I surprised my son last week. He was in the proverbial doghouse for dropping the family laptop. Now the crazed crystal garden that was growing across the screen with cracks like scale San Andreas models could only mean one thing…something expensive was going to happen. Lessons are important when given a personal edge, and there was a mixture of compassion and awakened responsibility when we made the decision that he’d have to fund the repair from his savings he’d accumulated over the last nine months (mainly due to birthday funds sent from remote relatives), and the new bike would as a result have to go on hold. Cruel to be kind. Perhaps. Where I surprised him was this…I told him that he was now the member of the family I’d trust most with the laptop. He was speechless. But what was nice was the beam that shone from his face as he guessed correctly why I was awarding him this new level of trust. He had vaguely known about being careful with electronic devices prior to that incident, but like the labouring minister in the pulpit, it always seemed like the real message had been for the person sitting next to him. Until tragedy had struck. Now he knew the consequences of carelessness.
Now of course we can’t wait for everyone to have their Damascene moment of tragedy and revelation. It’s no good bombarding people with a constant stream of scary messages. The recipients could easily become desensitised to it all. By the time you get to Friday the 13th: Part IV, the gore is more comedic than shocking. And it’s the same with security.
Banks are driven by regulation. OK. Sometimes it’s about working around the regulation, and we see where that got us. But on the whole it’s about following a whole lot of rules. Sometimes you may get away with it, but when you don’t, the effect can be catastrophic. So it is with security. Every business has explicit compliance regulations to contend with – accounting rules, caring for personal information about customers and employees, and so on. We want to get the widgets off the production line, get the service staff out to the clients, and keep track of the invoices and receipts. Don’t hang over your staff like the proverbial sword. After all, you won’t have time, and they will soon be immunised to your ever-watchful gaze. At the same time, don’t expect that everyone from the switchboard to the board room will become an expert on all threats to the business and the regulatory environment.
What you need to do is make small inoculations of knowledge and know-how. Instil a bit of pride. Make the recipients beam about their attention to data protection, appropriate use of social media sites, and protection of tangible security measures such as passwords, ID cards, and padlocks on the filing cabinets. Make them active defenders in the battle with unknown assailants who could easily wipe their jobs off the map from a warehouse in Belarus.
Security should be a natural part of the business culture, tempered by the level of threat. We don’t all have to protect a power station, but we do need to protect our jobs without security taking over and leaving us like the proverbial deer in the headlights. If you want compliance to be as much a business mainstay as collecting a wage slip, you need to give your staff easy steps they can succeed at. Just as they edge their way day by day to the end of the month, and just as the salary payments are a cycle, so too are those messages of how to make information security a norm in your business. Repeat them in small, engaging eddies of activity, with ways for staff to be rewarded for good behaviour as well as an understanding that there has to be action (i.e. specialised training) for repeat offenders.
In the meantime, new laptop screen ordered. Waiting for the bill. Lesson learnt. But no doubt small, kind reminders will still be needed as my son grows up.