Getting Your Team To Practice Safe Technology
In this final part of our series on creating a security-minded culture, we sample expert advice on the best ways to go about it.
As the pace of technology innovation speeds up, the future is less predictable than ever. That is having a devastating impact on cyber security. Security technology innovation—from context-aware behavior analytics to virtual dispersive networks—is of course also progressing at a remarkable pace, but so are the skills of cyber criminals.
Aware that the technologies are putting up further obstacles to their success, cyber criminals are concentrating increasingly on looking for the weak human link: people who use the same passwords over and over; recipients who click on the embedded links in phishing emails; the users of public Wi-Fi networks where their unprotected communications can be intercepted.
That is making the job of IT security even harder, so smart IT security teams are looking increasingly to their colleagues for help rather than just telling them what to do.
When attempting to convince others in the organization of the importance of adopting a particular security approach, emphasis should be on the business impact and on placing things in a business context when helping individuals to understand why a concern exists, says John P. Pironti, president and cofounder of information risk and IT security advisory IP Architects. And he advises formally publishing security expectations so that they do not come over as some sort of arbitrary requirement from an individual.
Eric Vanderburg, director of information systems and security at technology advisory Jurinnov, recommends involving employees in making security decisions as a way of getting them to commit themselves more fully. And fostering an open environment where people are free to ask questions without consequences is required if you are to successfully create a security-oriented organizational culture, he says.
Storytelling is an approach that Edward Starkie, cyber security specialist at professional services company PricewaterhouseCoopers, puts forward.
Be creative and take the time to understand your colleagues’ interests, he says. Use examples from your own organization, be transparent and honest but above all frame stories in such a way that people understand. The board may for instance appreciate figures portraying the overall financial cost of an incident, but colleagues on the factory floor may be better engaged by a description of costs expressed as a week’s worth of factory output.
And use a variety of formats to communicate your messages, says internal communications technology company Snapcomms.
Use imagery, cartoons, desktop pop-up alerts, “what-would-YOU-do” scenarios, screensavers, gamification and video. Find interesting ways for your message to be respun to suit different audiences and boost staff engagement, it says. And focus on one topic at a time. By making a single topic the center of attention, you are more likely to trigger conversations and sharing of stories—the best way to promote any culture, says Snapcomms. The company offers the following example of a password protection campaign.
Create a bundle of messages around the importance of password protection, and release them over a short period. Back it up with classroom training, if available.
Use real life stories and facts to drive home the message. For example, did you know 39 percent of passwords are eight characters long, and typically only take a day to crack? Whereas a 10-character password takes an estimated 591 days to crack.
You could start with a series of teaser messages direct to employees’ screens. These are delivered via desktop pop-up alerts and scrolling messages, across virtually any device.
Then, for sustained message relay, more passive tools such as corporate screensavers, which double up as mini digital billboards around the office, and desktop digital wallpaper could be used to reinforce key communication points.
And interactive tools such as quizzes and surveys, repurposed for gamification, could provide an even deeper level of engagement.
There are no guaranteed paths to success in IT security, but past approaches, which relied heavily on sowing fear and proscribing and prescribing behaviors, are becoming less credible with every new headline about cyber crime.
The future of IT security looks like it will be just as much about culture as algorithms, and getting colleagues to help each other practice “safe technology.”