It seems like an innocuous email, with a professional tone, a recognizable logo, and a simple request – verify a username and password.
Unfortunately, it’s anything but harmless. It’s a typical phishing email, and according to the recently published Verizon 2015 Data Breach Investigations Report, 23% of the recipients of messages like these open them and a further 11% open the attachments. On average it takes just over a minute (82 seconds) for the first recipient to click on a phishing email, and that single click can be the start of a data breach with serious consequences for any organization.
Forrester predicts that 60% of enterprises will experience a data breach in 2015, with the worst and most-publicized examples destroying years of brand value. According to the 2014 Cost of Data Breach Study by the Ponemon Institute, the average organizational cost of a data breach has increased from $5.4 million to $5.9 million per breach over the last two years.
Verizon’s study also notes that half of the individuals who open attachments and click links do so less than an hour after receiving them, leaving very little time for an organization to detect the intrusion and contain it before damage is done.
Therefore, it is vital to ensure that employees are aware of these threats, and know how to deal with them, before an attack lands in their inbox.
Proactively communicating with employees about cybersecurity and data privacy can transform employees from being a huge risk to acting as the first line of defense for an organization’s reputation.
Here are 5 communication tips for creating aware, engaged and active employees who can act as guardians of your organization’s cybersecurity and data privacy.
- Communicate early and often to all targeted audiences.
Include messaging on security topics in the onboarding process, and ensure that employees, managers and leaders continue to be exposed to this information throughout their careers. A Cybersecurity Awareness Week is a great way to focus attention on the topic, but security communication should also be woven into your everyday communication vehicles, from 5-minute managers’ meetings to company-wide town halls. Frequent, consistent reminders are far more effective at reinforcing the need to stay diligent and follow proper protocols than a single annual event.
- Keep it simple.
A 2013 Tripwire report on the State of Risk-Based Security Management found that 61% of IT professionals felt the security information communicated in their organizations was “too technical to be understood by non-technical management.” Protecting your company’s information does not need to be complicated. Keep messages simple and specific, boiled down to the basics. Describe not only the risk but the exact action to take, including where to report a suspicious email or incident. Provide concrete guidance on what to do, when, and how in specific work environments. Include easy non-technical tips as well, like shredding documents regularly, collecting every page from the printer, and not discussing clients, products or confidential information in the airport security line.
- Give examples but don't use scare tactics.
Fear alone is a poor motivator; people who feel helpless tend to tune out rather than act. More compelling messages empower people. Whether you are implementing a cybersecurity plan or simply providing updates, give real, everyday examples of how to secure data and systems. Highlight ways to prepare, accentuating proactive rather than reactive behaviors. Emphasize the small steps that make a big difference, so that nobody feels cybersecurity is too large an issue for one person to affect. Rather than flooding employees with the hype surrounding IT horror stories, show them how to recognize and thwart would-be attackers.
- Train with a hands-on approach.
Many organizations create very detailed security contingency plans but fail to enable and equip employees to follow protocol and recognize common cyber threats. The Ponemon Cost of Data Breach Study cited above estimated that nearly a third of data breaches in 2013 stemmed from employee negligence.
New-hire training and regularly scheduled refresher programs are good tools to start with. However, rote memorization, click-through presentations and quizzes are rarely effective on their own. Learning sticks best when it is meaningful, connecting to what employees already know, and when it is active, giving employees control over how they learn. Give people something to do: a What’s Wrong with this Email? game, a simulated phishing exercise followed by immediate, non-punitive feedback, or scenarios drawn directly from your company’s own experience that managers can use as fodder for discussion in team meetings. Immersive, regular and engaging experiences bring new behaviors into daily work life and keep reinforcing them.
- Put your money where your mouth is.
The most comprehensive communication strategy, with the most creative messaging and the most interactive learning, only goes so far. To make sure employees understand the critical nature of cybersecurity and data privacy, include these areas in their performance reviews. The underlying message is crystal clear: cybersecurity and data privacy are everyone’s job. Recognize employees who report phishing emails, change a password they suspect has been exposed, or flag a potential security issue. Then share those stories as examples for others to emulate.
Spending time and effort on proactive, strategic communication, alongside your technology defenses and contingency plans, is a valuable investment with considerable returns. Arming every employee with the right knowledge and resources equips them to take the appropriate action and turns them into ambassadors for your message. The end result is a front-line safeguard against data breaches that protects your organization’s brand value, customer trust and data integrity.
What have you found to be successful in communicating about data privacy and security with your organization?
Contributing authors: Susan Willett and Dionne Gomez