One of the core tenets of Change Management is that employees need to hear a message between five and seven times in order to really hear it. And hearing a message is the first step to changing behavior. But as the messengers of our security awareness efforts, it’s easy to fall into a rut of sending the same ho-hum email about how to spot phishing attacks over and over. After a while we’re left to wonder, “Is this really working?”
The answer is: Probably not. Repeating our security awareness messages is just one way to engage employees and win them over to change their behavior. But having worked with more than 60 law firms to successfully engage employees on the subject of security awareness, I know there are two other elements that are critical to keeping your messaging fresh and engaging for employees.
The first is storytelling rather than simply reciting a checklist of behaviors or only relying on statistics to paint a picture. Storytelling is powerful because it’s human nature to listen to a compelling story. We want to hear the intrigue, we want to know how it all ends. Whether it's scouring news feeds or sharing through peer organizations like ILTA, as the messengers for security awareness we need to have an arsenal of relevant stories at our disposal to share with employees and enthrall them. Stories make it real. But to have the best chance of changing behavior, we also have to make it personal.
The second critical element to keeping your security awareness program fresh is finding a personal hook that engages your employees. We want to believe our employees are rapt any time we talk about keeping our firm data secure. And many are…the first time. And some still are…the third time. But to keep our program interesting and engaging over the long haul, we need to find ways to inject personal relevance into the mix on an ongoing basis.
Should you have any doubts about how significantly a personal hook can change the engagement level and get people’s attention, a recent segment on HBO’s This Week Tonight with John Oliver should erase them. Oliver recently interviewed Edward Snowden about the NSA’s data collection program and, during the most-definitely-NSFW segment, the host asked a number of average people the question “Who is Edward Snowden?” Most were unable to answer, although some seemed to vaguely recall that he did something that had to do with the government or information or telephones. In an ingenious, but again definitely NSFW, twist, Oliver then asked the same people if they would be okay if the government intercepted their electronic communications – specifically their…personal photos. Immediately the very same people who moments before didn’t voice any concerns about NSA data collection were paying very close attention and were able to very strongly articulate their concerns about such a situation. As a fan of Oliver’s, I found the segment highly entertaining. As a change management practitioner working in the field of information security, I found it an incredibly powerful object lesson: personal engagement is the key to keeping your conversations with employees fresh and engaging, and to changing the way they think about information security.
Taking a complex subject like information security and finding a personal hook might seem like a daunting task. But once you set about looking for those hooks, you’ll find them everywhere – sadly. For example, in the case of the recent Anthem breach – at first blush it seems like just another massive data breach…the kind we’ve become a bit numb to…more of the same old, same old. But when you look at the news story with an eye toward finding a way to make it personal for employees, you’ll find a powerful tool for your arsenal: tens of millions of children had their social security numbers stolen in the Anthem breach. The Anthem breach gives us an opportunity to talk to employees about yet another data breach, but now there’s a personal angle that resonates with them: how to help keep your children safe online. Or maybe that’s not the angle that jumped out at you. Maybe the hook you saw in that example was this one: what everyone needs to know when their identity is stolen. That kind of personal appeal is perceived by employees as a value-add for them and it opens the door for you to engage with them on an information security issue that you need them to pay attention to. Employees who understand how the risks and potential impact of poor security practices can affect them personally, as well as professionally, are more likely to move from a reactive to a proactive approach when it comes to information security.
A few other topics that can be effective personal hooks to engage users in conversations about bigger picture information security issues include:
- Tips for avoiding identity theft
- Using technology safely while traveling for vacation – especially when vacationing abroad
- Helping elderly parents or relatives avoid phone scams
- Securing your social media presence…and helping your kids do the same
- How to spot the inevitable email scams that flood our inboxes in the wake of natural disasters, most masquerading as charitable solicitations
- Understanding the security settings on that new device you received over the holidays
Another great way to find personal hooks is to watch a lot of television! Of course, there’s the John Oliver segment I mentioned earlier, a textbook example of how personal relevance can dramatically increase engagement on a subject, but many popular shows such as The Good Wife and CSI: Cyber are taking “ripped from the headlines” information security stories and turning them into engaging storylines. These professional storytellers regularly give us great examples of how to talk about these issues in ways that engage viewers, and we can take a page from their book and use their work to engage employees as well. And if those employees happen to be fans of that show, so much the better!
Behavioral and cultural changes are the ultimate goals of every security awareness program. Many firms try to “turn the battleship” and look at their efforts as changing everyone’s behavior simultaneously. But looking at individual behavior change as the building block and finding ways to make information security personal for your employees on an individual level is a more powerful and effective way to shift your entire firm from a reactive to a proactive stance in tackling these issues. Making it personal makes it stick. #LegalSEC #Security #Training