Persuading Employees They Are Your Organization’s First Line of Defence


It is widely recognized that cyber-crime frequently starts with an organization's weakest link: its employees. What is less well known is how to turn employees into a company's strongest line of defense.

Information security is generally introduced to employees in an overly directive manner, and that is exactly what makes it counter-productive: rules that are imposed rather than explained tend to be ignored or worked around, heightening rather than reducing organizational risk.

Shifting information security from prescriptive and dull to resonant and engaging is therefore a vital step, and it hinges on employee communication. However, it goes well beyond improving 'internal marketing' or an annual refresh of the compliance training module. Turning employees into a staunch line of defense requires a number of strategic approaches; here are some of the most impactful.


Shifting perception around information security means ensuring your message is heard, understood and easily adopted by those you want to reach. Employees need to be receptive to your message, so it is important to engage on their terms, not just yours. Work out what will resonate with each segment of your audience.


If it appears complex, busy employees will not want to engage with your message. Simplifying takes effort, determination and often ingenuity, but it is always worth it. Try taking a higher-level view, away from the dense undergrowth of policy and procedure.


Employees need to understand the risk, their role and the actions they should take. Consider two broad types of communication: generic communications that set the essential context and focus broadly on “how to think” about information security; and issue-specific communications that focus on “what to do” about defined risks and aspects of security such as working offsite, phishing emails and information classification.


To be transformational, this approach needs defined outcomes, such as a specific response or reaction. Ultimately it has to affect not only what employees think and feel but, critically, what they actually do. It has to 'help make change happen'. This is not about plastering the workplace with imperatives or instructions; it is about clearly articulating how employees can do the right thing.


Every organization has its own mix of cultural norms, a set of established ways that people operate every day, and that includes how communication works. Any strategic planning must therefore be bespoke. There is no silver bullet or magic answer, and cut and paste will not work. Careful, informed thinking is needed to make the right choices.


Of course, knowing about cultural norms and communication channels does not have to mean more of the same. In fact, finding ways to make your activities and communications engaging might mean challenging these norms. Think about trying to "invade the spaces" that exist both literally, in the business environment, and conceptually, in the gaps in how we think and behave.


Information security is just one of many topics competing for employees' attention. Not only does your communication need to stand out, it needs to stick - and stay stuck. An effective creative platform should provide the creative and intellectual glue that helps ensure your communications are distinctive, coherent, compelling and effective.


Successful campaigns recognize that influencing behaviors around a difficult subject is an ongoing challenge. Threats, systems and people change. Information security needs to be business as usual, and all employees need regular reminders and updates, most especially about their pivotal role in doing the right thing.

It is worth remembering that in most cases the principal goal is long-term, sustained behavioral change, not a reactive blip. In other words, the desired behaviors become part of business as usual, the very DNA of the organization.

It is also worth thinking about what the ultimate measure of information security awareness might be. One candidate is the organization's ability to recover from a security incident.

This might appear a bit radical, but it is based on the premise that human error can never be eliminated entirely. It is a question of when, not if, an incident occurs.

The true measure, then, is perhaps found in the ensuing incident investigation and its aftermath: being able to provide evidence that your organization had taken all reasonable and appropriate measures to minimize the likelihood and impact of such an incident.

It is reasonable to assume that any such evidence would have to cover technology, training and people. The ultimate measure, then, may also be the confidence of your organization and its leaders in being able to demonstrate that any incident was an isolated case of individual behavioral dissonance and not a systemic failure of culture.