There's nothing quite like a company-wide directive to spread a sense of malaise at the office, especially when it's about data security--worse yet if it comes in the wake of a data compromise. It is critical to approach the issue in a productive, non-threatening way.
All the good intentions in the world can't keep "information security" from instilling insecurity in the hearts of most employees. Call it "infosec," as your company's go-to insiders may be wont to do, and you may actually be able to feel the panic ripple through your organization after hitting "Send."
The threats out there are real and growing, but the business must still function as a business. So, is there an effective way to communicate what your employees need to know without negatively impacting morale?
Let's get back to that company-wide directive.
While people already familiar with information security advice may feel like they're working with clueless individuals, those to whom the communiqué is completely novel will start wondering if they're about to get hauled into a meeting with human resources for some vaguely understood crime against the company.
Get that message a little skewed--or write something less than crystal clear--and you will add confusion to an already worrisome climate. It doesn't take much for a simple note about best practices to create a toxic work environment.
How do you know it's toxic?
There are tell-tale signs. People are paranoid. Conversations around the water cooler--or vending machine, or company omelet chef--take on a gloomy cast.
When a mistake is made, you can almost hear the screams of people getting thrown under the bus. People feel like their every move is being judged. The stress level is high and output... well, not so much.
The first way to stop things from going bad is simple. Make it clear that while the goal must be prevention of compromises and protection of data, many breaches have become unavoidable.
If one happens, which it very well may, the organization will get through it together. Mistakes happen, and the goal is to avoid making them whenever possible.
Data breaches have become the third certainty in life
They're right behind death and taxes, and the numbers are staggering. Companies large and small are being assaulted on an hourly basis by hackers of all stripe (state-sponsored, for-profit, cause and "because I can") and for many organizations, their employees, customers, partners and vendors, the results are indelible.
For some enterprises, a significant hack--the average cost per record breached was $154 in 2015--can be a near-extinction level event.
One way to get people in a better place to hear what you have to say is to place a flashlight under your chin and tell a scary story. But, make it real.
Here's a generic example: A guy from the accounting department stops his boss as he is walking past his office--finger poised over the send button--to ask why the CEO has requested that he provide by way of email all back-up data and supporting documents for personnel W2 forms.
The manager has no idea what he's talking about. The employee shows him the email.
It is a fake. A scammer spoofed the boss's email.
He or she had done their homework, spear-phished the employee and he was literally one keystroke away from sabotaging the entire company and putting his job, and the sensitive personal information of all his colleagues, in jeopardy.
What can I do?
Stories illustrate the various risks out there and are very good tools to help create a culture of information security.
There is specific knowledge out there, and it needs to become the lens through which employees actually see and move through the world, especially if they are working with sensitive information.
But this holds true even when employees are having "non-sensitive" interactions with colleagues internally or dealing with individuals and vendors outside the organization about day-to-day issues (remember, Target got hacked through the infiltration of an HVAC vendor).
"To All" emails are not a great way to communicate the need for a paradigm shift at an organization. More often than not what you're communicating through mass communications is something quite unintended--something viral and highly contagious, like a zombie plague, only worse for the bottom line.
It's called fear.
Here's the main thing: Tell stories, and sew awareness into the fabric of your organization's day-to-day.
And never forget, as many military leaders are fond of saying: Fortune favors the prepared.