Creative Approaches to Security Awareness Training
When London-based Barclays Bank PLC launched a new information-security risk-management campaign for employees last year, it did so in red-carpet style. To reinforce corporate security policies among its 150,000 employees worldwide, the company produced a 22-minute “mockumentary” film, handling with humor such blockbuster security themes as incident reporting, appropriate disposal of confidential materials, and password security. Then, not to be outdone by Hollywood, Barclays unveiled the film with a movie premiere.
“We wanted to have something that would grab people’s attention a little bit, be entertaining to some extent, but also deliver some important messages,” says Mark Logsdon, Barclays lead information risk manager.
Companies worldwide face significant threats to their proprietary information from employees, studies have shown. While security leaders recognize the risk, many companies are failing to mitigate this risk by communicating effectively with employees.
IT industry analyst firm Enterprise Strategy Group (ESG) recently surveyed 308 European and North American security professionals from companies with 1,000 or more employees. Respondents said that training users on confidential data security policies was the most important measure for protecting proprietary information, followed by physical security and access controls for the data needing protection.
When asked to rate their own organization’s performance in communicating policies and training employees on these policies, 38 percent of European security professionals judged that it was either “fair” or “poor,” compared to 24 percent selecting those ratings in North America. Doing a poor job of communicating security policies to employees creates “an unacceptable level of risk” and should be a high priority for chief information security officers, the study says.
When IT personnel do communicate policies to employees, they often use nonverbal and indirect methods, such as e-mail, pop-up messages during computer login processes, and voicemail, according to a 2008 report from Cisco Systems, Inc.
Barclays advertised its film internally through enticing email messages, a movie trailer, and a two-week poster campaign building up to the release of the film on the company’s intranet.
Logsdon says the project has been a success both within the company and in the security community at large. While it is difficult to gauge how many employees are following the best practices, the message is being heard. Intranet traffic “went through the roof,” Logsdon says. The project was also a finalist in the SC Magazine Awards Europe for information security project of the year.
More important, the film helped Barclays attain ISO 27001 accreditation, which sets a standard for information security management systems. The campaign also pleased British regulators,
Jim Shields, creative director at Twist & Shout Communications, the digital media company which Barclays commissioned to create the campaign, says that Barclays is not alone. Twist & Shout was also recently hired to create several short information security videos reminiscent of the television show The Office for Paris-based Alcatel-Lucent.