
Use internal communication principles for creative employee awareness campaigns

Learn how CISOs can use internal communication principles to design creative, engaging employee awareness campaigns that drive real behavioural change in cyber security.


Comms campaigns may not be your forte, so take a leaf from the Internal Communication handbook to get your message across

"What we've got here is failure to communicate." - The Captain, "Cool Hand Luke"

This line from Donn Pearce’s Cool Hand Luke, the story of a recalcitrant southern state prisoner and a 1967 film starring Paul Newman, addresses a fundamental element of human existence. Without communication, nothing happens, outcomes fall short of their full potential or, in worst-case scenarios, disaster happens.

The dropping of atomic bombs in World War II may not have happened if Japan’s response to the request to surrender had been translated correctly as: “We withhold comment – pending discussion,” rather than: “We are treating your message with contempt.”

In the workplace, failure to communicate can have significant consequences. An employee survey* looking at work communication in general found that poor communication leads to:

  • Higher stress levels (52%)

  • Delay or failure to complete projects (44%)

  • Low morale (31%)

  • Missed performance goals (25%)

  • Lost sales (18%)

When it comes to gaining understanding, acceptance, and action on your information security programme, failing to communicate appropriately and in a differentiated way reduces your chances of success.

Communication campaigns in an InfoSec world

When it comes to your company’s information security, good behaviours are key, and communication is a stepping stone to changing behaviours.

So, how do you go about developing and rolling out an employee awareness campaign?

Where do communication campaigns sit in your world, already overloaded with risk assessment, policies, pen testing, compliance, and the like?

Make it personal

To begin with, you would hope everyone knows cybersecurity is important, but most people don’t fully appreciate the ramifications of not taking the proper precautions. Consequences are your creative starting point. Throughout your employee awareness plan, weave in stories of how ordinary employees have fallen foul of bad actors and threats, and show what followed. Bring the consequences to life.

This is not a fear tactic. Once people understand how it can affect them, their interest increases along with an openness to seek and listen to more information.

Building your employee awareness campaign

Presumably, communication is not your core activity, so when considering your campaign, it’s good practice to take a leaf from Internal Communication's book and look to the “Five W’s” - who, what, why, when, and where.

1 - Who you talk to - Audience
2 - What you say - Message(s)
3 - Why you are talking - Objective(s)
4 - When you talk - Timing
5 - Where you talk - Channels

  1. Who = audience

    While you are communicating primarily with staff, keep in mind that communication activity can be adapted for other audiences – shareholders, clients, contractors, suppliers, and so on. Across employee groups, some high-risk users need to be addressed specifically. Target them with tailored messages based on the level of risk in their roles. Senior management often needs bespoke messaging. To be creative and effective, remember that one size almost certainly does not fit all: differentiation is the key, and the groups will change over time.

  2. What = messages

    Be specific for each message and paint a detailed picture for your employees to help them understand the gravity of potential risks. Each message should focus on a specific area. Illustrate it with concrete examples (stories) and show what the repercussions are at work and, equally important, at home. For example, tell them what cyber attackers are looking for, what techniques they use, which assets are under threat and, most importantly, how staff can protect themselves (a nice creative touch). The point is, don’t bundle everything together.

  3. Why = objectives

    As a CISO, you are continually attempting to change behaviour and further improve company culture, no matter where you are along the information security maturity curve. These objectives translate directly into your primary communication objectives – simple as that. Keep your eyes on the big prize of effecting behavioural change and leave the creative tactics to your communication experts.

  4. When = timing

    The larger the organisation, the more that news, surveys, company missives, and a whole host of other communication pieces increasingly deluge employees. But whatever the size of your organisation, to ensure your important employee awareness campaign isn’t lost in the maelstrom of noise, work closely with the internal communication team and plan carefully when your campaign can land and have maximum impact. Which leads nicely to…

  5. Where = channels

    This is where your creativity can have a real impact. People absorb messages in different ways, so tell your messages through all available relevant channels at the right time. There is no substitute for hearing a consistent message regularly via different formats. There is more to use than email: podcasts/blogs, online forums/intranet pages, newsletters, posters, screensavers, lunch-and-learn sessions/town hall meetings, training, Ambassador programmes (see later), and any other available channel.

Top tips to help your employee awareness campaign succeed

Here are some internal communication top-tips and tricks to make sure your employee awareness campaign is a success:

  • Powerful analogies

    These have a big audience impact. Connect security at work to security at home. The best analogies concern personal/domestic stories where the audience feels a total connection. Furthermore, if you provide resources or tools that help an employee’s security, you reinforce the message immensely.

  • Celebrate success

    When an employee doesn’t take the bait in a phishing email, reports an incident promptly through the right channels, or your team overcomes a ransomware attempt, tell the world. Go big on employee stories and allow employees to share their own. Employee recognition builds a positive climate and drives improved information security attitudes and behaviour.

  • Communications calendar

    This helps you carry out the activity regularly. Continually drip feed your content and avoid publishing a deluge of information at any one time. Little and often works.

  • Create an Ambassador network

    This is the creative biggie. Get employees to spread the news and, crucially, feed back the ‘word on the street’. Enlist a group of employees from across all business areas, geographic regions, and job levels to be your eyes and ears. These guys aren’t the Information Security Police, but ambassadors who create another communication layer in your programme that encourages further interaction with and among staff.

  • Listen

    Employees want to be heard. Go out, ask questions, seek opinions, and gather real-world scenarios. Listen and do something with the information you are given. Employees who feel listened to are more engaged with your messages and feel more connected to your objectives.

  • Measure

    Monitor open rates, intranet page activity, attendance at lunch-and-learn sessions, and so on. At the same time, keep an eye on your information security metrics and monitor upticks in performance linked to communication activity. Surveys are an excellent way to measure attitudes to and understanding of information security. The added benefit is that they can identify links to communication activity, too.

From failure to triumph

In deploying a coordinated information security awareness campaign – one that not only transmits, but also receives – you create an environment in which people feel happy to voice their views. Even better, one where their ideas are taken notice of. In short, they feel valued. This leads directly to the attitudinal and behavioural changes required to maximise information security performance.

With this in place, you will never fail to communicate and, more profoundly, make your company more secure.
