By Victoria Guilloit, Awareness & Education Manager at John Lewis Partnership and finalist in the Security Serious Unsung Heroes Awards.
I’m going to address the question of how we get staff to take security awareness (and by ‘security awareness’ I mean Cyber/Information/IT and Physical) more seriously, and it should come as no surprise that it’s all down to the planning…
Let me begin by saying that I’m not going to try to solve the issue of whether we label the ‘thing’ that we want our people to do as ‘awareness’ or some derivation of this – but this may unfold in a follow-on article. I will however state that by ‘staff’ I mean anyone working for or on behalf of an organisation – so yes, that means employees and, at the very least, individual contractors.
A wise person once told me that, in general, people want to do the Right Thing. I’ve carried that with me over the past 20+ years, together with a firm belief that the principles of what we are actually asking people to do (i.e. if this information, on paper or online, is not suitable for everyone, how am I going to protect it on its journey?) are essentially the same, regardless of whether they are keeping a journal of the country’s biggest secrets in their desk drawer or writing about it in their Instagram story. We’ll revisit Cyber vs Information Security threat and risk another time. For now, let’s press on by considering what we might actually want these people to do.
Let’s say the end goal is to ‘create a culture of secure behaviour’, and by this we mean that all staff:
- Understand the importance of applying secure practices, and following security processes and procedures;
- Know where to go for help and advice, and;
- Feel confident about speaking up if something goes wrong.
This seems pretty simple, but in order to really get this right there’s a lot we need to know. Before we can start telling them to choose a complex password for every system, keep a clear desk, and report funny-looking emails to the helpdesk, we need to understand the culture of the organisation and its people, as well as the way that its processes and technology work.
Ok I realise that’s not what you wanted to hear. Surely there are some quick wins here? There’s loads of great security awareness material out there that I can get to educate my staff for free – why can’t I do that now?
Well, I did say I would answer the question of how we get staff to take security awareness more seriously. And the answer is, you figure out where you need to get to, and then you begin by taking the staff seriously on the topic. You’re thinking ‘Oh my goodness she wants us to send out a survey. This will never work!’, but bear with me: a targeted survey might be one solution, but so could a few well-placed conversations or, even better, a combination of both.
This is probably the right time to get ‘the leadership’ involved. Most leaders will be happy to put their name to a request for 20% of their staff to complete a short questionnaire, or for 5% to take 15 minutes out of their day to answer some questions over the phone if it’s going to save them money later. Because why would you spend money on creating an awareness campaign or a piece of training that teaches staff something that they’re either already doing quite well, or they can’t achieve because the technology won’t allow them? E.g. feedback might include: ‘I would love to create a complex password but the system doesn’t allow it’, ‘I have so many passwords but there is no standard secure password container’, or ‘I only have shared access to a computer’. Does this sound familiar?
Your company security and acceptable use policies should cover the must-dos (I’ll return to this topic later), so use these as the basis for your questioning, and talk to the people at the heart of your business and definitely to IT. Your staff will outline the risks and challenges, and then you can work on helping them to behave in the most secure way possible by designing your guidance to fit the reality of their situation. You will find that this will act as a driver for, or solidify a case for, a change to a system or process.
So now that you’ve listened to your staff and created the guidance they need, how do you make sure that they follow it? Is this the point where you bring in the hard-hitting campaign on the consequences of a significant security incident/data breach? Or is it time to bring out the doughnuts and free pens?
The awareness campaign you decide to run should be the end result of your analysis of the situation and the guidance you build to ensure that staff are aware and able to fulfil each request. Staff can’t be expected to report an incident if they don’t know what one looks like, what the process is to report it, or if they are afraid of the perceived consequences of speaking up. All of this needs to be addressed first.
So – back to ‘the leadership’ then? It’s a good idea to make your leaders aware of what you intend to focus on and why – and a little bit of competition here won’t hurt if you’re able to identify that one area of the business, for example, tends to speak up more than another. But a leadership cascade that you hope will ‘drive the right behaviours’ may backfire if your guidance simply says ‘Ask your line manager if you’re not sure’ at the end of every sentence.
Staff, for the most part, are taking direction from their line manager, so if we want everyone to do the Right Thing we need to make sure that the line manager is on board, equipped, feels empowered, and doesn’t feel overburdened. So, tap into Internal Communications, HR, or whoever it is in the organisation that has access to the line managers and do whatever you can to make them feel special from the outset and you’ll be in with a good chance of them saying to their staff that we ‘need to take security awareness seriously’ rather than the alternative…
If you’d like to read more about many of the awareness issues that we all face, then please consider subscribing to my blog at Victoria-Guilloit.com/Blog. Upcoming topics include:
- What makes a really compelling awareness campaign;
- Engaging and inspiring different audiences;
- How to get the best use of the channels available to you;
- What embedded really means; and,
- Privacy and Security Awareness? Yes you can…