Cyber-security: 10 ways to convince your people to take it seriously

23 May 2016

It’s hard to motivate your team to think about vulnerability management and IT security, so here are 10 management tips to make your people realise that they are your first line of defence

Guest blogger Chris Barrington

Despite popular myth, much cybercrime actually originates with an organisation’s weakest link: its employees.

Yet employees are capable of being turned into a company’s strongest line of defence.

Whilst a basic level of understanding might be sufficient to prevent the lapses in adhering to rules that are often the root cause of breaches, well-informed and motivated employees are capable of creating an IT security environment based on commitment and not just ‘compliance’.

The key issue is that many employees perceive information security as onerous. And if information security is introduced in an overly directive manner, it is likely to be counter-productive, heightening rather than reducing organisational risk. As a consequence, shifting cyber security from prescriptive and dull to engaging is vital, and it hinges on employee communication. This is not, however, a simple matter of improving ‘internal marketing’ or an annual refresher of the compliance training module.

Turning employees into a staunch line of defence requires a number of strategic approaches; here are ten of the best:

1. Resonating: Shifting perception around Information Security means ensuring your message is heard, understood and easily adopted and adapted to by those you want to reach. Employees need to be receptive to your message, so it’s really important to engage on their terms, not just yours. Work out what will resonate for each segment of your audience.

2. Connecting: To engage requires making both a rational and an emotional connection to guide employees along the “message received > understood > acted upon” continuum. This means carefully defining the tone and nature of any communications, and having a clear, informed understanding of the pervading culture and the personal and contextual nature of Information Security in employees’ day-to-day lives.

3. Simplifying: If it appears complex, busy employees won’t want to engage with your message. Simplifying takes effort, determination and often ingenuity, but it’s always worth it. Try taking a higher-level view, away from the dense undergrowth of policy and procedure.

4. Messaging: Employees need to understand the risk, their role and the actions they should take. Consider two broad types of communication: generic communications that set the essential context and focus broadly on “how to think” about information security; and issue-specific communications that focus on “what to do” about defined risks and aspects of security such as working off site, phishing e-mails and information classification.

5. Action-oriented: To be transformational, this approach needs to have defined outcomes, such as a response or a reaction of some kind. Ultimately this has to affect not only what employees think and feel, but critically what they actually do. It has to ‘help make change happen’. This is not about plastering up a set of imperatives or instructions, just the clear articulation of how employees can do the right thing.

6. Integrating: Every organisation has its own mix of cultural norms, a set of established ways that people operate every day, and that includes how communication works. Therefore any strategic planning must always be bespoke and tailored. There is no silver bullet or magic answer. Cut and paste will not work. Careful, informed thinking is needed to integrate the right cyber-security thinking and practices.

7. Space invaders: Of course, knowing about cultural norms and communication channels doesn’t have to mean more of the same. In fact, looking for ways to make your activities and communications engaging might mean challenging these norms. Think about trying to “invade the spaces” that exist both literally, in the business environment, and conceptually, in the gaps in how we think and behave.

8. Be distinctive: Information Security is just one of many topics competing for employees’ attention, and the noise level is often deafening. Not only does your communication need to stand out, it needs to stick. And stay stuck. An effective creative platform should have the creative and intellectual glue to help ensure your communications are distinctive, coherent, compelling and effective.

9. Ongoing: Successful campaigns are those that recognise that influencing behaviours around a difficult subject is an ongoing challenge. Threats, systems and people change. Information Security needs to be business as usual, and all employees need to be reminded and updated about things, most especially on their pivotal role in doing the right thing.

10. Measurable: And finally, measurement. The most elusive and also possibly the most divisive component of communication strategy. Increasingly, someone somewhere wants to convert it all into a number: to know the ROI, the benchmark levels and the changes. The right measurement could help you understand how effective you are and how the culture is shifting. It could help inform about gaps, modifications to activities and benchmarking. It could be very useful in getting the resources you need, and lots of other fine, very good reasons.

But it’s worth realising that it is not a simple or singular activity. There are some pretty easy ways to measure awareness, but really it comes down to the old adage of ‘things you can count or things that count’. “Did you see the poster?” is an awareness-based question: you can put it to as many people as you like and get some hard numbers. But finding out whether they actually carried out the action can be a completely different thing. And of course it’s the critical thing.

Having clear objectives at the outset will usually enable a set of appropriate measures to be formulated, or at least provide a glimpse as to what is going on, if not hard and fast proof.

It’s worth remembering that in most cases the principal goal here is long-term, sustained behavioural change, not a reactive blip. In other words, the desired behaviours become part of business as usual, the very DNA of the organisation.

So perhaps it’s also worth thinking about what the ultimate measure of Information Security awareness might be. This could be the ability of an organisation to recover from a security incident.

This might appear a bit radical, but it is based on the premise that you can never absolutely mitigate against human error. It is when and not if an incident occurs.

The true measure, then, is perhaps in the ensuing incident investigation and its aftermath, and in being able to provide evidence of how your organisation had taken all reasonable and appropriate measures to minimise and mitigate against such an incident.

It’s reasonable to assume that any answer would have to include technology, training and people. Maybe, then, the ultimate measure is also the confidence of your organisation and its leaders in being able to demonstrate that any incident was indeed an isolated case of individual behavioural dissonance and not a systemic failure of culture.

So perhaps the ultimate measure is a measure of how well you or your CEO sleep at night…

Chris Barrington is managing director at employee communication agency, Blue Goose
