Despite my purposefully attention-grabbing headline, the truth is that in today’s environment of information overload, there’s no real easy way to promote a security-conscious culture in the workplace.
What I am seeing though is many organizations sidestepping this problem by reinventing their internal communications approach.
‘Out’ are formal, one-way, text-heavy communications. ‘In’ are interactive, visual, multimedia messages delivered through unmissable channels that demand attention.
So if you’re tasked with communicating cybercrime prevention, follow these three easy(ish) steps to engage with staff and get your information security culture humming.
1) Mix it up
One of the biggest trends in internal communications, and specifically security training, is burst learning: short, snappy communications that are quick to consume, and build momentum.
That means the ‘all-staff broadcast email’ no longer makes the grade.
And it certainly doesn’t appeal to millennial learners, who now constitute the largest workforce demographic. They’ve grown up with an infinite amount of information available at a single swipe, and dismiss messages they perceive as irrelevant in a nanosecond.
Not surprising, then, that a scientific study last year found attention spans have deteriorated from 12 seconds to 8 since the arrival of the mobile phone.
Remember ‘different strokes for different folks’ when designing your security comms. What achieves message cut-through for some people might not for others. Security experts agree that the more you can customise your content to suit your audience, the greater impact it will have.
So mix up the format. Think imagery, cartoons, desktop pop-up alerts, ‘what-would-YOU-do’ scenarios, screensavers, gamification and video. Find interesting ways for your message to be re-spun to suit different audiences and boost staff engagement.
2) Create high-intensity, solus campaigns
To really drive a message home, devise high-intensity, high-impact campaigns that focus on a single security topic.
Treating each topic individually puts it front and centre for staff, triggering conversations and the sharing of stories – the best way of all to promote any culture.
Let’s take the topic of password protection, something we can all relate to.
If yours is a pet’s name or Password1, change it now.
Create a bundle of messages around the importance of password protection, and release them over a short period. Back it up with classroom training, if available.
Use real-life stories and facts to drive home the message. For example, did you know that 39% of passwords are eight characters long, and typically take only a day to crack, whereas a 10-character password takes an estimated 591 days?
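The point behind those figures is that search space grows exponentially with length, so each extra character multiplies the attacker's work. The following is an added illustration, not code from the original post: it computes the keyspace, entropy and worst-case exhaustive-search time for a given alphabet and length under an assumed guess rate (a constructed 10 billion guesses per second, which will not reproduce the post's own day counts, since those come from a different model), and applies the post's advice as a simple policy check against a constructed list of common passwords. The helper names and the 12-character and 60-bit thresholds are assumptions for the example.

```python
import math
import string

# Assumed guess rate (constructed for illustration, not from the original post):
# 1e10 guesses per second, in the range of a GPU rig attacking a fast unsalted hash.
GUESSES_PER_SECOND = 10_000_000_000

# Alphabet sizes for common character classes.
ALPHABETS = {
    "lowercase": 26,
    "lowercase_digits": 36,
    "mixed_case_digits": 62,
    "all_printable_ascii": 95,
}

# Constructed stand-in for a breached-password list; a real check would use a
# much larger corpus (e.g. the k-anonymity range API of Have I Been Pwned).
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}


def alphabet_size(password: str) -> int:
    """Estimate the effective alphabet from the character classes actually used."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 symbols
    return size


def keyspace(alpha: int, length: int) -> int:
    """Number of candidate passwords of exactly this length over this alphabet."""
    return alpha ** length


def entropy_bits(alpha: int, length: int) -> float:
    """Bits of entropy if every character were chosen uniformly at random."""
    if alpha <= 0 or length <= 0:
        return 0.0
    return length * math.log2(alpha)


def days_to_exhaust(alpha: int, length: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case days to try every combination at the assumed guess rate."""
    return keyspace(alpha, length) / rate / 86_400


def length_comparison(alpha: int, lengths=(8, 10, 12, 16)) -> dict:
    """Entropy and exhaustive-search time for each length, for a campaign slide."""
    return {n: {"bits": round(entropy_bits(alpha, n), 1),
                "days": days_to_exhaust(alpha, n)} for n in lengths}


def password_issues(password: str) -> list:
    """Findings a defender would flag, following the post's advice (thresholds assumed)."""
    issues = []
    if password.lower() in COMMON_PASSWORDS:
        issues.append("appears in common-password list")
    if len(password) < 12:
        issues.append("shorter than 12 characters")
    if entropy_bits(alphabet_size(password), len(password)) < 60:
        issues.append("estimated entropy below 60 bits")
    return issues


if __name__ == "__main__":
    for name, alpha in ALPHABETS.items():
        print(name)
        for n, row in length_comparison(alpha).items():
            print(f"  {n:2d} chars: {row['bits']:6.1f} bits, {row['days']:.3g} days worst case")
    for pw in ["Password1", "Fluffy2019", "correct horse battery staple"]:
        print(pw, "->", password_issues(pw) or ["no findings"])
```

Going from 8 to 10 characters over a 62-symbol alphabet multiplies the search space by 62², or 3,844, which is the shape of the argument behind the post's figures regardless of the exact guess rate assumed.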
Many of our customers launch their internal comms campaigns with a series of teaser messages direct to employees’ screens. These are delivered via desktop pop-up alerts and scrolling messages, across virtually any device.
Then, for sustained message relay, more passive tools such as corporate screensavers, which double as mini digital billboards around the office, and desktop wallpaper reinforce key communication points, albeit in the background.
Interactive tools such as quizzes and surveys, repurposed for gamification, provide an even deeper level of engagement.
3) Meaningful measurement
How do you know if your staff really understand the issues surrounding information confidentiality, password protection, and remote access?
Can they quickly spot the tell-tale signs of social engineering or a phishing scam (fraudulent email)?
Knowing how staff are tracking on security awareness levels gives useful insight into who is yet to read, download or respond to training.
Targeting the yet-to-comply staff becomes easy, as does republishing and repeating messages. You can continue to pester those who’ve not yet committed to learning, and by default, coerce your staff into better security-conscious behaviour.
The other side of the coin is you can provide evidence to the powers-that-be on the effect of your hard work.
This is especially relevant if you have KPIs for security training. Employee validation, or in other words proof that an employee has completed and understood their training, provides an accurate picture of how your programs are tracking. Their level of understanding can be assessed, and any knowledge gaps can be identified and closed.
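To show what ‘meaningful measurement’ looks like once the training platform export is in hand, here is an added example that is not part of the original post. It runs over a constructed sample export (one row per employee per assigned module, with a null score for anyone who has not responded) and produces the three things the section calls for: completion rates overall and per department, the list of non-responders to target for a repeat message, and per-topic knowledge gaps and validation figures for the KPI report. The record layout, the 80% pass mark and the function names are assumptions for the example.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample export (not real data): one row per employee per assigned module.
# "completed" is False and "score" is None when the employee has not yet responded.
RECORDS = [
    {"employee": "alice", "dept": "finance", "topic": "phishing",  "completed": True,  "score": 90},
    {"employee": "alice", "dept": "finance", "topic": "passwords", "completed": True,  "score": 70},
    {"employee": "bob",   "dept": "finance", "topic": "phishing",  "completed": False, "score": None},
    {"employee": "bob",   "dept": "finance", "topic": "passwords", "completed": False, "score": None},
    {"employee": "carol", "dept": "sales",   "topic": "phishing",  "completed": True,  "score": 60},
    {"employee": "carol", "dept": "sales",   "topic": "passwords", "completed": False, "score": None},
    {"employee": "dave",  "dept": "sales",   "topic": "phishing",  "completed": True,  "score": 95},
    {"employee": "dave",  "dept": "sales",   "topic": "passwords", "completed": True,  "score": 65},
]

PASS_MARK = 80  # assumed quiz score below which a knowledge gap is recorded


def completion_rate(records, group_by=None):
    """Fraction of assigned modules completed, overall or grouped by 'dept' or 'topic'."""
    if group_by is None:
        return sum(r["completed"] for r in records) / len(records)
    buckets = defaultdict(list)
    for r in records:
        buckets[r[group_by]].append(r["completed"])
    return {k: sum(v) / len(v) for k, v in buckets.items()}


def non_responders(records, topic):
    """Employees still to complete a topic: the list to target with a repeat message."""
    return sorted(r["employee"] for r in records
                  if r["topic"] == topic and not r["completed"])


def knowledge_gaps(records, pass_mark=PASS_MARK):
    """Per topic: average score among completers, and who scored under the pass mark."""
    by_topic = defaultdict(list)
    for r in records:
        if r["completed"]:
            by_topic[r["topic"]].append(r)
    return {
        topic: {
            "average": mean(r["score"] for r in rows),
            "below_pass": sorted(r["employee"] for r in rows if r["score"] < pass_mark),
        }
        for topic, rows in by_topic.items()
    }


def kpi_summary(records, pass_mark=PASS_MARK):
    """Figures to report upward: completion rate and validated-understanding rate."""
    completed = [r for r in records if r["completed"]]
    validated = [r for r in completed if r["score"] >= pass_mark]
    return {
        "completion_rate": len(completed) / len(records),
        "validation_rate": len(validated) / len(records),
    }


if __name__ == "__main__":
    print("completion overall:", completion_rate(RECORDS))
    print("completion by dept:", completion_rate(RECORDS, "dept"))
    for topic in ("phishing", "passwords"):
        print(f"still to respond on {topic}:", non_responders(RECORDS, topic))
    for topic, gap in knowledge_gaps(RECORDS).items():
        print(f"{topic}: average {gap['average']:.1f}, below pass mark {gap['below_pass']}")
    print("KPIs:", kpi_summary(RECORDS))
```

On the sample data the passwords module has the weaker average and two completers below the pass mark, which is the kind of topic-level gap that would justify a follow-up campaign, while the non-responder list for each topic is what drives the repeat messaging the previous paragraph describes.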
In summary, big bucks (in fact $170 billion in 2015) are spent on putting technical controls in place, such as sophisticated firewalls and threat detection.
But I believe the most powerful weapon against cybercrime is your staff.
To adopt a security culture within your organization takes time, tenacity, a tap of creative messages and a way to measure it.
Download our whitepaper on “How to create a security culture” here.