One of our core values at BiZZdesign is sharing knowledge and best practices. That's why we regularly organize and contribute to online and offline seminars, conferences, and round tables. After a presentation entitled "Security is not an IT problem", which illustrated the often lacking connection between policies and measures within organizations, we decided to have a World Cafe to discuss a number of topics surrounding this. The last blog post in the series tackled the question of how to communicate about information security. In this blog post, I will present the outcome of a debate on what really works to build information security awareness? Feel free to share your thoughts in the comment section below.
What’s in it for me?
The interests of an organization as a whole regarding information security are understood by most employees in the organization, but personal interests seem to be more important, or at least more urgent for many. You need to tell people what they have to lose. Reputation, trust, business continuity, money, data, time and focus are only some of the pain points mentioned.
What if this was your company?
Asking someone what they would do if it were their company facing information security problems is a great way to get honest responses. This is a personal question, which helps people to see the bigger challenge, rather than focus on their own tasks at hand.
Security hero of the month
Nobody really has a 'Security Employee of the Month Award' (and the winner is... the person with the most complicated password?), but rewarding good behavior is a simple yet effective mechanism. Praising those that perform well with some simple rewards, and compliments from management can really make a huge difference.
Short, frequent messages rather than one big yearly campaign
People's agendas are busy, and we'll have a lot to present when the new version of our security architecture is released, so we'll just communicate about it then... Does this sound familiar? Well, this is a bad practice. Roadshows, awareness offensives and internet campaigns might look great, but hardly work if you do them once a year. Sharing short messages frequently, rather than long messages rarely, does a much better job of keeping security at the top of people's minds. Keep repeating your vision and repeating what you expect people to do.
Make it real
What happens when we get hacked? A hacking demonstration can shine a light on this question. There's no need to demonstrate the technical part, per se, but the part where we show what the damage is. This way, people really see how hard or easy it is to gain access to information, and understand how important it is to take security measures.
Creating awareness really is a challenge, but with the best practices mentioned in our round table, things might become a little easier.