Industry News
IOIC
Search

Bernadette Palmer, head of communications at The Security Company (International) Limited, discusses how to engage employees with information security issues.


When you mention information security, most employees will glaze over and switch off. Security is seen as an obstacle, something negative that needs to be ‘got around’. As a result, engagement is low. If you ask employees if they read or refer to security policies on a regular basis, then the honest answer would be even lower.

Whether you realise it or not, security is an integral part of our lives, particularly now when we do so much online.

I use the analogy ‘same view, different window’ to describe our relationship with sensitive information. It’s always about protecting that information. Whether it is your own or the company’s; the principles are the same.

At The Security Company (International) Ltd we aim to bring security into the limelight, creating and delivering security awareness and education programmes. The aim of these programmes is to change the inadvertent security behaviour of employees which can result in incidents.

We lead employees from ‘unconscious incompetence to unconscious competence’ where security becomes part of the culture of the ‘way we do things around here’. Empowering employees to become alert to the risks and report anything suspicious immediately.

While companies don’t expect employees to become security experts, they do want them to respond quickly by reporting any actual or suspected incidents.


The boundaries between home and work are blurring


One area employees do care about is security in their personal lives, whether this is keeping their children safe online or being security-savvy in the online world. This is a useful hook in getting their attention and then linking this to the work environment. People’s self-interest is turned on and they are usually very keen to find out more.

This is becoming easier as the boundaries between home and work are starting to disappear; our doctrine is to be security conscious wherever you are.

Advances in technology have also introduced new threats with many people using their own devices for work; the challenge for companies is to keep track of where their data is.


Beware of emails bearing gifts


Scams such as phishing emails are increasingly common where criminals try to trick victims into handing over valuable information such as logins or passwords, names, credit card, any information that could be used to commit fraud.

This involves sending authentic-looking fake emails that often claim to be from a trustworthy individual, or organisation, like a bank or tax authorities. They will try to convince victims into clicking on a link that takes them through to a fake website, which also looks convincingly like the real thing.

Here they will ask for ‘confirmation’ of your security details or prompt you to enter personal information. As requested, you type in your details, thinking it is secure, and that is it – you have handed your information to a fraudster.

I’m always amazed at how much information we share online about ourselves. Some information could be useful to social engineers, who use deceitful manipulation techniques on people in order to gain access to information and commit fraud such as identity theft.


Why security is important


In my experience this is the fundamental missing link in many security communications. Employees just want to understand why the security controls are in place. Once they get this, they want to know how they can demonstrate secure behaviour. These are the key elements of good communications.

Once we have the employee’s attention, we highlight the similarities between keeping information safe at home and at work.


Welcome to the world of communications


Primarily, we’re a communications company, not security specialists, so our skillset is based around communications but our focus is on security. We work very hard to gain the trust of the internal communications (IC) teams within the companies we work for; their support is vital to the successful delivery of our programmes. They are sometimes, understandably, suspicious of our role so we organise an early get together to discuss who we are; what we do and the support we need from them.

It’s not unusual either to uncover a rather strained relationship between security and the IC team. The security team want reactive communications to occur immediately when a security risk is discovered and are often frustrated by what they see as a lack of support from IC.

I’ve worked in both security awareness and internal communications so I have a good understanding of the mind-set of each. We act as the link between the two areas. We educate the security teams so they understand that setting up a communications plan, which is agreed with IC, is far more beneficial in facilitating behavioural change than ad-hoc communications. We also help to demystify security by making it relevant to each target audience within a company.


Creativity is key


Creativity is key in getting the attention of employees and we use a variety of techniques, such as humorous animations, comic strips and infographics. We’ve even used a comedian as part of an identity theft roadshow. We’ve also set up a ‘messy desk’ and held ‘spot the risks’ competitions to get employees more engaged with security.

But we make sure we use the channels suggested by our internal communications colleagues as they know their audiences best.


A rose by any other name


Our aim is to make security interesting and relevant and we have learned that context is extremely important when looking to engage employees – “what do I need to know to do my job securely?” We often change content and focus on the word protection rather than security and employees then see the connection.

I am passionate about communications in the security context because it’s not easy to make something that is perceived as ‘dull’, interesting. Every day is a challenge!

The Security Company is a leading provider of creative employee security awareness programmes
Our Sponsors

Room Booking

Thanks for staying with us! Please fill out the form below and our staff will be in contact with your shortly. The see all of our room options please visit the link below.
See All Rooms
Member Login
Search