It’s not because of ill will that your colleagues do not comply with your IT security procedures. It’s not to give the IT department extra work that employees click on links in phishing e-mails or download programs from obscure websites.
For many of your colleagues, the inappropriate behaviour arises because they do not understand the correlations of your IT system. For many non-technical employees, IT is a big, grey cloud that “some other people take care of”.
A security presentation is not enough
Being responsible for IT, it’s your responsibility that all your colleagues understand how and why they should help to protect your organisation’s information security.
In many organisations, this responsibility is carried out by the IT Manager in front of the employees with 54 PowerPoint slides filled with points, statistics and abbreviations, which in fact only data scientists can understand.
Believe it or not, this method is not particularly effective.
Explain IT security in layman’s terms
When you need to explain information and data security, the same principles apply as when a researcher has to explain his work at a family dinner.
It’s about three things:
- Making the subject relevant to the recipient,
- Deciding on the main message,
- Forming memorable images for the receiver.
These three things are essential for your message to get through all the noise.
#1 Why do you want to learn about IT security?
When you need to explain IT security concerns to your colleagues, the first step is to ask why IT security is important to them. It’s not enough to ask the question to yourself. You must actually ask the employees.
Take a handful of employees aside and ask them why IT security is important in their work. Remember to ask colleagues from various functions and departments.
Once you have talked to your employees outside the IT department, you will know which stories and examples to bring up when presenting security procedures to the rest of your organisation.
#2 Decide on a key message
There is always a prioritisation of risks. You know what threats are greatest and what traps your colleagues most often fall into.
Therefore, you also know which security measures are most important for your colleagues to remember. Is the most crucial thing to lock your computer when you leave it, or is it to delete e-mails from unknown senders?
When you need to communicate security measures to employees, you must have this prioritisation in mind. Ask yourself: “If people only remember one thing, what should it be?”
Once you have answered that question yourself, focus all your communication on that goal. Explain it over and over and over again. And in new ways, over and over again.
If you can get employees to remember just one message, you will find that they do not just remember it — their increased attention to IT security will have a “spillover effect” into other areas of security.
#3 Form mental images
It’s not only IT security that is difficult for non-technical employees to understand. As a rule, there is a general lack of understanding about IT. It also means that the starting point for what IT concepts your colleagues understand is much lower than you expect.
As with all other complex topics, it can therefore be useful to explain yourself via metaphors, i.e. imagery. Transform the complex and intangible knowledge into concrete things. Metaphors are extremely useful when you have to explain something abstract, meaning something that you cannot directly sense (in Danish).
When you talk about IT security, try to explain it as if it’s a house’s anti-theft protection:
- Lock your front door when you leave your house = lock your computer when you leave it
- Do not buy from unfamiliar door-to-door salespersons = do not click on links from people you do not know
- When the locks of the house are rusty and do not work, you change them right away = update your software to close security holes
- You are vaccinated before you travel = update your antivirus program before you go online.
By using images and situations that your colleagues can easily relate to, it’s much easier for them to understand why IT security is vital. So, the next time you need to introduce employees to a new security procedure or security measure, keep in mind that it’s only IT professionals who understand your technical language. Ask your colleagues why IT security is relevant to them, decide on a main point, and transform the technical language to images that employees can recognise.