The answer is to embed your ICT Security Policy. We have now reached the point where the ICT Security Policy requires the same level of adoption that HR policies, like occupational health and safety, anti-discrimination etc. have had for years. However, we’re a long way off achieving that, in most organisations here in Australia.
So how do you create a collaborative culture to embed the policy within your user base?
1. Your policy document
First, the policy document needs to be “user-friendly” and up to date. Obviously if the information isn’t current, it lacks relevance and credibility. It should also be succinct. If people know they are going to be asked to trawl through tomes of information they won’t read it, let alone absorb it.
Language and context should be easily understood and tailored to the audience. Before you can “embed” your policy, review and update the document if necessary; some organisations may need to develop a whole new document.
Collaboration is not supported by a policy which has clearly not been written with users in mind.
2. Getting support at senior levels
Second, executive sponsorship is key to changed behaviours and a collaborative security culture. If you’ve just completed a new ICT Security Policy, take advantage of the opportunity to use the approval process with your senior leaders to get support.
All leaders should be concerned with information security and understand the risks associated with data breaches. However, if you can’t reach that senior level to inform, and support them to work with you, hire external support to run a few “awareness” sessions for senior people, covering the risks and the policy.
Modelling behaviours as described in a policy you expect people to follow, is a powerful way to create change and collaboration. We recently reviewed a decision made by Fair Work Australia. After dismissal of an employee not following policy, the decision went against the employer. The Commission found that senior management were also not following policy and had not made the policy sufficiently known.
3. Educating Users
Third, running an education campaign with your users is essential. Many organisations still don’t run any kind of awareness. The document is published and that’s the end of it. All users need to review and be familiar with the policy to create strong adoption.
Sadly, most organisations don’t realise the terrific upside to running an education campaign; during awareness sessions and other activities, we know that users open up and ask questions regarding risks and they ways they use technology. Such discussion provides great insights for ICT to target their efforts to manage risk. It also provides the opportunity for collaboration and a focus on effective information governance across the organisation as a whole.
We recommend a mixed model for delivery; a campaign may include, the policy document published internally, a video covering the key points and directing users to read the policy document, tips and tricks once a week pushed out across the network, lunchtime brown bag sessions about new risks relevant to new equipment/systems being rolled out and/or after a security incident. Refresher awareness sessions should be conducted when the policy is reviewed ie every 12 months.
4. Educate users about information security, not just cyber-security
An additional point; media reports on cyber-security and major hacks appear almost daily, but the campaign focus should be much broader than cyber-security, because so is the risk. Usually, the term cyber-security is in the context of an “outsider” threat with malicious intent. But what about raising awareness of the risks of data breaches due to simple human error? This is often forgotten and should be included in an effective education campaign. The mobile devices we carry with us outside of our usual work environment say, to and from the car or external meetings present risk, but so does leaving a hard copy file full of customer data on a train.
Information security is everyone’s problem so a collaborative approach to ICT Security is what is needed now.
ROI Solutions can assist you to achieve collaboration in your organisation through better documents, awareness sessions for senior leaders and education campaigns for users. Please contact us at roisolutions.com.au or on 1300 264 946.