Developing secure behaviours – 10 practical principles for effective change

Poor employee behaviours create risk for businesses

Overwhelming evidence consistently shows that people are at the heart of the majority of cyber security incidents and data breaches, typically through ignorance, carelessness, error, trickery or malice.

In a world of increasing cyber threats, there is wide acceptance that embedding secure mindsets and habits into an organisation’s culture is imperative. However, many leaders are stuck between ‘what’ they need to do and ‘how’ to do it.

We need to start by engaging people in conversation

We believe that “conversations change culture”, and it can be incredibly simple and effective. Raising awareness can build momentum for change, but we need to equip people with the confidence, skills and knowledge to take the right actions. Through conversation, collaboration and interaction, a culture of secure behaviour can be developed.

Most security training fails because it removes conversation, which is a primary catalyst for change.

You can throw more money at your technology and hope it will solve your problems. But the biggest opportunity is to strengthen your human firewall and make your people your strongest defence.

10 Practical Principles for Effective Change

1. Conversation changes security behaviour

Conversation provides both parties with:

  • context and meaning
  • time for self-reflection of their own behaviour and beliefs
  • insight into new perspectives
  • the possibility of redefining opinions
  • the opportunity to collaborate and identify new processes.

Changing behaviour has to be inclusive. Every individual in your organisation is part of your security culture and has an influence upon it through what they say and do. The process of behaviour change is, therefore, innately collaborative. Switching from a culture of instruction to one of conversation generates the movement necessary to include everyone as the collaborators in the development of ideal security behaviours.

RECOMMENDATION: Add conversation to your security awareness programme as the catalyst to make change happen. In every conversation you have today, ask: Is there any one thing we could do immediately to make the business more secure?

2. Collaborate for change

Want to know why people share passwords, fail to encrypt or bypass the company systems? It’s tempting to assume that it’s because they don’t care, they’re disengaged, or they’re just plain stupid. More often than not, it is because they are stuck between two of the phases of change, most commonly between contemplation and action. Or, as we like to call it, stuck between knowing and doing.

Telling someone the consequences of reusing the same passwords is unlikely to result in change. The ease and benefit of reuse outweighs, in their opinion, the benefit of changing their behaviour. This is due to the consequence/benefit not being clear, impactful and timely enough to jolt people into action. Therefore the status quo remains!

Collaboration allows the time and space to make each exchange of information personal and relevant to the individual in such a way that may trigger change.

QUICK WIN: Consider the non-compliance issues your business is currently dealing with. Choose one and make it your business – over the coming week – to talk to employees about why it is happening.

3. Talk about what’s working

How many times have you been in a meeting where you begin by addressing some problems and, by the end, you walk away with more problems than you came in with?

What we talk about and how we talk about it creates our reality.

When we focus on good practice, we get more of it. It’s not about ignoring problems that exist, but a change in emphasis that will help shape the behaviours you are striving for. If we spend more time talking about what’s working, then we pull our attention to those things and more positive things will follow.

Looking for successes enables us to consider how we can build upon them. Encouraging conversations about existing good practice demonstrates a new reality which is part of your security culture: You’re sending out the signal that this is a company where people do things well and strive to do them better, and its workforce is the solution to security. Such a new reality engenders positive feelings, and these, in turn, encourage new positive conversations, which generate new positive actions…and so on.

Here’s an example: You notice that there’s been an increase in the number of employees reporting cyber security incidents. There are two ways this could be talked about. One is to say that awareness is still not good enough, that only a few people have become more vigilant. The other is to acknowledge that people are paying more attention and demonstrating that they care through better reporting behaviours. At this moment we are making a decision about the reality we’ll experience.

QUICK WIN: How does your organisation reward positive security behaviours? Commending people makes them, and others around them, want to do more and better. Is there something you could do today to support the change you want to see?

4. Build alliances that last

Assembling a network of key stakeholders and getting them to buy into your vision is vital to the success of any culture change campaign.

Your plan has the best chance of developing if you share it with others. To begin with, your plan won’t be much more than an opening sentence:

“I want every single employee to consider themselves a part of the cyber security team for our business.”

Don’t worry that your plan isn’t complete at this stage; people will value the opportunity to help you to develop it by making suggestions, adding their own concerns, and talking about it with their colleagues.

These conversations will help you to turn your plan into something your peers will buy into.

5. Communicate for engagement

In order to engage everyone in cyber security behaviour change, you need to provide them with regular, accessible, high-quality communications that embody the new culture.

In many businesses, security communications have traditionally been written by people with an IT background. As a result, the language used has been technical rather than readily accessible to the layperson. Lengthy policy documents won’t light anybody’s fire, and blanket directives and autocratic instructions sent by email (and not always relevant to the individual receiving them) are easily ignored.

Many forward-thinking security professionals are now seeking more mature methods of engaging their people.

Here are some tips you can use for creating engaging and effective copy:

  • Explain WHY. Once we know why we’re being asked to behave in a certain way, we are more likely to make the necessary change.
  • Always put the person at the heart of any story. Protecting abstract data provides no emotional response, protecting people’s identities does.
  • Use scenarios to get people involved. Describe a security dilemma that could happen to any employee and ask the reader how they would behave in that context.
  • Ignite lively debates. Ask employees to share tips on secure browsing for young people. Breaking down the home/work divide often shifts behaviours.
  • Describe proactive behaviour. Ask employees to nominate an ‘unsung security hero’. Share the hero’s story, their passion for security and their advice to others.
  • Make it topical. Post about big breaches that are hitting the headlines and add your own thoughts and comments.
  • Create events. It doesn’t have to be elaborate; present a weekly award for superior security behaviour. Typically, recognition, rather than a ‘prize’, is preferred.
  • Allow humour. Run a competition to find the best ‘security’ joke and award a prize.
  • Have a sponsor. If there is a real person behind the communication, people are more likely to follow the action.

HANDY TIP: A regular flow of lively approaches to key issues is the most effective way to ensure that learning sticks and curiosity grows.

6. Communicate for action

When we start to write a security comms message we tend to know what we want people to do, how they should behave and why it would benefit them to change. However, to change behaviour we need to think in more detail about our audiences’ needs.

For example, your communication may be highly motivating to someone, but they lack the skills to change their behaviour. Or a person may have the skills required but doesn’t believe the extra effort will provide a realistic benefit. Your audience may need a combination of up to 7 triggers as part of your communications programme, some of which can be delivered electronically and others which will need a personal touch.

Triggers your audience may need for change to occur:

KNOWLEDGE – “I know I should”
DESIRE – “I want to”
SKILLS – “I can”
OPTIMISM – “It’s worthwhile”
FACILITATION – “It’s easy”
STIMULATION – “I’m joining in”
REINFORCEMENT – “Well done”

7. Train for dedication

Either we train employees with the aim of achieving knowledge, or we support employees in their training as frontline defenders of the business.

If we go with the former, we soon learn that what appears to be a simple task – re-use the PowerPoint, buy in the online compliance tests – actually lands us with the never-ending task of testing, checking, cajoling and repeating, all of which yields minimal returns.

If, however, we treat the process like a personal trainer at the gym, our role becomes different. No-one who regularly attends a gym expects the trainers to do the work for them; the role of the trainer is to guide, support and encourage – it is the trainee who sets the goals, accepts the discipline and is responsible for the outcome.

Examples of proactive training

The key to a good training session is for participants to leave with outcomes: actions that they have already designed and discussed within the session and that they are committed to making happen. If a training session is only one way, people may leave with good intentions to make changes, but without having had the time to consider what those changes might be, business as usual soon takes over and the changes are never made.

Interactive training sessions always promote deep learning; here are some examples of approaches that you may want to try out:

  • Plan a social engineering attack – Who knows the business better than its employees? They know the vulnerabilities, the value of the data and the routes to access it. So ask employees: if they were a social engineer, how would they attack the people in their business? You soon find them identifying gaps in their own processes and behaviours that they want to ‘fix’.
  • If your security behaviour were a house – ‘Thinking with your hands’ is a great way to get mind and body working together on a task. Ask employees to imagine their current security behaviours as a house; get them to describe the house, draw it, and make a model. Often employees find their ‘security house’ is quite ‘draughty’. Then ask them to design a makeover.
  • Rehearsing for reality – Ask for examples of social engineering scams that employees have experienced, either at work or at home. Having chosen one, ask for volunteers to act out the situation in order to see exactly what happened. Once you have the scam scenario in front of you, participants work as directors to change the behaviours of the actors in order to achieve a better outcome.

An effective security awareness training session leaves participants feeling motivated, energised and confident in their ability to defend their business and their homes. The effects are long-lasting and they fuel ongoing conversations that – in turn – strengthen the developing security culture.

8. Develop security champions that are on your side

If security culture is a conversation that includes everyone, then how can you make that happen?

You need to begin a shift from the grassroots up. More and more companies are starting to develop networks of ‘Security Champions’. Why? Because they work!

Security Champions are people working in all areas and at all levels of the organisation who take on the role as part of their existing job. They take the security conversation out into the business by making it their mission to communicate key messages, demonstrate good practice and take the initiative when they spot something that isn’t right. Because of their local knowledge of people and processes, they are able to be focused in their approach, determine priorities and tailor what they do to the needs of their particular area or department. And, because they have established relationships with colleagues, their advice will be respected and acted upon immediately. It’s the best method we know for creating targeted messaging!

Who are your champs?

A proactive security culture spreads virally: it happens through conversations, and it begins with a few people who have some key things in common:

  • They take a great interest in security and find out about it regularly.
  • These people are gifted at spreading the word, leading by example and influencing the behaviour of others around them.
  • They talk to many, or a wide range, of their colleagues during the course of their work.
  • Their zeal for security energises them and they win over others to the cause.

By seeking out these people and recruiting them to your cause, you have the ability to grow your security team overnight and spread your influence into every area of the business; they will lead the charge towards a proactive security culture for you and create nothing less than a word-of-mouth security epidemic!

9. Make security part of the fabric of your business

The security professional’s dilemma:

Imagine your business as a jar of pebbles. The jar is already full to the brim with pebbles, each of which is essential to the ongoing success and growth of the business. You’re trying to add just one more pebble – called security – but you just can’t get it to fit without taking out one of the other pebbles first, or ramming it in, which runs the risk of breaking the jar.

The problem is that the pebble is hard and inflexible.

So what if security culture was a glass of water you could pour in? It fits the jar and it reaches all the pebbles without displacing any one of them. The water – like culture – adapts to the space available, and its flexibility allows it to utilize every route within the company.

We’re aiming for security to be woven into the people, processes and products of our organisation and we need it to seep into many everyday interactions.

Conversation and culture work hand in hand. The minute security gets ‘blocky’ it finds itself edged out by all the other calls on people’s time, but weave it through meetings, around existing events, into the consciousness of employees and suddenly its presence is being felt throughout the business – without anyone being sure how it became so much a part of ‘business-as-usual’.

Conversational routes through the business:

  • Induction – Could security awareness become part of HR’s induction programme?
  • Meetings – Could security be included as a standing item on all meeting agendas?
  • Media – What is already up and running that could feature security stories and news?
  • Events – What events are currently planned that security could be a part of?
  • Appraisals / annual reviews – Could security be included on the form and be a topic of discussion in the meeting?
  • Walks between meetings – An excellent opportunity for informal conversations inviting collaboration and offering updates.
  • Lifts, stairs and coffee machines – Places where informal stories can be shared, concerns can be raised and ideas initiated.
  • Quirks – Something random and unexplained. Borrow a life-sized mannequin and sit it at a hot desk hunched over a computer. Leave it there for a week without saying anything. Then start your awareness campaign regarding tailgating and wearing ID cards.

QUICK WIN: Is there a story that would get tongues wagging in your business? What is it, and how can you start spreading it?

10. Measure what’s really happening

Taking the temperature of your current culture

So how can we identify the culture currently operating? At this stage, it’s worth asking yourself a few questions about what people in your organisation are saying and doing in relation to security:

  • What’s the most important thing to everyone in your organisation?
  • What do people talk about most?
  • How does that affect the way people work?
  • Does security feature on the agendas of team meetings?
  • Do you reward good security behaviours in your organisation?
  • How do employees know if they are behaving securely?

This is not a comprehensive list, but by answering such questions we get a sense of what we are working with and what, therefore, needs to change.

Pulling it all together

Armed with these principles, you’ll see how behaviours can form the basis of an all-encompassing strategy for employee awareness and change. It’s the beginning of a vision to take to the board. Now it needs to be pulled together and tailored to the particular needs and structure of your organisation.

Don’t underestimate the potential power of those quick wins. You can do them immediately without having to make that big pitch (and without budget!) and getting those conversations going with your allies will help you to develop your ideas. You’re already beginning the company-wide conversation that will change culture.

In our experience, small initial steps soon become big strides, and once some key building blocks are put in place, the culture’s development is exponential. Some of these cost money and some don’t. Some require an initial investment of time and effort but are relatively ‘low-maintenance’ beyond that. But as the new culture takes hold, best practices become habits and old poor behaviours fall away. New employees quickly learn from what their new colleagues tell them, they absorb how things are ‘done around here’ and they adopt the behaviours of the culture readily.

Once a developing security culture gains a foothold and gathers some momentum, it becomes unstoppable. Yes, it needs tending to on an ongoing basis, but, in essence, an established culture is self-sustaining and difficult to break. A truly proactive culture will grow and scale up as your business does, and it will be able to adapt itself nimbly to the changes in technology, attack techniques, and the work and security practices that the future undoubtedly has in store for us.


Are you ready to activate your Human Firewall?

If you’re looking for a tool to help minimise your cyber security risks, our Layer 8 app uses conversation to create proactive security behaviours that can be measured.

The Layer 8 Toolkit® is accessible in App or Web-based formats. Ask us for access to our demo!


In collaboration with Layer 8