This blog was co-written by Joanna Huismann and Aimee Laycock.
Communication is not always easy (let’s be honest, we have all wanted to scream with frustration at our partner or a family member at some point or other). In business, we often hear about the need for effective and efficient communication. But when it comes to the goal of changing security behaviors, what does that actually mean? And, how can it be achieved?
Scientists have found that the effectiveness of communicative processes plays a vital role in the prevention of security breaches and the affected organization's response to them. Frequent, collaborative and knowledge-rich communication, within and between departments, is important both for security prevention and response strategies to achieve desired outcomes (Arhin & Wiredu, 2018).
Here are some ways to ensure your security message is heard and remembered based on research by CLTRe, a KnowBe4 company, into communication and security culture:
- Keep members informed. Share what steps are being taken, why they’re important, and what impact they will have, both on the business as a whole and on them individually.
- Ensure that communication flows in both directions. Listen to their concerns, find out what is important to them and why.
- Keep it relevant. Consider the target audience for your security communication. Not all employees need to receive all communications. Determine what level should be on the receiving end so as not to dilute the effectiveness or interest.
- Keep it short and sweet. Your message should be concise and easily consumable by your audience. Thanks to social media, humans have become conditioned to receiving information in small bite-sized chunks so make sure that your message is appetizer-like, not an entrée.
- Up the frequency. Repeated messages are the ones most often remembered. If you are communicating quarterly, bi-annually or the dreaded… annually… it’s just not enough. Your message will be forgotten and ineffective. A good practice is to communicate weekly, and then reinforce those communications through follow-ups in the form of group discussions, 1:1’s, etc.
- Vary the channels. Consider how you cascade awareness messages. Is there a consistent process, tool or medium in place that encourages not only delivery of a message, but that offers a way of creating a two-way dialogue? If not, look for a way to enable this very necessary exchange. Your audience may have critical input and no way to provide it.
- Encourage inter-departmental input. Where frequent communication is encouraged, employees who naturally would not communicate with others are presented with the opportunity to do so. Information security is an inter-departmental effort rather than an IT-department-only effort, and inter-departmental collaboration requires a good communication culture. Enable a way to communicate between departments and collaborate on outcomes.
The research conducted over the past 4 years by CLTRe includes studies into communication, which consistently highlight the importance of communication quality and frequency. Communicating the same message frequently and in unique ways, using repetition and creativity, is the best way to help ensure the message is heard and remembered. With new-school security awareness training, you can communicate effectively with your users and automate the delivery of frequent, short videos, quizzes, games or other types of engaging training content to targeted groups to keep your message fresh and top-of-mind.
In general, when explaining to employees why certain security measures are important, we strongly recommend also communicating why the measures are important for them personally. For example, explain how the measure will affect that employee’s work, how they will benefit, and what impact it will have on them.
If addressing these points seems like an overwhelmingly large task, consider building a network of security champions or security ambassadors. Having a network of security ambassadors across different business areas can be very helpful to (a) help get the message out, and (b) have ears and eyes on the ground. For this network to be effective, though, be prepared to invest time and effort to encourage, support, and listen to your security ambassadors.
Attitudes towards security measures are more likely to be positive if members understand the necessity of the various steps that are taken to secure the organization and its assets. Enlisting the help of security champions or security ambassadors can help ensure that the message is communicated using language that resonates with your target audience. New-school security awareness training can help everyone in your organization become a security ambassador for your company.