Making your employees care about company data...and the company

Job satisfaction in the UK continues to be low according to NatCen, an issue that has always had huge implications for information security professionals. But best practice bespoke employee information security awareness campaigns naturally target morale. In effect, getting employees to care about an organisation’s data by getting them to care more about the organisation itself. Keith Ducatel outlines two strategies.

Job satisfaction is now lower in Britain than in most other European countries, with only Portugal, Russia and five ex-Communist countries behind us. That’s the latest word from Britain's premier independent social research agency NatCen, with much of it being blamed on employees feeling pressured into working longer hours for no additional reward.

Whilst debate naturally offers many ways to interpret this data, one thing is certain: information security professionals have always recognised that employee job satisfaction has a huge impact on their work. Although I can’t cite any surveys or statistics, it’s widely accepted that demotivated employees are less interested in protecting their employer’s data. They may not proactively set out to cause a data breach, but there’s certainly an increased danger of lax approaches to data handling creeping in, in addition to less inclination to report potential incidents.

But that’s just demotivated employees. The situation is greatly exacerbated if the employee actually has a beef with their employer – particularly if they feel injustice at not being rewarded sufficiently for hard work. As a benchmark, you may recall that earlier in the year Ping Identity asked 2,000 UK consumers whether they would reveal their corporate passwords for under £1. 30% said they would.

Ever since the global recession, information security professionals have been forced to pay much greater attention to employee attitudes towards their employer.
Where possible they have liaised with HR functions to find relevant stats. Others have carried out their own surveys. It’s worth noting here that some information security professionals have found it hard to make their own senior management place enough emphasis on the crucial relationship between staff morale and information security. The reaction from board rooms has been reported to range from disinterest to strong resistance.

This surprises me, because bespoke information security campaigns built specifically for an organisation (rather than rolling out generic ‘dos and don’ts’ training) are a golden opportunity to achieve success on two fronts. Not only can a well-designed and implemented campaign greatly enhance the information security awareness of employees, it can also get employees to care about the employer’s data as if it were their own.

Your competitive advantage is their work

This leads me neatly on to the first strategy I wish to touch on – eradicating the ‘them and us’ by making employees see that they are the ones driving the corporate data of the organisation. This can often be the fundamental disconnect in employee thinking. They believe that their work is merely an insignificant part of a vast operation. In the words of Chandler from Friends, “If I don't input those numbers... it doesn't make much of a difference.”

This is a crucial area that a bespoke information security campaign attempts to address. The message is quite simply this: every employee contributes to competitive advantage. They come to understand that best practice information handling isn’t just about protecting highly secret information used by higher-salaried people in the distant upper echelons of the organisation – it’s about making sure that their own hard work doesn’t get compromised, which really would result in wasted effort. In effect, you build a culture in which every employee sees that their effort is valuable enough to be guarded stringently.

Place it in the social media context

Another strategy that achieves success is to place company data in a context that most UK employees are now very familiar with: social media. Indeed, using social media as the means to enhance information security awareness allows you to achieve success on three fronts:

• First, organisations have the power to address what many commentators cite as being our highly dangerous attitude to social media – too many people sharing too much information. That means making employees fully aware of the dangers of identity theft.
• Second, we map the metaphor. Personal data is likened to corporate data. The devastating results of identity theft are likened to the devastating results of corporate espionage, hacktivism, etc. And by understanding how to protect themselves, employees begin to learn how to protect the organisation.
• Third, teaching information security awareness through social media also enables you to address the increasingly concerning subject of employee misuse of it, whether using social media to share information that shouldn’t be shared, or using it to sound off about colleagues or the company itself.

If you simply try to push your social media policy as a distinct subject, some employees may feel that you are intruding too far into their personal life. By basing your information security awareness campaign in the context of social media, it becomes relevant territory to be covered.

The social media angle is strong for another reason as well – it helps to break down the work-social divide. Too many organisations still give the impression that they only care about their employees during working hours. In cultures such as these, it’s understandable that employees see a strong distinction between being at work and not being at work. I remember hearing one person talk in terms of ‘the work me and the real me’.
In contrast, I’ve had the pleasure of working with some extremely progressive organisations in which the culture is one of genuinely caring for employees both inside and outside of office hours. The result is a tendency for employees to see their work as a more integrated part of their lives. Teaching corporate information security awareness by way of teaching personal information security awareness gives them valuable knowledge that can be used to protect themselves and their family.

Get the voice right

These are just two strategic options for employee information security awareness campaigns that can achieve strong success in the field. There are many others of course. However, the most important consideration is the way in which these and other strategies are planned and communicated. Obviously, bear in mind this is about employee information security awareness campaigns that contribute to increased morale, not morale-boosting exercises that also teach information security.

However, more important is to know your employees and make sure you use a voice they will respond to. That may sound like a platitude, but I still come across internal communications campaigns that have been built on perceptions of employee mindset rather than a carefully analysed (and often humble) understanding. You have a unique business and, as such, a unique staff. Respect them enough to use a unique voice.