Some things that are unthinkable today:
• Driving without a seatbelt.
• Smoking while pregnant.
• Throwing litter out the window.
• Leaving a campfire smoldering.
Yet all these behaviors were once common practice.
One critical factor—Effective public service announcement (PSA) campaigns gradually changed people’s behavior.
The classic PSAs that ran in the 1970s through the 1990s were so powerful that the images are even recognized by today’s millennials.
The PSA strategy has a lot to teach those working in the cyber-security realm.
Employees represent major risk
There is broad agreement that the frontline of the corporate cyber-security war is the people within corporations.
As much as 95% of all incidents occur because of human error. Therefore, shifting employees’ behavior is essential for organizations to prevent enterprise-jeopardizing data breaches.
Corporations could vastly decrease their risk by leveraging these five best practices from PSAs for internal cyber-security messaging campaigns.
1. Focus & Simplicity
Smokey the Bear says, “Only you can prevent forest fires.”
The message is brief and clear. Your actions cause wildfires, so you can prevent them.
Most cyber-security presentations are awash in information. Cyber-security trainers, of course, want the learners to grasp as much as possible. Swamped with detail, people quickly become paralyzed.
In terms of shifting actual behavior, however, you have to pick one thing at a time, or a very few. Focus on a small subset for your internal messaging and “PSA campaign.”
What should you choose? The most critical messages for most corporate employees are
• Effective password management. Have complex passwords. Change them periodically. Don’t share them.
• Practice email caution. Be suspicious of what you receive and don’t click on links.
• Protect sensitive company data. Don’t post on file sharing sites.
• Report a breach. Tell someone if you clicked on a suspicious link or lost your device.
If you watched TV in the 1970s, you remember the Native American with a tear rolling down his face.
This ad personalized the effects of littering. It was no longer a victimless crime, just a soda can tossed out a car window.
Cyber-security can feel complex and removed from daily life.
Who is affected by a data breach?
Who will be hurt by an individual employee’s carelessness?
You need to answer these questions for employees so they understand why they should care.
Consider this example:
Meredith, a single mom, can’t get a mortgage. After an ACME Company data breach, her identity was stolen and it ruined her credit.
Company data is Meredith’s data. Treat it with the care it deserves.
Remember these classics?
“Friends don’t let friends drive drunk.”
“This is your brain on drugs.”
“A mind is a terrible thing to waste.”
These messages have been repeated so frequently, they roll off the tips of most Americans’ tongues.
Reaching the whole country, over and over again, costs millions. Repetition within a corporation is easy and economical by comparison.
Your internal cyber-security campaign messages can be placed at the bottom of your emails, in the halls, break room, and restrooms.
4. Give people an action
Consider these classics from opposite ends of the civic threat timeline:
“Stop, drop and roll.”
“If you see something, say something.”
Give your audience some concrete action to take. Battle your own frustration, and that of your IT department, about the dozens of things you want your employees to do.
If all employees did a better job on A, B, C, D above, every corporation’s data would be more secure.
For example, if you wanted to inspire employees to come up with better passwords, you might put up posters that say:
“My first apartment had 3 rooms, and the rent was $400.”
Your life makes a great password!
5. Use a strong image
Remember those mangled crash dummies?
“You could learn a lot from a dummy. Buckle up.”
An image that shows the concrete consequences of actions, especially in a metaphorical way, triggers strong identification responses in the viewer.
Some examples of images that convey cyber-security messages:
• An unlocked front door.
• Valuables left in plain sight, such as on a front lawn.
• A leaky pipe.
Changing behavior does not happen overnight, but it’s critical to achieving data security within corporations. Including PSA-style messaging campaigns is a necessary tactic in the cyber-security war.