2020 has been a year like no other. If we’ve been hoping for a universal push towards digital innovation, we got one. But at what cost?
The rise of remote working has accelerated online collaboration. But a relentless pace, combined with the blurred lines of work and home has left us vulnerable when it comes to risk.
And it’s not just us working hard remotely. Scammers are too. As spam and phishing increases, the unmonitored variables of each and every employee’s remote workplace presents a huge challenge for our IT teams.
So, what part do we, as internal communicators, play? How can we use our knowledge of our audiences to help bridge the gap between IT and the wider organisation? And, as we look ahead to more months of remote working, how can we tell compelling stories that help everyone understand their role in keeping us all safe?
We‘re delighted to be joined for this session by:
02:22 Introduction to the panel, their roles and how they got involved with cyber security
07:55 Why should IC teams have cyber security on their radar? Isn’t it more the IT team’s jurisdiction?
Matt: I think often both sides can see the other as being the blocker but the two have to meet, especially right now. The tech set up you have at home might have been a good sticking plaster at the start of lockdown, but it’s not right for the long term. People also need to understand the risks of working in a shared home – new challenges are emerging all the time. That’s where internal communications teams can bring their skills set to help IT plug the knowledge gaps.
Corinne: Our shift to longer term remote working has brought the issue to the fore. When I’ve run security campaigns in the past, one of the key messages has been that everything about handling passwords and data at work is equally important at home. Now, with the blurring of work and home life, that message is even more important. Scammers are out to take advantage and we’ve seen a lot of scams since the start of lockdown. This is an important time to help educate people about risk when examples or so visible.
Alison: We’ve seen a rapid acceleration of a lot of digital transformation projects which have been waiting in the wings for some time. I completely agree with Corrine – that ‘safe at work, safe at home message’, and the storytelling we do around that is where internal comms can really shine. At the beginning of lockdown, we were in a very functional role, helping people can set up from a practical point of view. Now, we need to look long term.
Tony: Where we used to swivel around to tell our colleagues about security issues, we’re now perhaps sharing that information in passing with partners at home who’ve become surrogate colleagues. That’s a big risk when it comes to data security. There probably isn’t a company guideline to say ‘don’t do that’ because we’ve never been in this situation before. This is a behavioural problem, not an IT problem, so what can we as communicators do to help our people understand the new way of working?
Corinne: There work to do around culture too. When it comes to encouraging people to report risk, they have to feel confident to do so. Are our cultures enabling or preventing responsible behaviour around risk?
15.49 Matt, you recently wrote in an article about shadow IT that you think one of the biggest contributors to risk right now is fatigue. Can you tell us about that?
Matt: So much of the work IT does is invisible, but it helps enable a productive and safe working environment for everyone, every day. When we packed up our laptops and began to work from home, the onus fell more on us as individuals to manage. Not everyone has the digital literacy to thrive in that situation. Initially, it seemed like a temporary fix and people pulled together. Now that’s changing and fatigue is setting in. Staying vigilant is hard when you’re worn out and IT aren’t there in the same way to protect you. More of the decisions you make as an individual, at home, present risks and now is an important time to reiterate and reinforce safety messaging.
Alison: As a standalone message, security can easy to ignore. One of the ways Internal comms can help with that is to weave it into other messaging. As we enter the fatigue zone, we can tap into other campaigns resonating right now, like wellbeing. For example, a message that encourages you to finish properly for the day, at a set time can include the step; ‘turn of your laptop and put it away in a drawer’. It supports the message of shutting off but automatically has a security message built in.
Corinne: If you’re a scientist, without having to think, you put on your goggles and coat when you enter the lab. We need to make good security practice behaviours the same. One of the things internal comms can do to help is by starting with the leaders in the organisation. By facilitating leader-led discussions or showing leaders doing the right thing can help reinforce the message.
Tony: Normalising stories about cyber security, particularly the times we don’t get it right, is important. Taking examples of when someone clicked on a phishing email and what happened as a result is a good way to demonstrate that these risks are serious, while also showing how the business dealt with the issue and worked with the employee to be safer going forward. It creates a more open culture around reporting risk.
Alison: I’m a big believer in positive psychology. Often, campaigns around security say, ‘don’t do this’ but I think it’s important to focus on enabling and empowering people to upskill.
27.32 A lot of businesses may be in a holding pattern right now, wondering whether to invest in more infrastructure. What do you think they should consider right now?
Tony: There’s a lot of talk about ‘when we get back to normal…’, as a way to excuse the use of shadow IT as temporary. But if your people are using WhatsApp to communicate, they’re going to continue to need a way to communicate for the foreseeable. So, what can we do to invest in bringing these platforms to life and support the behaviours in ways that don’t compromise our data security?
WhatsApp might not be the best tool for the job, it’s just what people are familiar with. Look at the behaviours of your employees and how they’re collaborating and consider the alternatives, like Teams, Slack or Workplace. Nine times out of 10, your organisation will already have an incumbent platform in place that can meet these needs, but isn’t’ being used. Kaizala, for example, is a WhatsApp-like tool available as part of the Office 365 suite that nobody seems to have heard of. Is it as sexy as WhatsApp? No Does it present a whole heap of risk to the organisation? Also, no.
Alison: Great information often comes out of IT and cyber security groups but it’s broadcast and doesn’t seek feedback. Internal comms can really add value there, particularly when it comes to Shadow IT, to help ask people around the business the gaps they’re experiencing and the unmet needs from a tech perspective to help co-create better solutions.
Matt: We often see people using a shadow IT to get a job done and when, finally, the cat is out of the bag about it, IT will say ‘we actually have a corporate account with them’. So, a host of safe and approved tools and benefits has been missed because there wasn’t’ a conversation to join the dots.
36.24 With remote working set to continue, how can we change attitudes from ‘this is temporary’ to a more ‘best practice’ mindset when bad habits have already set in?
Alison: People have been trying to directly map the way we used to work in the office to the way we work at home. All those coffee chats and spontaneous interactions don’t translate the same way. When it comes to collaboration, we’re not all in a room with a whiteboard. So were seeing a proliferation of tools trying to recreate that same experience. It’s important to recognise it’s not where you do your work, it’s how, that matters. Rather than thinking about ‘coping with lockdown’, it’s a shift to wellbeing, balance and looking after each other.
39.45 IC departments are under enormous pressure right now, juggling constantly changing messaging, as well as trying to deliver BAU. How do you think we can land and embed messages that encourage good practice around cyber security when there’s already so much else to focus on?
Corinne: As we mentioned, it’s about weaving the security message through everything. And, also, making it fun. Everything from gamification to quizzes can help bring the message to life. It’s also so important to understand the nuances of cultural differences in a global organisation to help tweak that message accordingly.
You have to be pragmatic and know you can’t do it all alone. Bringing cyber security champions on board to help reinforce the message can help.
42.16. How have your own attitudes to risk changed this year?
Tony: I’ve been remote working for 3 years now, so I have to think back! For me, it was a greater awareness of using my personal devices. I had to create separate presences to keep work and personal projects and life apart.
Matt: I’m finding myself very conscious about passwords, doing as much as I can personally to keep things secure from accounts to WIFI networks.
Corinne: For me, I’m keeping an eye on the new scams emerging. They’re getting more sophisticated all the time and I need to be aware of the trends.
Alison: I think it’s interesting to draw a comparison between attitudes to risk and the pandemic itself. When it began, we had all that messaging about washing your hands. You wouldn’t think you have to remind people to do something so fundamental, but it was critical. It’s the same with risk. I’m trying to present security messages the same as public health ones – a constant reminder of the things you need to incorporate into your daily life. We can’t prevent everything, but we can take precautions.