind-numbing e-learning and sanctions. This approach never works; rather, it creates an expensive and ineffective vicious circle that often undermines company culture and values.
Turning employees into a staunch line of defence first requires recognition that employees are the solution not the problem. Then it requires a re-balancing of effort with an equal focus on engagement and not just compliance. This is not, however, a simple matter of improving ‘internal marketing’ or an annual refresher of the compliance training module. Here are nine of the best ways to help employees become trusted allies.
Shifting perception around Information Security means ensuring your message is heard, understood and easily adopted and adapted to by those you want to reach. Employees need to be receptive to your message so it’s really important to engage on their terms, not just yours. Work out what will resonate for each segment of your audience.
Engagement requires making both a rational and an emotional connection to guide employees along the “message received > understood > acted upon” continuum. This means carefully defining the tone and nature of any communications, and having a clear, informed understanding of the prevailing culture and of the personal and contextual nature of Information Security in employees’ day-to-day lives.
If it appears complex, busy employees won’t want to engage with your message. Simplifying takes effort, determination and often ingenuity but it’s always worth it. Try taking a higher level view, away from the dense undergrowth of policy and procedure.
Employees need to understand the risk, their role and the actions they should take. Consider two broad types of communication: Generic communications that set the essential context and focus broadly on “how to think” about information security; and issue-specific communications that focus on “what to do” about defined risks and aspects of security such as working offsite, phishing e-mails and information classification.
To be transformational this approach needs to have defined outcomes, such as a response or a reaction of some kind. Ultimately this has to affect not only what employees think and feel, but critically what they actually do. It has to ‘help make change happen’. This is not about plastering up a set of imperatives or instructions; it is the clear articulation of how employees can do the right thing.
Every organisation has its own mix of cultural norms, a set of established ways that people operate every day, and that includes how communication works. Keep in mind that simply equating employee vulnerabilities with “undesirable behaviour” is wrong. A behaviour that leads to a security breach in one context may be highly desirable in another (for instance, being helpful to customers, or trusting a colleague).
Therefore any strategic planning must always be bespoke and tailored. There is no silver bullet or magic answer. Cut and paste will not work. Careful, informed thinking is needed to integrate the right cyber-security thinking and practices.
Of course knowing about cultural norms and communication channels doesn’t have to mean more of the same. In fact, looking for ways to allow your activities and communications to be engaging might mean challenging these norms. Think about trying to “invade the spaces” that exist both literally, in the business environment, and conceptually, in the gaps in how we think and behave.
Information Security is just one of many topics competing for employees’ attention, and the noise level is often deafening. Not only does your communication need to stand out, it needs to stick. And stay stuck. An effective creative platform should have the creative and intellectual glue to help ensure your communications are distinctive, coherent, compelling and effective.
Successful campaigns are those that recognise that influencing behaviours around a difficult subject is an ongoing challenge. Threats, systems and people change. Information Security needs to be business as usual, and all employees need to be reminded and updated about things – most especially on their pivotal role in doing the right thing.
It’s worth remembering that in most cases the principal goal is long-term sustained behavioural change, not a reactive blip. To have true impact the desired behaviours need to become part of business as usual – the very DNA of the organisation.