Don’t let complacency put your facility’s security in jeopardy
When people first start off in the security world, the standards they’re held to are fresh. They’re newly trained on them, bringing them to the forefront of their minds, and they make a point to follow procedures to the letter, whether out of a desire to impress or a fear of making mistakes.
However, as they get more comfortable in their roles, those standards may start to drop. Someone who always dutifully locked their computer when they walked away from their desk starts leaving it open, figuring since nothing has happened yet, it won’t in the future. They forget their badge, leaving it out after they head home for the day. This type of complacency, brought about by overconfidence, can be a major security threat to your business, as it creates a potential negligent insider threat.
These employees are like drivers who have had their license for a long time. When they first started out, they may have been extra careful about following the rules of the road, coming to a full stop at stop signs, staying within the speed limit, and always using their blinker when merging. But after years of no accidents, they assume they can push their limits a little more, raising their speed and being a little bit more reckless. That’s when the accident does happen. So how do you convince those long-time employees to get back to following those easy-to-forget procedures before they get your company into a collision?
Education is Everything
Your annual refresher trainings will be a large part of reaching your complacent employees. However, that means you need to keep them engaged and drive home the importance of maintaining security. You can accomplish this in a variety of ways: adding interactive sections to the presentation, using humor through memes or jokes, and using real-life examples of how security issues affect personnel and businesses. If you can create a memorable moment in training, it will stick in people’s heads better, and it might just be the lightbulb moment a long-time employee needs to remember why these security procedures really do matter.
Training is an important part of keeping personnel following procedures, but that can’t be where it stops, especially if they’re only hearing it once a year as part of an annual refresher. You have to find ways to integrate learning moments into your day-to-day work, especially if you have someone who is consistently making the same mistake.
Make it a Game
Different people will respond to different styles of learning. For some, a verbal reminder in a training is enough. However, as a leader in your company, utilizing different ways to reach your employees will broaden how many people you can reach. Gamifying some of these procedures can be a great way to reach people who might otherwise miss the message, and they can be made a more regular part of company culture.
Do you have an office-wide issue with people leaving their computer unlocked when they leave their desk? Let employees know the security team will be on the hunt for people doing this, and if they’re caught with their computer unlocked, the security team will send out a “hacked” message to the office group chat. People who were hacked will owe the office, their floor or their team a box of donuts. Make sure it’s only the security team sending these messages, though, so that employees aren’t seeing potentially sensitive information on others’ computers. The next time someone who got “hacked” goes to leave their desk, hopefully they’ll remember the annoyance of buying donuts for everyone and lock their computer to avoid doing it again.
You can also take an open laptop as an opportunity to change its owner’s background to something humorous or silly. This can also work if someone isn’t practicing good password security and leaves their passwords written out on their desk. If someone is consistently forgetting their badge at their desk, hide it and let them know they’ll have to find it. All of these create teachable moments that can also offer some levity. The most important thing is for employees to be consistently reminded to follow the procedures that matter.
Remind, Remind, and Remind Again
Even if you’re a one-person security team, you aren’t alone in building a security culture. If you’re running into a specific problem across the company, like people not locking up secure information, get managers and team leads to help you drive it home. They most likely see their team much more frequently than you do, so ask them to bring it up in their meetings. If your company has regular all-hands meetings, either discuss security concerns there or have whoever runs the meeting make an announcement on your behalf. Send emails discussing the issue. The important thing is that personnel aren’t only hearing about security topics once a year, but that you’re finding ways to regularly put reminders in front of them.
But again, not everyone learns the same way, so you can also add a visual element to your reminders. Hang up colorful and eye-catching posters in your office that depict the security procedures. You can even set up a motion-activated vocal recording that reminds people to lock their information away at the end of the day.
It’s also crucial that the security team is setting the example. A robust security culture comes from the top down, so if the people meant to be enforcing the rules aren’t following them, people will think the rules simply don’t matter. Of course, discipline also has its place in security, and if, even with all these different types of reminders, people are still failing to follow procedure, it’s time to have a conversation with them, write them up, or seriously consider whether a job in security may not be right for them.
If you’re an FSO wanting to improve the security culture of your company, Adamo can help. Our FSO support team can offer engaging trainings and take tedious work off your plate, freeing you to work with your people in a more meaningful and direct way.