Comment: The Risks of Generic Approaches to Employee Information Security Awareness

Forward-thinking organizations create awareness programs that demonstrate the overlap between personal and workplace information security, Ducatel observes
Keith Ducatel, Article 10

No matter how advanced our technology becomes, employees will always be the first and last line of defense against information security risk. Even in the unlikely event of achieving 100% efficiency in combating cyber attacks, staff can still fall prey to myriad physical risks such as laptop loss or theft, eavesdropping and social engineering. For the foreseeable future, employee awareness of the key information risks and ways to avert them remains imperative.


Growing global awareness of this issue has been met with a worrying increase in the number of off-the-shelf policies and awareness training packages. Simply download and deploy. There’s even a space to put your logo.

Off-the-shelf may be cheap, but it’s a shot in the foot when battling something as specific to an organization as information risk. While there will always be standard measures that everyone must observe, off-the-shelf solutions fail to address an organization’s unique systems – leaving them wide open.

Off-the-shelf also fails to take into account an organization’s unique brand and culture. That means it’s unlikely that the messages are being communicated in a manner that will engage staff. This is why the days of generic ‘white label’ campaigns that tick the box of delivering cultural behavior change are thankfully long gone.


Another problem with off-the-shelf awareness solutions is that they rarely instill an information security mindset. I’m sure we’ve all seen examples of the instantly forgettable acceptable use policy (AUP) that cites over 100 different dos and don’ts. If the human mind on average only remembers five items from a piece of communication, then it’s far better that those five items instill a mindset that employees can apply to every task they undertake. This also helps to seal the employee’s relationship with the AUP as a valuable reference manual for specific instructions.

Forward-thinking organizations go one step further. With such an extensive overlap between personal and workplace information security, awareness campaigns can profit from addressing both. Focusing solely on the workplace runs the risk of information security being seen as something that is only selectively applied.


Good communication must take account of self-interest. If you don’t make it personal for the audience, then they may not be interested enough to listen. Motivating employees into action requires a demonstration of how information risk affects them directly – another great reason to focus on both workplace and personal risk.

If the employee ‘feels’ the personal and professional impacts of an information breach, including the way in which organizational damage can ultimately lead to a headcount reduction, there is a significantly greater impetus to apply caution to every task.


Internal communications budgets must be cost-effective. So why waste resources teaching things your staff members already know? Doing this also introduces the risk of the audience switching off before you come to the bits they don’t know.

A simple benchmarking exercise at the outset of an awareness campaign reveals where the knowledge gaps exist. This not only allows you to tailor the content, it also allows you to prioritize – addressing those areas of risk that present the most immediate threat to the organization.


Effective communications campaigns employ a mix of high-impact methods to deliver messages – posters, presentations and quick-guides to name just a few. However, each piece must be seen as part of the same campaign, preferably through the use of a strong visual identifier that is unique to the culture of the organization. Every time a new message is added, the mind automatically associates it with the wider campaign. Over a period of time, these messages aggregate into a steadily building and easily accessible body of knowledge that reinforces the essential information security mindset.

Weighing Up the Costs

To close, let me briefly touch on the subject of weighing up the cost of a bespoke information security awareness program versus a generic one. Naturally, this must be based on a solid information risk analysis, in which I believe three factors to be most critical.

First, consider the cost of a fine if a breach occurs. The nature of the organization will of course have a bearing on this, with those handling more publicly sensitive information generally being at risk of higher fines where applicable.

Second, consider how much the organization’s competitive advantage would be affected if its operational or strategic information were to wind up in the hands of a competitor. For example, technology companies have potentially more to fear here.

Finally, consider how big the bulls-eye on your back is. There’s a big difference between being relatively anonymous within a low-risk sector and being a high-profile household name or operating within a target industry such as banking and finance.

Every organization is unique, which means every organization has its unique information risks. If it holds publicly sensitive information, relies on its competitive advantage or attracts a great deal of attention, then a generic awareness program could leave it dangerously exposed.

Keith Ducatel, director of Article 10 Security Engagement and Awareness, has over 14 years of experience in internal and external communications for major global brands, including BP, Diageo, Microsoft, Samsung, Toyota, UBS and Unilever. For the last five years, he has focused on the escalating issue of engaging employees about information security. Ducatel is an active member of the Corporate Executive Programme (CEP) and the International Cyber Security Protection Alliance (ICSPA).
