Reaching parts other information security awareness programmes cannot reach
29 March 2019
Show the value of good information security behaviour.
In effect, the number of people in your Information Security team equals the number of employees in the business: everyone is part of it. That means you may have a lot of people to make aware of good information security behaviour.
And while bringing in technology (often at eye-watering cost) reduces risks and eliminates certain threats, it won’t stop the errant employee from clicking that dodgy link or propping open a security door with a box of confidential files because the air-con isn’t working.
Given this, it makes sense to place people at the heart of your information security approach. In essence, you are aiming to change behaviour.
“What? I’m not a behavioural change psychologist!” I hear you cry. That’s ok, you don’t have to be.
What you must do, however, is take a canny approach and get everyone on board right from the start. Borrowing techniques from your Marketing department will help.
The marketing approach – define the value
There are as many definitions of marketing as there are fish in the sea, but the more universally-received ones revolve around value.
One definition I particularly like is: ‘Marketing is systematically communicating your value to people’, where ‘value’ is the positive impact your product or service can create in their lives.
In the information security world, we need to demonstrate the value of good behaviours to our staff. We are seeking to bring about behavioural change by demonstrating the value of that change to the individuals concerned. So, what strategy should you adopt, what pitfalls must be avoided and how do you achieve this desired outcome?
First off, define the value. This can be divided into value to the company and value to employees – both at work and at home.
Value to the company is reasonably straightforward. If information is cared for properly and there are no breaches, there will be no service/production interruptions (with their associated penalty costs), brand reputation damage, loss of business, regulatory fines, legal settlements and so on. The company’s bottom line and its ability to look after its employees are maximised.
For personal value, we must take information security into employees’ lives. Make it clear that good information security behaviour at work can be taken into the home: creating and securely storing strong passwords, avoiding scams and not clicking suspicious links or attachments, to name just a few examples.
Once we are talking to people about personal subjects, we immediately increase their engagement. Using themes related to their family, banking and online shopping shows that every information security behaviour they adopt makes them (and their family) safer – saving them time and money.
Given that Which? estimates online shopping fraud cost the UK £58m in 2017 with over 800 incidents a week, it is not a big leap to understand the benefits of being vigilant online.
How to engage your staff
The message is simple: placing value on your personal data and adopting secure online behaviours will save you from inconvenience at best and financial disaster at worst. But how do you get this across?
Again, no rocket science is involved here. Go back to your Marketing and Internal Communication colleagues (they may be one and the same), who take their audiences on a journey every day. Plan an awareness campaign that uses multiple channels: face-to-face training, videos, e-Learning, merchandising, the whole nine yards.
From working with our clients, we see videos that re-enact real-life scenarios generate a huge impact. There are plenty of examples on YouTube of phishing campaigns, people giving away passwords, hackers secretly obtaining personal data and so on. The trick is to make it personal. Any content that makes someone think: “Wow, I would have fallen for that,” or “I’ve done that,” is priceless.
Being a little more clever, you may want to segment your staff and create content for their specific situation. For example, we find that younger age groups can display less secure behaviour in password management. Or you may want to bring to the attention of your older staff the dangers of fraudsters attempting to steal pension pots. Consider what you know about your staff and tailor content accordingly.
So, big up the benefits!
As I hope you have gleaned by now, the success of helping people understand the benefits of good information security behaviour really boils down to common sense.
By delivering content that resonates with them personally, you are more than halfway to success. Do this regularly and across all relevant channels and you’re over three-quarters of the way there.
Dialogue and education are what it’s all about. By taking a few leaves out of the marketing communication playbook, you can appeal to and – more importantly – grab the attention of your employees, opening their eyes to how they can benefit.
So, while your Information Security team is as large as the whole business, drawing on the expertise and knowledge of your Marketing and Communication teams can enable you to reach those parts of the business that are often untouched.