Data security is top-of-mind for organizations of all sizes, and that concern is not likely to subside any time soon. If anything it has heightened, morphing and evolving as millions of employees now work from home, which leaves organizational data more exposed to breach than before. Crafting and implementing an effective security awareness campaign can help.
Not a one-size-fits-all endeavor
Foundationally, the most important thing IT and security management professionals need to understand about communicating with employees is that there is no one-size-fits-all approach. It is not the kind of process where you create a brochure, send it to all employees, and expect the messages to stick. They won’t.
A transformational communication program will move beyond one-size-fits-all messaging and approaches. It will seek to use the right strategy to target the right people, at the right time, in the right context. Not a simple task.
Here we take a look at four critical elements of effective security awareness campaigns.
1) Carefully think through your target groups
The absence of a one-size-fits-all approach does not mean that segmenting by traditional role or demographic is the answer either. You can, and should, also consider segmenting based on behavioral outcomes. For example, every organization has people who range from those who naturally do the right thing, to those who consciously think about what they are doing, to those who are simply unaware or negligent.
Each group requires a different approach and different messaging. If a group consistently does the right thing with respect to a specific behavior, you may not need to train them on that behavior at all, or you may want to present them with a modified version of the training. You can give them back some time, or find new ways to make the training relevant to them.
Understand as much as you can about your stakeholders, what they value, and what their concerns are.
2) Be intentional with recognition and reward
It is hard to overstate the importance of recognition and reward for changing and sustaining behavior. Recognition and reward help form bonds between people and between groups, and they are a psychological trigger for creating habits. Positive habits are precisely what we want to build.
Variable—or intermittent—reward systems are best. Think about the gambling industry which rewards individuals not on a predictable basis, but variably. That variability causes people who gamble to be “hooked” and to continue trying to win because they can’t predict when the next payout will be.
The same holds true when it comes to rewarding employee behavior. Use the power of variable reward systems so people don’t know when the next reward is coming but have faith that the reward will come if they continue to do the right thing.
Another important driver of desired behavior is peer support. Consider implementing a system where employees can nominate each other for recognition when they see a colleague “doing the right thing.”
3) Assemble culture carriers
Your culture carriers are the influencers in your organization who you can engage to help drive your security awareness efforts. They can play an important role in helping you increase your reach and influence. Identifying them, engaging them and reinforcing their commitment can yield big benefits.
What do they do? That depends. They can do anything that you and your organization believe will be valuable to the program. This might be informal, such as a “street team” of evangelists spreading the word about security best practices, or very formal, such as being tasked with finding and closing specific security vulnerabilities. Just as in the marketing world, these culture carriers, or “brand ambassadors,” can help you maximize the reach of your message and the impact of your influence.
4) Measure your success
“We can’t manage what we can’t measure,” the old saying goes, and that is certainly true here. The specific metric you choose matters less than whether it gives you genuine insight into how each strategy in your program is performing.
For instance, if you have a strategy around increasing contact/engagement time with your employees, some of the things you might measure include:
Web-based newsletter views
Reported security incidents
Establish a baseline, implement your tactics, and continually measure how the metrics you have chosen shift over time. Be careful how you read the shift: a rise in reported security incidents after an awareness push usually means more people are noticing and reporting, not that more attacks are succeeding, so interpret it alongside the number of incidents that actually caused harm.
But don’t focus exclusively on the numbers. Numbers matter, but stories move. Don’t discount the power of stories and anecdotes. Collect value statements from employees and other stakeholders about how the program is influencing them, how it has changed their perspectives, how it has improved their work life, and so on.
Work to become a master storyteller about the value of security awareness in your organization. There is no one-size-fits-all measurement strategy. The main thing to consider is that you can, and should, find something that provides valuable insight about each large strategy item in your program.
Finally, remain nimble and ready to adapt. A transformational security awareness program is adaptive and anticipatory, always seeking ways to meet your people where they are with the security-related information and interventions that they need.