Beyond Cyber Security: How to Create an Information Security Culture
With just under a year until theGDPR (General Data Protection Regulation) comes into force, can you say that the data held by your market research department or agency is secure? Are you reading this thinking “What is the GDPR?” Or perhaps you sit somewhere in the middle…
To clarify, the GDPR imposes new requirements on organisations handling personal data and also extends those of the current Data Protection Act. It is not this regulation specifically that I want to discuss today, but rather the big picture challenge associated. The challenge that underlies the success of all insight business GDPR / information security policies: how to achieve an information security culture.
Before we proceed it’s important to clarify what we mean by information security, particularly with respect to the market research industry. Information or data security is often assumed to be a cyber security issue. I have heard the terms used interchangeably when in fact, cyber security is a subset of information security. TheGlossary of Key Information Security Terms - NIST (National Institute of Standards and Technology (US Department of Commerce)) states:
Cyber Security The ability to protect or defend the use of cyberspace from cyberattacks.
Cyber Attack An attack, via cyberspace, targeting an enterprise’s use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information.
Information Security The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.
These NIST definitions demonstrate the holistic nature of information security and the reason that we must go beyond cyber security as market research practitioners. Ours is to protect all respondent and client data, be it held in cyberspace, in unconnected systems, via hard copy reports, even in the memories of employees.
Creating an Information Security Culture
Whilst technology and the cyberspace certainly factor in the information security landscape an information security culture, the most effective approach to information security practice, comes from the interplay between technology, process and crucially people.
With that in mind, here are my 5 top tips for creating an information security culture in your market research space.
1. Top Down Leadership
Without doubt, strong and committed information security leadership is the key to cultural adoption. Employees take their cues from top management and the tone they set. When it comes to information security the top down message must be positive, sincere and focused on the business benefits. Avoid positioning its practice as a ‘complication’ or ’inconvenience’ – unless of course you want your insight professionals to think this way too.
2. Corporate Objectives
Including insight information security elements within your corporate objectives sends a clear message that they matter. Make related objectives specific and measurable... and do measure them regularly!
When defining your objectives, ensure that they are balanced. Never focus on the function of information security technology alone. Unless you work with IT, information security technology has little meaning. It is essentially invisible. A technological focus will lead researchers to rely on it, to think that it will do all of the information security work for them. This is entirely the opposite of the message you are aiming for. Targets for attendance at training sessions, knowledge and best practice are much more inclusive. They encourage employee ownership and long term cultural buy-in.
3. Creative Training
For an information security culture to thrive all insight department or agency members must be kept up to speed with information security policies. A program of awareness training is an essential component. To ensure that this translates positively I advise adding context.
Information security training should always begin with a review of potential data threats. You can make these meaningful by personalising them. Ask attendees to consider the information that other organisations hold about them, and to think about how they would want that information handled. Using real world examples to demonstrate how their data and that of their family members should be protected as well as the impact on them if it isn’t will resonate to a much greater degree than simply providing a list of market research do’s and don’ts. It brings in-house policies and processes to life, stops them feeling abstract.
Remember the format too! Who says awareness training has to be delivered in presentation lecture style? Vary it with workshops, role play and video clips to get the message across.
Like most things, an information security culture takes time to establish. Your training programme must be both continuous and frequent to be effective. People have short memories and limited attention spans sodon’t confinetalking about security to formal training. Identify your key messages and look for ways to create ‘infosec moments’ in the daily routine of all market research employees. Use posters, emails, newsletters, etc. to remind them of the value of information security and their obligations to it on a regular basis.Do confineyour infosec moments to repeating these key messages. Save the introduction of new policies, processes or requirements for dedicated sessions to avoid dilution.
5. Carrot Not Stick
It can be tempting to resort to scare tactics when it comes to information security. A serious breach carries the potential for significant financial and reputational repercussions… scary stuff! Clearly it is important to make insight professionals conscious, on a personal and organisational level, of the fall-out of not taking information security seriously. Doing so encourages accountability but take a measured approach. If you go too far you risk creating fear culture which can be counterproductive for a number of reasons.
1.“It’s never going to happen” - Humans have a tendency to shy away from the worst case scenario and are likely to underestimate the probability of it occurring to them. This can lead to an, “it’s never going to happen” attitude, which undermines the perceived importance of information security.
2.“What do I do now?” – When people are scared they tend to respond automatically, blindly and rigidly, following procedures without understanding why. The risk here comes when there is a deviation from the norm. Without understanding insight employees are unlikely to have the wherewithal to react appropriately.
3.“Shushhh!” - Fear encourages covert behaviour. When things go wrong what can start out as an information security near miss can easily escalate into a serious incident if researchers are fearful of admitting mistakes and voicing their concerns.
Counter the fear culture by demonstrating consistent and fair reactions to insight information security issues. Be clear about your expectations of staff, identify the lessons learned from near-misses and use them to action change collaboratively.
Without being scary myself... It has been estimated that72% of businesses that suffer a major information security breach will shut down within 24 months. Initiating a positive information security culture within your insight department or agency is not only a significant enabler to achieving GDPR compliance but a prerequisite to long term ‘stickiness’ and potentially survival. I hope you find my tips for doing so helpful and if you have any of your own please do share them below.
Louisa is a self-described Info Sec Warrior, who has been key to FlexMR obtaining the ISO 27001 and Cyber Essentials Plus certifications. She is responsible for our information and data security processes, using her extensive knowledge of market research and attention to detail to ensure that we provide the highest level of security possible. You can follow Louisa on Twitter.