By Lynn Smith

You may recall the shock in June 2016 when the University of Calgary was held hostage by a ransom attack and had to pay $20k to release its data, or, more recently, when 50 million Facebook users’ data was hacked. Organizations are increasingly facing attacks by cyber criminals that could cripple them, and having a solid, effective cyber awareness communications plan is critical.

For communicators, developing a plan that is effective – and actually causes measurable changes in staff behaviours – can be challenging. Here are a few things to keep in mind. 

Awareness is key to protecting against cyber criminals and an important part of proactive communications.

1. Develop all elements of a best-practice plan, including goals and SMART objectives (Specific, Measurable, Achievable, Realistic and Time-Bound), the proposed approach, and metrics to ensure effective communications.

2. Learn what’s keeping IT Security people up at night; this will inform your goals and the areas to focus on. Is it social engineering attacks? Or are employees regularly downloading viruses by using USB data sticks? What are the big-picture risks, and what behaviours are they concerned about?

3. Take a look at past messaging and determine whether it can be built upon or should be discarded. Many companies use pre-packaged communications, and while these may have relevant content, they often lack impact because employees can’t relate to them. That is, if they do not align well with the organization’s brand, they will not resonate with audiences. It’s better to create new messaging with a fresh visual identity that does align with the brand.

4. Focus the messaging around safe practices that can be applied at home as well as at work. When employees adopt safe practices in their personal lives, they bring those to the office too.

5. Check government and consultants’ websites, such as those of Deloitte and PwC, to learn about the latest risks. Be sure to have your IT Security people review and sign off to ensure any recommendations are accurate.

6. Keep messaging simple and use relatable examples. For instance, I once had an employee share how their Hotmail account was hacked and personal identity stolen. They had great difficulty with creditors for years afterwards. This story brought the risk of using poor passwords and not having up-to-date anti-virus software home very quickly to people throughout the organization.

7. Consider the industry of the organization. For example, lawyers may want to reassure clients that their data files are kept confidential and well protected. Providing some articles about data protection to this audience would be well received and have ‘legs’ in terms of being able to convey additional messages about the brand to external audiences.

8. Don’t hesitate to reach out to your communications network to learn what’s working well in other organizations. Even if they are fierce competitors out in the marketplace, most companies collaborate to fight cyber crime, and their IT Security departments talk to each other often. Learn what they are doing well.

There are many other adjustments that can be made to classic communications plans to ensure they effectively engage employees when it comes to cyber security awareness. For communicators to be effective, they must continuously keep an eye on current risks and what is working well for other organizations. In this way, they can deliver a strong plan that works well to safeguard the organization, its information and its employees.


Lynn Smith is president of Convey Communications and an expert in cyber security awareness communications. She is also a freelance writer and marketing professional. You can reach her at
