Do your employees understand the value of information? When it comes to protecting your organisation's vital asset, this is one of the most important questions to ask yourself. Article 10 Director Keith Ducatel explains why.

When we deploy a bespoke information security awareness campaign for a client, our ultimate aim is to build a mindset in which employees come to respect and protect the information they work with. To achieve this, it's imperative that employees fully understand the value of that information.

Failing to understand the value of information is a major cause of information security breaches. It is the reason sensitive information ends up in wastepaper baskets or recycling boxes, where it is exposed to 'dumpster diving': the practice of scouring company bins for useful competitor intelligence. It has led to some of the high-profile 'laptop left on a train' incidents, where employees carry sensitive information on hard drives that have not been encrypted for transport. It can even cause employees to talk themselves into doing things they have already been told are bad practice, such as connecting to an unsecured hotel wi-fi network to check email. We have all been tempted to do it because of the convenience. What stops us is knowing how valuable the emails coming in and out are, and that on an open wireless network anything not otherwise encrypted (for example by TLS) can be read by anyone else on that network.

Communicating value

The value of information is best communicated through a clear information classification scheme. For example, take the traditional labels 'public', 'internal' and 'confidential'. One of the most effective methods of communicating value is to consider all of the information types within your organisation and categorise each under one of these headings.
Turn that into a clear communication that lets employees see exactly which information types fall under which classification. There are also engaging and fun ways to embed this in your employees' minds.

Make classification mandatory

Making classification of all documents mandatory also helps to embed this consideration of value. A classification must be assigned to every new piece of information that employees generate. Similarly, every piece of information they receive must be checked immediately for its classification. If a piece of information is passed on without a classification, the practice of sending it back to the originator for classification will eventually make this handling procedure second nature.

Protecting confidential information: Carrot or stick?

For most organisations, accidentally or intentionally disclosing confidential information is a disciplinary offence. As long as you state this as part of a campaign that simultaneously instils the value of information, it can be quite effective. Bear in mind, however, that the most effective internal communications campaigns succeed by aligning the objectives of the employee with those of the organisation. A more effective method, therefore, is to make employees see the personal value of protecting information at work. There are many messages that can be used, such as building the employee's perception of their contribution to the organisation's success and the need to protect the integrity of that achievement. You can also communicate how devastating an information breach can be, for example through lost revenue or a fine from the Information Commissioner's Office. A breach could even cost enough competitive advantage that the organisation can no longer operate at its previous size. This associates the concept of information security with job security.

Very confidential?

Incidentally, I'm often asked whether it's good practice to have different levels of confidential information, for example 'confidential' and 'highly confidential' or 'very confidential'. From a communications perspective, this practice can be detrimental if it isn't planned and communicated clearly. Employees can become confused about why some pieces of information are more confidential than others, and there is a danger of weakening the perceived importance of the lower level. My recommendation is to always be clear about whether the classifications are distribution-list-specific (i.e. who can access the information), handling-procedure-specific (i.e. how the information must be handled), or a combination of both.
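To make the two points above concrete (the mandatory "check the label, return unlabelled documents to the originator" procedure, and the distinction between distribution-specific and handling-specific classifications), here is an added Python model of a small scheme. It is illustrative code written for this page, not Article 10's tooling or any client's policy: the three labels follow the article, but the audiences, handling controls, marking format ("Classification: Internal" on a line of the document) and sample documents are all hypothetical.

```python
"""Added example: a classification scheme that separates distribution (who may
receive information) from handling (how it must be protected), plus the check
that returns unlabelled documents to their originator. All labels, rules and
sample documents below are constructed for illustration."""
import re
from dataclasses import dataclass

# Hypothetical scheme. 'audience' answers "who may receive it";
# 'handling' answers "how must it be protected while stored or sent".
SCHEME = {
    "public":       {"audience": {"internal", "external"}, "handling": set()},
    "internal":     {"audience": {"internal"},             "handling": set()},
    "confidential": {"audience": {"internal"},
                     "handling": {"encrypted_transport", "encrypted_storage"}},
}

# The label is expected as a marking line such as "Classification: Internal"
# anywhere in the document; matching is case-insensitive. (Assumed format.)
_MARKING = re.compile(r"^\s*classification\s*:\s*(\w+)\s*$",
                      re.IGNORECASE | re.MULTILINE)


def read_label(text):
    """Return the scheme label stamped on a document, or None when the document
    has no marking or carries a label the scheme does not define."""
    match = _MARKING.search(text)
    if not match:
        return None
    label = match.group(1).lower()
    return label if label in SCHEME else None


@dataclass(frozen=True)
class Transfer:
    """Who is about to receive the document and which controls are applied."""
    recipient_type: str   # "internal" or "external"
    controls: frozenset   # handling controls in place, e.g. {"encrypted_transport"}


def check_transfer(text, transfer):
    """Decide what happens when someone passes a document on.

    Returns (decision, reason):
      "return_to_originator" - no recognised label, so it goes back to be classified
      "block"                - the label forbids this recipient or a control is missing
      "allow"                - label present, recipient permitted, controls satisfied
    """
    label = read_label(text)
    if label is None:
        return ("return_to_originator",
                "no classification marking; originator must classify it")
    rule = SCHEME[label]
    if transfer.recipient_type not in rule["audience"]:
        return ("block", f"{label} information may not go to "
                         f"{transfer.recipient_type} recipients")
    missing = rule["handling"] - transfer.controls
    if missing:
        return ("block", f"{label} requires {sorted(missing)}")
    return ("allow", f"{label} document, handling controls satisfied")


# Constructed sample documents.
PRESS_RELEASE = "Classification: Public\nOur new office opens on Monday."
BOARD_MINUTES = "classification: CONFIDENTIAL\nQ3 pricing strategy and margins."
UNLABELLED_MEMO = "Reminder: tidy desks before Friday's audit."
UNKNOWN_LABEL = "Classification: Secret\nThis label is not in the scheme."

if __name__ == "__main__":
    cases = [
        ("press release to customer", PRESS_RELEASE, Transfer("external", frozenset())),
        ("board minutes to supplier", BOARD_MINUTES,
         Transfer("external", frozenset({"encrypted_transport", "encrypted_storage"}))),
        ("board minutes, TLS only", BOARD_MINUTES,
         Transfer("internal", frozenset({"encrypted_transport"}))),
        ("board minutes, fully protected", BOARD_MINUTES,
         Transfer("internal", frozenset({"encrypted_transport", "encrypted_storage"}))),
        ("unlabelled memo", UNLABELLED_MEMO, Transfer("internal", frozenset())),
        ("unknown label", UNKNOWN_LABEL, Transfer("internal", frozenset())),
    ]
    for name, doc, transfer in cases:
        decision, reason = check_transfer(doc, transfer)
        print(f"{name:32} -> {decision}: {reason}")
```

Two design points worth noting. A label the scheme does not define (such as "Secret" above) is treated exactly like a missing one and returned to the originator, so an ad hoc "very confidential" marking cannot slip through as if it were understood. And because audience and handling are separate fields, adding a higher confidential tier later means deciding explicitly whether it narrows who may receive the information, tightens how it is handled, or both, which is the clarity the article recommends.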