Information security is becoming increasingly important because of the growing risk of threats that can cause catastrophic losses to organizations: loss of intellectual property, disclosure of secrets, or disruption of vital services. In response to such threats, a number of information security standards have been introduced, among them ISO 27001 and the NIST CSF. These standards require organizations not only to create security policies, processes and rules, but also to follow them. It is following the rules that turns out to be one of the biggest problems in organizations. In this article, we offer you 5 effective ways to increase employee commitment to your organization’s information security policies and rules.
How to achieve high engagement in information security?
In order to have more engaged employees, we need to show them that these are not just another set of pro forma policies created under compulsion, but a living organism that is as important to the organization as achieving its goals and fulfilling its duties. This is where the big challenge lies. Senior management often does not sufficiently appreciate the need to focus on information security, which hinders the subsequent focus by the entire company. Since information security is complex and the entire company needs to be involved, we are really talking about creating a culture of information security in the organization. If you don’t have one in place yet, or if you do but your employees aren’t engaged with it, here are 5 tips to increase engagement.
1. Simple and understandable information security rules
Even when we have written policies, procedures and instructions, they are often not understandable to some employees or are difficult to follow, which creates the conditions for circumventing them. In these cases, messages and campaigns built around the following behaviours can help a lot:
- Think before you click
- Think before you send
- Be honest and responsible online
- Keep information and devices secure online
- Report anything suspicious
The behaviours listed above cover a large part of the policies and processes involved in information security, and at the same time they are easy to remember. Wrapped up in an engaging campaign, they will yield good results.
2. Development of leaders
Having managers responsible for information security in the organisation is not enough. In addition to being managers, they must also be leaders whom people respect and follow and whose technical expertise people trust. Such leaders need very good interpersonal communication skills and working relationships in order to build understanding of the processes and people’s engagement with them.
3. Information Security Champions
Information Security Champions are employees with an interest in security who help promote and embed security messages at the team level. They don’t have to be information security professionals; on the contrary, they are often employees who can easily adapt and translate a message into accessible and understandable language, so that it can be readily understood and implemented in the context of a specific team and project.
4. Publicly accessible information hub concerning information security
This is a single place to post all policies, procedures and instructions so that they are easily accessible to all employees. A blog or forum could be set up where all information security news, known breaches, newly discovered vulnerabilities and new developments are published and disseminated. This way, employees have a single point of contact where they can find everything they need or simply comment on information security topics. It can also be part of the internal community system.
5. Campaigns supporting awareness and information security
Such campaigns could include periodic training on current cyber threats and how to protect against them; information campaigns on the latest threats, vulnerabilities and best practices; and simulations of fraud, phishing attacks and security breaches to aid real-world recognition and encourage proactive behaviour from employees.
If you have any questions, we will be happy to help. Contact us