If You’re Thinking About Cyber Security, You Should Also Think About Behaviour Change
It’s no longer an option to view cyber attacks as something that happens to someone else, some other organisation, or just a technical issue. It’s now standard practice for all large organisations to have measures in place to protect themselves and their assets, and these measures often include an element of culture and behaviour change.
I’ve recently been involved in a project where I helped a client change the way their workforce viewed cyber security and embed a set of new highly-secure behaviours.
The project has been very successful and I’ve even found my own behaviour changing as a result – I’ve signed up for a password manager and my laptop is now a veritable fort knox!
So what do we mean by cyber security?
In its simplest terms, cyber security is the protection of an individual’s or organisation’s cyber assets.
To protect cyber assets you need to worry about physical security as well as cyber security. This is where you need to think about the culture and behaviours of the organisation – there’s no point having great firewalls in place, if you leave the door to your server room open!
What is a cyber threat?
There are a number of different types of cyber threat, including state-sponsored attacks, insider threats, cybercrime, cyberterrorism, physical threats (staff members leaving doors or computers unlocked) and ‘hacktivism’ (hacking a system for social or political gain). Each company will have a different profile in terms of which of these threats are the most probable and how serious the consequences of a breach could be.
How does an organisation protect itself against cyber attack?
If people don’t understand, endorse and actively support cyber security consistently throughout an organisation, it’s just a matter of time before the best of systems will be compromised.
As change professionals, the area we add value is in helping our clients identify and embed the behaviours that will support the other measures (such as technological protection) they have in place. This isn’t just a ‘nice to have’ – if people don’t understand, endorse and actively support cyber security consistently throughout an organisation, it’s just a matter of time before the best of systems will be compromised.
Affecting large-scale behavioural change
Let’s be clear about one thing: change is hard! I get uncomfortable changing my brand of toothpaste. So effecting meaningful, lasting change can’t just be a top-down approach. For behaviours to adapt, and for change to be truly adopted, all affected staff need to take ownership and understand the importance of the change.
Here are some key methods and approaches we use at Afiniti to help our clients ensure long-term and sustainable behavioural change is achieved across the whole organisation.
1. Build sustainable toolkits and communications
This can’t be a one-off short-burst campaign, it needs to be rolled out over a period of time for the desired behaviours to become embedded as second nature.
To help maintain a high level of interest throughout the project, try a mix of communication styles from hard-hitting and informative to softer, more subliminal messaging.
And lastly, by using a blend of channels and methods, plus appropriate language and tone, you can ensure your key messages reach all intended audience groups.
2. Co-create and utilise real people to generate awareness and validate the programme
Take the time to understand people’s opinions and insights into their areas of work, and then involve them in the project planning and execution. This way you’ll not only gain a more rounded understanding of the business needs, but people will feel invested in the project from the beginning.
Once people feel on board and understand the importance of the changes, work with them to create content such as short videos and workshops. This type of user-generated content can really help with marketing to external audience groups, so why not reap the benefit for your internal communications efforts too? It’s often cheaper, more authentic and more trusted by internal audiences.
3. Use creative and eye-catching visual assets
As they say ‘an image can convey a thousand words’ and this is certainly true when you’re trying to present a set of important key messages. Trying to condense a long white paper into a punchy animation or presentation can be a difficult thing to do, but it also forces you to concentrate on the things that really matter and helps to bring ideas and concepts to life.
4. Create a security champions network
By giving tools and training to a group of security champions, you can create a community which supports the wider workforce on a day-to-day basis. The champions can share experiences, best practice and be a point of call for questions, ideas and concerns. It also really helps to see respected colleagues modelling the desired behaviours.
It’s important to bear in mind that changing behaviours and mindsets doesn’t happen overnight, these things take time to embed. The tools and approaches above will help you maintain momentum and create the emotional engagement you need to embed the desired ways-of-working on a permanent basis.
If you have any interesting insights, or experiences of behaviour change related to cyber security, we’d be interested in hearing from you, so leave us a comment.