How much do your employees trust your company?
This wasn’t exactly a question we were seeking to address via our 2019 Eye on Privacy Report. But then one trend revealed itself as we parsed through the responses from the 1,004 members of the working U.S. public who took our survey.
The trend came out of the incident reporting section of the report, which presented respondents with a variety of workplace scenarios and asked them if each should be reported as a potential threat to sensitive data.
One of these scenarios asked whether IT staff installing software to track employee internet usage on a work computer was such a threat. This question split respondents down the middle: 35% said it was and should be reported, 35% said it wasn’t, while the remaining 30% were unsure.
Though this scenario involves the monitoring of potentially private data, this practice is almost always considered legitimate and is becoming more common in our data-driven world. A 2018 survey from the American Management Association, for example, found that 78% of major companies monitor employees’ use of the internet, email, or phone, up from 35% of companies 20 years ago.
We can understand, though, how this scenario can feel like something that should be reported. After all, HR industry research shows as much as 40% of employee internet use is not work related, so it stands to reason that some personal, non-work-related data could get scooped up by an employer’s monitoring tools. As headlines describing the latest cyberthreat or data breach continue to roll past our news feeds, hesitancy at the thought of any sort of data monitoring is not hard to understand.
Still, this statistic speaks to a larger issue with employee trust in corporate data policies. An Accenture report, for example, found that 64% of surveyed employees are concerned that data collected by their employers might be at risk of a breach.
Trust Through Training
So, the question becomes: How can employee trust be improved when it comes to information security? Turn to one of the most impactful ways you can interact with your employees: security and privacy awareness training.
As awareness training managers, part of our job should be instilling employee trust in the organization. How else can we expect employees to take the training we make them sit through seriously?
Awareness training is an opportunity to put your company’s commitment to cybersecurity and data privacy on display in a big way. Through its design and elements, it’s also a chance to show respect for and trust in your employees. Here are some tips on working toward that goal.
Think of any time you’ve been told to follow some rule “just because.” “That’s just the way we do it,” may have been the rationale. Chances are that reasoning didn’t sit well with you. Without context, most directives like that are hard to swallow and less likely to be adhered to, no matter the reasoning behind them.
Though security and privacy awareness training should never be positioned as a laundry list of directives, that’s effectively what it is. The key is to be transparent about why these rules are to be followed and to explain the potential impacts for all involved if they’re not. This applies to both company-specific policies and even seemingly self-evident elements, like why employees should be wary of phishing emails. Showing the why and not just the what allows employees to feel like part of the team and not just order takers.
If you choose to include simulated phishing emails as part of your training initiative, be transparent about this, too. Why tip them off to what is essentially a pop quiz? The goal of a phishing campaign is to provide employees with a safe, simulated environment where they can learn about what real phishing attempts look like in the wild. It shouldn’t feel like a “gotcha” moment, or an attempt to make your employees feel stupid. Alerting your employees beforehand supports the “part-of-the-team” mentality. A sense of responsibility to the team, as long as it’s reciprocated, is a step toward trust.
Your employees have way more going on in their workday than training on security and privacy best practices (or at least they should). Keep this in mind when crafting messaging for training deployment. Don’t be afraid to poke fun at the very training requirements it’s your job to implement. If you work to meet them where they are and show understanding that this training, while important, is one of many responsibilities they have, they’re more likely to feel respected and be more receptive.
Additionally, be prepared to acknowledge that the near-constant vigilance needed to stay cybersecure is hard. This should show itself in the training and in the messaging you produce about the training. In the context of reporting potential security incidents, for example, stress that mistakes can happen and that the actions taken after a cyber-misstep are just as important as those that lead up to it. Your employees are humans, after all, and will appreciate being treated like more than unerring cogs in a machine.
Side note: The “Be Realistic” concept should apply to your work as an awareness manager, too. Set realistic goals for the kind of behavior change you’re seeking through training. Understand that this change will not happen overnight and will take time to filter through your employee population.
Everyone likes options, even if they all ultimately lead to the same outcome. Providing choices, or at least the illusion of choice, across your training initiative is a good way to keep employees engaged and show that you respect their intelligence.
We know from learning research that when you can engage people in considering options, making choices, having the ability to correct those choices, and getting immediate feedback, you increase their retention and thus the efficacy of the training. This can take many forms, such as following a decision tree that tracks the repercussions of a single action or a completely gamified approach that sees the employee taking a choose-your-own-adventure-style journey through content on security or privacy best practices.
This focus on providing choices can begin even before the core training does. A pre-test assigned before training can gauge how much employees know about a given topic, and its results can be used to remove content that would be boring to employees who already know the material.
Providing training in varied formats is another way to encourage choices. Though a core training experience should be required, employees can be given the option to interact with different supporting training materials, such as videos, posters, articles, and even games. This sort of thought and effort put into your employee training experience will help your employees see they’re in good hands.
Keep these points in mind when developing an awareness training initiative and you’ll be on the path toward improved employee trust.