Editor’s note: Louisa Thistlethwaite is research quality manager at FlexMR, Lancaster, U.K. This is an edited version of a post that originally appeared here under the title, “Beyond cyber security: How to create an information security culture.”
With just under a year until the General Data Protection Regulation (GDPR) comes into force, can you say that the data held by your marketing research department or agency is secure? Or are you reading this thinking, “What is the GDPR?” Perhaps you sit somewhere in the middle.
To clarify, the GDPR imposes new requirements on organizations handling personal data and extends those of the current Data Protection Act. It is not this regulation specifically that I want to discuss today but rather the big-picture challenge that comes with it, the one that underlies the success of every insight business's GDPR and information security policies: how to achieve an information security culture.
Cyber security vs. information security
Before we proceed it’s important to clarify what I mean by information security, particularly with respect to the marketing research industry. Information or data security is often assumed to be a cyber security issue. I have heard the terms used interchangeably when in fact, cyber security is a subset of information security. The Glossary of Key Information Security Terms – National Institute of Standards and Technology (NIST – U.S. Department of Commerce) – states:
Cyber security
The ability to protect or defend the use of cyberspace from cyberattacks.
Cyber attack
An attack, via cyberspace, targeting an enterprise’s use of cyberspace for the purpose of disrupting, disabling, destroying or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information.
Information security
The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction to provide confidentiality, integrity and availability.
These NIST definitions demonstrate the holistic nature of information security and the reason that we, as marketing research practitioners, must go beyond cyber security. Our task is to protect all respondent and client data, whether it is held in cyberspace, in unconnected systems, in hard-copy reports or even in the memories of employees.
An information security culture
While technology and cyberspace certainly feature in the landscape of an information security culture, the most effective approach to information security practice comes from the interplay between technology, process and people.
You can have the best technological countermeasures imaginable, but if your insight employees are poorly trained in your information security processes and/or don’t believe in their necessity, you might as well not have bothered. Research has shown time and again that the human element is the weakest link in, and the leading cause of, security-related incidents.
With that in mind, here are my five top tips for creating an information security culture in your marketing research space.
1. Top-down leadership: Without doubt, strong and committed information security leadership is the key to cultural adoption. Employees take their cues from top management and the tone they set. When it comes to information security the top down message must be positive, sincere and focused on the business benefits. Avoid positioning its practice as a complication or inconvenience – unless of course you want your insight professionals to think this way too.
2. Corporate objectives: Including insight information security elements within your corporate objectives sends a clear message that security matters. Make related objectives specific and measurable and measure them regularly!
When defining your objectives, ensure that they are balanced. Never focus on the function of information security technology alone. Unless you work with IT, information security technology has little meaning. It is essentially invisible. A technological focus will lead researchers to rely on it, to think that it will do all the information security work for them. This is entirely the opposite of the message you are aiming for. Targets for attendance at training sessions, knowledge and best practice are much more inclusive. They encourage employee ownership and long-term cultural buy-in.
3. Creative training: For an information security culture to thrive, all insight department or agency members must be kept up to speed with information security policies. A program of awareness training is an essential component. To ensure that this translates positively I recommend adding context.
Information security training should always begin with a review of potential data threats. You can make these meaningful by personalizing them. Ask attendees to consider the information that other organizations hold about them, and to think about how they would want that information handled. Using real-world examples to demonstrate how their data and that of their family members should be protected as well as the impact on them if it isn’t will resonate to a much greater degree than simply providing a list of marketing research dos and don’ts. It brings in-house policies and processes to life.
And remember the format! Who says awareness training should be delivered lecture style? Vary it with workshops, role play and video clips to get the message across.
4. Security moments: Like most things, an information security culture takes time to establish. Your training program must be both continuous and frequent to be effective. People have short memories and limited attention spans, so don’t confine talking about security to formal training. Identify your key messages and look for ways to create security moments in the daily routine of all marketing research employees. Use posters, e-mails, newsletters, etc., to remind them of the value of information security and their obligations to it on a regular basis. Do confine your security moments to repeating these key messages. Save the introduction of new policies, processes or requirements for dedicated sessions to avoid dilution.
5. Carrot not stick: It can be tempting to resort to scare tactics when it comes to information security. A serious breach carries the potential for significant financial and reputational repercussions … scary stuff!
Clearly it is important to make insight professionals conscious, on a personal and organizational level, of the fall-out of not taking information security seriously. Doing so encourages accountability, but take a measured approach. If you go too far you risk creating a fear culture, which can be counterproductive for several reasons.
- “It’s never going to happen.” Humans tend to shy away from the worst-case scenario and are likely to underestimate the probability of it occurring to them. This can lead to an, “it’s never going to happen” attitude, which undermines the perceived importance of information security.
- “What do I do now?” When people are scared, they tend to respond automatically, blindly and rigidly, following procedures without understanding why. The risk here comes when there is a deviation from the norm. Without that understanding, insight employees are unlikely to have the wherewithal to react appropriately.
- “Shushhh!” Fear encourages covert behavior. When things go wrong what can start out as an information security near miss can easily escalate into a serious incident if researchers are fearful of admitting mistakes and voicing their concerns.
Counter the fear culture by demonstrating consistent and fair reactions to insight information security issues. Be clear about your expectations of staff, identify the lessons learned from near-misses and use them to action change collaboratively.
Without being scary myself ... it has been estimated that 72 percent of businesses that suffer a major information security breach will shut down within 24 months. Initiating a positive information security culture within your insight department or agency is not only a significant enabler to achieving GDPR compliance but a prerequisite to long-term stickiness and potentially survival.