Is the cybersecurity operation in your organisation suffering from a killjoy reputation? Too often employees can see cybersafe practises as an additional level of governance and regulation that they don’t need, and a barrier to their autonomy and inspiration. We know that a sense of freedom and independence is what’s needed to create the right culture and environment for project success and high-performing teams – so how can this be balanced with the implementation of essential security measures?
Here are five ways cybersecurity can be repositioned as an enabler of experimentation and creativity, rather than limiting red tape.
- Introduce the right technology
Among the key reasons people are known to buy – a product or an idea – are to prevent losing money, save time, avoid effort, prevent stress, protect themselves and family, and have peace of mind. All of these are relevant when it comes to cybersecurity. It’s just that it’s not often presented in an appealing way, with technology that actually does make people feel that they are saving time, avoiding effort and stress while at the same time protecting themselves, their company and their family so they can have peace of mind.
Here lies one of the most important elements of a successful cybersecurity campaign: picking the right technology. No matter how aware employees are of the importance of cybersafety, that awareness will not translate into habitual adherence to secure processes if the technology you are employing causes them increased effort, wastes time and adds to stress.
At Victoria University (VU), we’ve had a great success by finding a balance through the technology we implement. For example, our Multi-factor Authentication is easy and straight forward to use, adding the protection the business needs without bothering staff too much and giving them peace of mind that their accounts and hard to break in to. Or, in our journey to give staff more control over their information and documents, we’ve implemented the Azure Information Protection toolbar, once installed, it’s as simple as picking option 1, 2, 3, or 4 and future enhancements will focus on improved security and minimal process impact.
- Embed security consciousness
One of the simplest and most effective ways you can make cybersecurity a personal priority for employees, or anyone, is to present it as essential knowledge for modern society – as a life-skill they will always need to employ both in and outside of the office environment.
In our approach, we are always careful to highlight this aspect of cybersecurity in our communications, by including real world examples of hacking victims and alerting our audiences to current scams and cyber threats to keep it relevant. We also partner with external initiatives such as the Australian Government’s Scams Awareness Week and the global Safer Internet Day, focusing our awareness activities on the relevance of cybersafety beyond work by inviting employees to attend workshops on online safety for families and offering advice on how parents can protect their children from cyber threats and bullying.
If you can make cybersecurity something that individuals are invested in personally and care about on a human level, because it relates to their own lives and that of their families, not just their company’s intellectual property, then you have achieved one of the most significant goals towards adopting a cybersafe outlook across the organisation.
- Employ change management principles
To effect any change on an organisational level, it’s imperative that you have an understanding of what motivates people to want to adopt new knowledge and processes.
Our cybersafety campaign operates in the form of an ongoing program of work, complete with a project manager, and, funded through the University’s project management office, we have access to the necessary skills of highly knowledgeable business analysts and change managers who are able to use their expertise to support our activities such as regular phishing tests across staff to measure cybersecure mindset and safe behaviour adoption and readiness.
Employing principles such as ADKAR (awareness, desire, knowledge, ability and reinforcement) and project activities based around these has enabled us to create tangible and concrete, lasting outcomes.
- Make it fun and market it
At VU, our cybersecurity team sits under the department of Information Technology Risk, Security and Digital Networks. But that’s not how students and employees know it. We created “VU Cyber”, a catchier name for our cybersafety awareness activities to take place under and embody a recognisable brand that is underpinned by the tag line “Safe, Savvy and Secure”. Working with students in design and marketing, we co-created the VU Cyber brand identity through a strong logo, and marketing awareness strategies including posters and print collateral such as booklets on quick and easy cybersafety tips distributed across campus to staff and students.
We continue to approach cybersecurity from a marketing stance, with positions on staff dedicated to influencing students and staff through regular communications such as our Get Savvy Journal, a regularly updated website (internal and public facing – vu.edu.au/vucyber), meaningful and appealing merchandise like VU Cyber branded webcam covers, binge-streaming of cybersecurity thriller Inside Man, accompanying quizzes and competitions, and even keep cups.
In this way both students and employees stay engaged and upbeat when approached with cybersecurity advice, leading to a beneficial and enjoyable association with the experience and information. It’s common sense that when people are having fun, they are more open to ideas and more likely to remember things in a positive way.
- Be a partner not permission granter
Finally, you can change the perception of your organisation’s cybersecurity element by creating an environment where you are seen to be working together with all employees as a partner and equal that helps facilitate all their endeavours, just in a safe and secure way.
No one likes to feel that they are working under a dictatorship or ruled by strict guidelines, but through techniques such as those above, and others such as building strong relationships between managers and cyber risk managers, offering dedicated and custom team workshops to discuss personal cyber safety, and communicating consistently across all available channels, you can achieve a supportive ecosystem between employees and cybersecurity teams.
You’ll know this is working when you are no longer having to proactively campaign towards safer behaviours, but are in fact approached by groups around the organisation for your support, insight and expertise.
