In today's global office, IT security leadership spends a great deal of time and resources creating a defense-in-depth approach to data security. This often includes layering on both logical and physical solutions as well as detailing out policies and procedures for accessing company data in a secure manner.
However, at the end of the day, this information is regularly being retrieved and used by the workforce at large and only including an overview on data security in an employee handbook won't guarantee that these records are kept safe.
There is a need to create value around company data and one way to do this is to ensure that the workforce knows and understands the threats that are out there and the measures that are in place to protect against them. The following are factors for companies to consider when creating an effective data security communication plan.
Target your audiences. Most companies have a diverse workforce with varied backgrounds and ages. The communication efforts that resonate with Millennials may not work for Baby Boomers. Try different types of communication to see what resonates most with these different audiences. Newsletters, announcements at staff meetings, reminders in break rooms and cafeterias, blog, vlogs, podcasts, screen savers displaying data security and privacy messages and even games can help disseminate the message.
IT security teams can also divide workers into those who will support company policies, procedures and best practices as well as those who may be a barrier to success. Targeted efforts with the latter will help to shift their priorities to include data privacy and security.
Provide Ongoing Education. Security and privacy trainings typically happen during the new hire process but it's important to not stop there. The first few weeks at a company are often overwhelming and jam-packed with information. To make sure that policies are being adhered to and best practices followed, follow up with six-month training courses and create a schedule of ongoing educational programming on data security. Try mixing in-person seminars and interactive training modules with online sessions for maximum effectiveness.
Make it Personal & Relatable. To the general workforce, data security may seem like an intangible thing. Utilize real-world examples and case studies to make policies and procedures -- as well as the consequences of not adhering to them - more real. Answer the questions "why should I care?" and "what's in it for me?" Talk to workers about how they uphold privacy in their personal lives and then help them transfer these tactics and values to their work lives.
Encourage a cultural change. Walk through any office space and you'll likely see employees displaying proprietary information or login credentials on device screens. This can lead to visual hacking - a low-tech method used to capture sensitive, confidential and private information for unauthorized use. You may also find confidential documents left in printer trays and encounter workers talking about sensitive topics in the hallway. In this situation, data privacy clearly isn't a central aspect of office culture.
IT security teams must work to create a self-policing organizational culture, where all employees buy into the importance of data security to the overall health and growth of the company. In the previous examples, employees should take confidential conversations into private locations and face screens toward the wall coupled with the use of privacy filters to protect confidential information.
Equip employees with a data security toolkit. Account for both high-tech and low-tech data security threats equipping both BYOD and company-issued devices with a data security toolkit. Take inventory of how and where these devices are being used and roll out security tools using a risk-based approach. Further remove the human factor by creating a process through which new company devices like laptops come pre-installed with data security software, privacy filters and laptop locks. Literature explaining how and why these measures were taken can reinforce security and privacy messaging.
Data security is not one size fits all, nor is a data security communication plan. Finding the ideal fit for any company may take trial and error, but an educated and mindful workforce will serve to support the mission of IT security teams tasked with keeping confidential information just that - confidential.
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.