13 tips for engaging employees on Cyber Security
Negligent employees (users) and the devices they use in the workplace continue to be the greatest source of endpoint risk.
The above is a key finding from the 2016 State of the Endpoint Report, an annual report independently conducted by the Ponemon Institute that investigates and identifies the biggest security threats facing organisations.
It reveals that it is employee ignorance, not malicious intent, that is causing security breaches. This is something we're all too familiar with, given our experience in crafting global internal information risk campaigns. And it is a problem that, when left alone, will only increase given the hyper-connected digital workplace employees now operate within.
It's time organisations came to terms with the predicament and took control by engaging employees on information risk. When this is achieved effectively, the benefits are huge: organisations gain protection against threats that no other security system could replicate.
Simply put, employees need to become the first line of defence against cyber crime, helping to minimise the threat of internal information leaks, theft and the damage that follows. So, here are our top tips to help you and your organisation turn your employees into your organisation's best security system.
1. Be clear on the employee behaviours that are placing information at risk.
Then identify the behaviours that employees themselves recognise as 'risky'. The goal is to isolate the risky behaviours employees are likely performing without being aware of them. Identifying these unacknowledged 'cause for concern' behaviours will help inform the weighting of initial employee communications and training.
2. Educate first. Train second.
Apologies if this is somewhat teaching your grandmother to suck eggs, but as with all behaviour change campaigns, you first need to educate employees on the different behaviours you identified in tip number one.
Through education you can make them aware of the need for the behaviour change – both for the organisation and the individual employee.
Training should then follow a period of awareness. The training will help to identify the elements of the awareness campaign that have worked, and the areas that require further attention.
Awareness and training on cyber security is something we strongly feel should be part of an employee's onboarding process. It's important to remember that as an organisation you are trying to build a security-conscious culture, so it should be a vital component of the initial communications an organisation has with a new employee.
At the other end of the spectrum, cyber security should also be a fundamental part of an employee's offboarding process. This will clearly fall into the hands of the IT department, who should have clear processes in place to guard against security threats from a departing employee.
3. Make employees feel part of the solution, not the problem.
A command-and-control approach is, as with all other types of internal communication, less effective than one that empowers employees so that they feel they are acting with autonomy.
Encourage personal responsibility, not personal blame. Where possible, demonstrate the benefits to the individual of a security-first mind-set. Constant scare-tactic communications can lead employees to ignore the issues at hand out of fear.
4. Messages should be simple and jargon free.
Initial awareness communications need to be easily understood by all. Avoid jargon that appears to be aimed only at certain groups, i.e. leadership or IT staff. It's surprising how easily language can inadvertently alienate audiences when it uses words that only people in certain job roles relate to.
Information risk is not the sole preserve of IT. It is now each and every employee's responsibility, and it needs to be communicated as such. Doing so also allows different departments to hold better conversations with one another on the subject, as they are all speaking a common language.
5. Identify the different audiences to reach, and how best to communicate with them.
Building on the previous point, however, you also need to identify your different audiences, so as to be aware of the different behaviours at play. One issue that will no doubt come up is that IT staff will deem themselves beyond the need to know about information security risk – after all, they see themselves as the ones fighting the battle daily, so they are well versed in the subject. While IT staff will likely be better clued up, their confidence can also be a huge security risk. They are prone to cut corners, and to deliver solutions and data to senior leaders not strictly by the book.
It is important to identify these more specific behaviours that require changing. How you communicate with and train these employees also needs to differ from how you would with an employee outside the IT department. Again, IT will see themselves as being above the 'everyday communications', so you need to talk to them on their level. Make them feel even more a part of the solution, and challenge them further. Even pit them against one another when using games to change behaviour. This is something we have found works well in the past, as it gives them the opportunity for kudos amongst their peers. IT folk are a competitive bunch.
There is one other key audience, and a continually growing one – remote workers. Given their dependence on remote collaboration, access to information, and the mobile devices they use for both, they are clearly an audience at risk from security breaches.
All leading organisations know the need to avoid alienating remote workers, and this is vital when engaging them on information risk management. Mobile apps are a key weapon in your armoury for reaching remote workers. But more important still is treating these employees as you would office-based ones; it is simply a matter of channel strategy and management.
6. Clearly explain and define preventative policies
Well documented policies need to be easily accessible to employees, so that when they find themselves in positions of uncertainty they can refer to existing policies to help guide their behaviour.
These policies are arguably best delivered to employees in the form of an app. A few quick taps on their device of choice can give them the answers they need – answers that are often needed in situations away from the office and away from peers or managers, meaning their mobile device is the only confidant they can turn to.
7. Have clear policies and procedures in place for employees to follow in the event of an information leak or attack.
Clearly, prevention – tip number 6 – is better than cure. However, when the symptoms of a data breach are spotted and acted on quickly, the damage can be significantly reduced. Employees should be versed not only in recognising when something has happened that poses a threat, but also in exactly how to respond.
Again, having a resource they can quickly turn to for support is vital. It is also important that organisations strictly adhere to their policies. For example, if an employee loses a laptop or phone, they must report the loss to the appropriate department or person, and only then receive a replacement. On occasion we've seen an absence of procedures, whereby employees do not need to report the loss of a device; they simply get a new one, no questions asked. Not only does this mean the right people are not notified to remotely wipe data from the lost phone, it also means the organisation is not keeping track of data loss – so it does not know which areas to focus on to improve.
8. Know how to communicate with employees in the event of a cybercrime incident.
Just as individual employees need to know how to respond to a security threat, so does an organisation.
It has become all too familiar for organisations, following a cyber-crime incident, to fail to make employees aware of the details of the situation. It is important that employees are quickly brought up to speed on the issue at hand, and then communicated with regularly on how it is being resolved.
An established internal communications plan and strategy are therefore necessary to expedite an organisation's response. A quick response not only guards against employees facing any further danger, it also shows employees the security threats the organisation has to deal with. This, admittedly not ideal, can be a good way to educate employees on cyber-crime – by showing them a real, close-to-home example. As they say, every cloud…
9. Encourage employees to report a potential risk.
Never make fun of an employee's security concerns. Reporting concerns needs to be actively encouraged, as it promotes conversation on the topic.
Organisations of course need to take note of the incidents and concerns being reported. That way, if the same 'false alarms' are continually raised, the organisation can address them in its communications and training programs.
There really is no such thing as a silly security concern. Better safe than sorry.
10. Regularly test employees' cyber security knowledge
Cyber security knowledge shouldn't be seen by employees as a one-time box-ticking exercise. Knowledge that isn't used and tested is very quickly lost. Organisations therefore need to keep this knowledge fresh by testing it regularly. Incentives are advisable to motivate people to keep their knowledge up to date. And tests should be engaging, so much so that participants do not feel like they are being tested. We have had good success with digital games. These were highly engaging and, importantly, fun – helping to bring the dry and often negative subject of information risk to life in an exciting way.
11. Hold regular sessions to explore the ever changing types of cyberattacks.
Just as employees need to be kept continually engaged on cyber-crime, so too should the organisation keep itself updated on developments. New devices, apps and data not only bring new routes in and out for would-be cyber criminals, but can also lead to changes in employee behaviour. Organisations therefore need to stay on top of the changing threats – and change they certainly will.
12. Use employee ambassadors or ‘security champions’
Employee ambassadors not only help amplify communications; by acting as the first point of call for employees, they can also listen to and advise colleagues on their security issues. This listening provides internal communicators with excellent feedback to inform further communications and training.
Employee ambassadors are excellent because, given they are – or should be, anyway – drawn from different parts of the organisation, they can better reach and connect different employees and departments. This is crucial for effectively shaping culture, and for making the communications and training more organic and believable, rather than being seen as just another corporate initiative.
13. Use storytelling
It's fair to say that internal communicators now know the power held in storytelling. Storytelling should be at the heart of all internal communications.
Everyone loves and can relate to a story.
Stories are particularly great when the audience feels like they are a part of them. And so storytelling for cyber-security needs to be used in the context of the audience – specifically told through the eyes of an individual. We have had success with this by identifying possible scenarios for a range of different employees and using storytelling to illustrate the cause (the beginning), the actions (the middle), and the consequences (the end). When storytelling is effectively leveraged, employees are able to see the importance of personal accountability and responsibility – helping to diminish the ‘it’ll never happen to me’ viewpoint.
What we hope is now clear is that information risk management, and so the fight against cyber crime, should not be seen as merely a problem for IT to solve. Instead, fighting cyber crime is a collective responsibility for the whole organisation.
What is required, therefore, is a change in culture: one in which all employees have a security-first mind-set in everything they do. Unquestionably, organisations with a security-conscious culture are the ones that will best guard against security threats, while not sacrificing business performance in any way.
By focusing on the thirteen tips we have outlined, you will be well on your way to achieving a security-conscious culture. But of course, having the help of an established internal communications agency, one with many years of experience in helping the world's largest organisations fight cyber crime, will no doubt help you too.
You know where we are 😉
Until next time…