Why employees avoid reading policies and how you can change this?

At TSC, we understand that the cyber security stakes for organisations of all sizes are high and the consequences of lapses in security can be severe. Having robust policies in place is not just a preference but a necessity.

A pressing challenge many organisations face is ensuring that these crucial policies are not just implemented but also understood and adhered to by employees.

In this article, we will delve into the importance of cyber security policies and explore why employees often avoid reading them. More importantly, we will provide actionable insights on how organisations can bridge this knowledge gap.

Why are cyber security policies important in the workplace?

Cyber security policies serve as the backbone of a secure and resilient organisation. Let us explore the multifaceted importance of these policies in more detail:

• Establishing consistency in processes and structures: One of the foundational pillars of cyber security policies is their ability to create consistency in the workplace. They provide a structured framework for employees to follow, ensuring that cyber security measures are consistently applied across all departments and functions. This consistency is instrumental in safeguarding an organisation against vulnerabilities, as any weak link can potentially compromise the entire system.
• Fostering a safer work environment: Another goal of cyber security policies is to create a safer work environment. These policies act as a shield against the ever-looming threats of cyberattacks, data breaches, and information theft. By following well-defined policies, employees become better equipped to identify and mitigate security risks, reducing the likelihood of security incidents that could lead to data loss, reputational damage, or financial losses.
• Setting a firm standard for behaviour and practices: Cyber security policies serve as a compass, guiding employees toward acceptable behaviour and best practices within the organisation. They delineate what actions are permitted and what is prohibited, setting a clear standard for responsible cyber security conduct. This clarity is invaluable in shaping a corporate culture where security is a shared responsibility and not solely the domain of the IT department.
• Ensuring compliance with legal mandates: Cyber security regulations and data protection laws are complex and wanton to change; non-compliance can result in severe legal consequences. Cyber security policies act as a critical shield against legal liabilities. By adhering to these policies, organisations can ensure that they are consistently in line with legal mandates. This not only helps in avoiding penalties but also fosters trust with stakeholders, who seek assurance that their sensitive data is handled responsibly and ethically.
• Enhancing preparedness and incident response: Beyond these core benefits, cyber security policies also play a pivotal role in enhancing an organisation's preparedness for potential security incidents. They establish clear guidelines on how to respond in the event of a breach, thereby minimising chaos and confusion when faced with a crisis. This preparedness can be the difference between swift recovery and prolonged downtime.
• Boosting employee confidence: When employees are aware that their organisation has robust cyber security policies in place, it instils a sense of confidence in the workplace. Employees can focus on their tasks without constant worry about cyber threats, knowing that the organisation is proactively managing security risks. This peace of mind can significantly improve morale and productivity. PowerDMS argues that “employees who receive formal onboarding training are more productive, gain full proficiency faster, and are more likely to hit their performance milestones.”
• Building a reputation for trustworthiness: In an age where trust is paramount, adhering to cyber security policies also contributes to an organisation's reputation for trustworthiness. Clients, partners, and customers are more likely to engage with an organisation that demonstrates a strong commitment to safeguarding their data. A reputation for cyber security excellence can be a key differentiator in a competitive marketplace.

Cyber security policies are the linchpin of a secure, efficient, and legally compliant workplace. They establish consistency, bolster security, set the standard for responsible conduct, and shield organisations from the legal repercussions of non-compliance. Beyond these fundamental roles, they also enhance preparedness, boost employee confidence, and build trust among stakeholders. Embracing these policies is a necessity for every organisation.

12 reasons employees avoid reading policies

Ensuring that employees actively engage with and comprehend cyber security policies can be an uphill battle. A multitude of factors contributes to why employees often avoid policies. Let us explore these factors in greater depth:

• Lack of awareness or policies not being shared: In many organisations, employees may simply be unaware of the existence of cyber security policies. Whether due to a lack of effective communication or policies not being readily accessible, employees cannot be expected to read what they do not know exists. A GuideSpark survey reveals that 43% of millennial employees and 30% of non-millennial employees had not read their employee policy handbook. In fact, more than 33% of employees did not even know where their physical policy handbooks were located.
• Time constraints and inefficient workflow: In our fast-paced working environments, time is a precious commodity. Employees frequently perceive reading lengthy policy documents as a time-consuming task that may disrupt their workflow. The perception of inefficiency in their work processes can lead to policy neglect.
• Overwhelming information overload: Organisations often make the mistake of inundating employees with a constant influx of information. Amidst emails, notifications, and the relentless barrage of data, cyber security policies may easily become lost in the sea of content. The resulting information overload can lead to employees pushing these policies to the backburner. Studies by The MacKinsey Global Institute and the Information Overload Research Institute have previously written about how the average worker is inundated with email management, making it difficult to juggle and prioritise tasks.
• Poor choice of communication channels: The effectiveness of policies is often hampered by the choice of communication channels. Sending policies via email, for example, might not be the most efficient means of distribution, as they can be lost amidst the clutter of an overflowing inbox.
• Timing and overwhelming workloads: The timing of policy communication is critical. Releasing new policies during periods of high workloads or stress can result in employees glossing over them. Workplace stressors can make it challenging for employees to allocate attention to additional reading.
• Diverse employee personality types: Not all employees are cut from the same cloth. Some may be naturally inclined to follow rules and absorb policy information diligently, while others may have a more rebellious or dismissive attitude towards policy adherence.
• Accessibility barriers: Accessibility issues can also pose a significant hurdle. In a world of remote and mobile work, policies may not be easily accessible to all employees. Technical limitations or cumbersome access procedures can deter engagement.
• Incorrect employee assumptions and perception of irrelevance: A prevalent assumption is that cyber security is exclusively the domain of the IT department. This misconception can lead employees to think that they bear no personal responsibility for safeguarding the organisation, contributing to policy neglect. Furthermore, employees may perceive cyber security policies as irrelevant to their specific job roles. This can result from a lack of understanding regarding how these policies relate to their daily tasks, leading to indifference.
• Digital screen and email fatigue: After spending a full day working on digital screens and processing emails, many employees may resist the idea of spending more time staring at screens to read policies. In fact, according to a Wakefield Research survey conducted in April 2021, email fatigue leads to around 38% of employees quitting their jobs. This digital screen and email fatigue can make engaging with policies less appealing.
• Lack of priority or workplace norm: If cyber security is not emphasised as a top priority or workplace norm, employees may not see the importance of these policies. A culture that does not prioritise security may inadvertently encourage policy neglect.
• Complexity and jargon: Some policies may be laden with complex technical jargon that is hard for the average employee to decipher. The fear of not comprehending the content can discourage employees from trying to read the policies.
• Half of remote workers do not care: Remote work also pose cause for concern; this survey found 52% of remote employees felt they could get away with unsafe conduct. For example, they would send confidential information through unsecured messaging platforms or use unsafe websites and extensions.

A myriad of factors contribute to why employees often avoid reading cyber security policies. To address this challenge effectively, organisations must recognise and tackle these barriers head-on.

How can organisations encourage employees to engage with policies?

To bridge the gap between the creation of cyber security policies and their effective implementation, organisations need to employ a comprehensive approach.

Here are several strategies that organisations can adopt to ensure that cyber security policies are not only read but also internalised and adhered to:

• Improve accessibility: Make cyber security policies readily accessible to employees. Establish a dedicated and easily navigable portal or intranet where policies are stored. Ensure that employees can access these documents swiftly, whether they are in the office, working remotely, or using mobile devices. Additionally, consider providing printed copies for employees who prefer hard copies.
• Include in induction training: An effective way to instil the importance of cyber security policies is to introduce them during the onboarding process. New employees should be educated about these policies from the very beginning of their employment journey. This not only helps in raising awareness but also sets the expectation of policy adherence from day one. TSC encourages our partners and clients to run ‘5 Golden Rules & Security Induction’ training for their employees.
• Integrate into regular training: Do not limit policy dissemination to onboarding alone. Include cyber security policies in regular training sessions or workshops. These should not be isolated events but a recurring part of employees' development. Periodic reminders help reinforce the importance of these policies and keep employees informed about evolving threats and best practices; you can encourage this using digital and physical awareness materials.
• Test employee policy comprehension with regular audits: Organisations should regularly assess employees' understanding of cyber security policies. Conducting periodic audits or quizzes to evaluate comprehension can identify areas where employees may need further education or clarification. This not only ensures that employees read the policies but also guarantees that they understand and can apply them effectively.
• Encourage accountability: Create a culture of accountability where employees feel personally responsible for cyber security. Encourage employees to take ownership of their role in protecting the organisation. Reward compliance and address non-compliance promptly and constructively. Fostering a sense of collective responsibility enhances policy adherence.
• Regularly review and refresh policies: The landscape of cyber security is in constant flux, with new threats emerging regularly. 69% of senior executives are not confident that their current policies will be enough to meet future needs. Policies that remain static quickly become obsolete. Regularly review and refresh your policies to ensure they reflect current threats, best practices, and the evolving needs of the organisation. By keeping policies up-to-date, employees are more likely to see their relevance and stay engaged with them. In fact, compliance and regulation experts recommend a yearly review of policies.
• Streamline policy language: Ensure that policy documents are clear, concise, and free of unnecessary technical jargon. Complex language can deter employees from reading or comprehending policies. Policies should be written in a way that the average employee can understand, making it more likely that they will engage with and internalise the content.
• Use real-life scenarios and case studies: To make policies more relatable, incorporate real-life cyber security scenarios and case studies into training materials. Employees are more likely to engage with content that demonstrates the practical implications of policy adherence and breaches.
• Promote open communication channels: Establish open communication channels where employees can ask questions, seek clarifications, and report potential security concerns without fear of reprisal. Creating a safe environment for discussing cyber security matters encourages employees to actively participate in the organisation's security efforts. Consider the use of diverse communication channels to capture the differing generations in the workforce. For example, SayHey Messenger, younger corners of the workforce will connect far more with consistent instant messages rather than traditional messaging.
• Recognise and reward compliance: Implement a system for recognising and rewarding employees who consistently demonstrate good cyber security practices. This can include incentives, certificates, or acknowledgments in company communications. Positive reinforcement can go a long way in motivating employees to engage with policies.

Effective implementation of cyber security policies requires a multifaceted approach that includes accessibility, education, accountability, regular evaluation, policy refinement, language simplification, relatability, open communication, and positive reinforcement. By employing these strategies, organisations can create a workplace culture that places a premium on cyber security awareness and policy adherence, strengthening their defence against cyber threats.

Conclusion

Cyber security policies are the backbone of a secure organisation. However, for them to be truly effective, it is crucial that employees not only read them but also understand and adhere to them.

By addressing the reasons employees avoid reading policies and implementing strategies to change this, organisations can ensure a safer, more resilient cyber environment.

If you would like information about how The Security Company can help you to formulate a cyber security training and awareness program for your organisation or if you would like a demo of our products and services ... please contact us here.

The Security Company's vast library of customised and non-customised products and services are tailored for small, medium and large organisations and are available in a variety of languages. We also offer bespoke solutions for organisations that desire training and awareness materials built from the ground up.