How to create an effective data security communication plan

In today's global office, IT security leadership spends a great deal of time and resources creating a defense-in-depth approach to data security. This often includes layering on both logical and physical solutions, as well as detailing policies and procedures for accessing company data in a secure manner.

However, at the end of the day, this information is regularly retrieved and used by the workforce at large, and including only an overview of data security in an employee handbook won't guarantee that these records are kept safe.

There is a need to create value around company data, and one way to do this is to ensure that the workforce knows and understands the threats that are out there and the measures that are in place to protect against them. The following are factors for companies to consider when creating an effective data security communication plan.

Target your audiences. Most companies have a diverse workforce with varied backgrounds and ages. The communication efforts that resonate with Millennials may not work for Baby Boomers. Try different types of communication to see what resonates most with these different audiences. Newsletters, announcements at staff meetings, reminders in break rooms and cafeterias, blogs, vlogs, podcasts, screen savers displaying data security and privacy messages, and even games can help disseminate the message.

IT security teams can also divide workers into those who will support company policies, procedures and best practices as well as those who may be a barrier to success. Targeted efforts with the latter will help to shift their priorities to include data privacy and security.

Provide ongoing education. Security and privacy trainings typically happen during the new hire process, but it's important not to stop there. The first few weeks at a company are often overwhelming and jam-packed with information. To make sure that policies are being adhered to and best practices followed, follow up with six-month training courses and create a schedule of ongoing educational programming on data security. Try mixing in-person seminars and interactive training modules with online sessions for maximum effectiveness.

Make it personal & relatable. To the general workforce, data security may seem like an intangible thing. Utilize real-world examples and case studies to make policies and procedures, as well as the consequences of not adhering to them, more real. Answer the questions "why should I care?" and "what's in it for me?" Talk to workers about how they uphold privacy in their personal lives and then help them transfer these tactics and values to their work lives.

Encourage a cultural change. Walk through any office space and you'll likely see employees displaying proprietary information or login credentials on device screens. This can lead to visual hacking, a low-tech method used to capture sensitive, confidential and private information for unauthorized use. You may also find confidential documents left in printer trays and encounter workers talking about sensitive topics in the hallway. In this situation, data privacy clearly isn't a central aspect of office culture.

IT security teams must work to create a self-policing organizational culture, where all employees buy into the importance of data security to the overall health and growth of the company. In the previous examples, employees should take confidential conversations into private locations and face screens toward the wall, coupled with the use of privacy filters, to protect confidential information.

Equip employees with a data security toolkit. Account for both high-tech and low-tech data security threats by equipping both BYOD and company-issued devices with a data security toolkit. Take inventory of how and where these devices are being used and roll out security tools using a risk-based approach. Further remove the human factor by creating a process through which new company devices like laptops come pre-installed with data security software, privacy filters and laptop locks. Literature explaining how and why these measures were taken can reinforce security and privacy messaging.

Data security is not one size fits all, nor is a data security communication plan. Finding the ideal fit for any company may take trial and error, but an educated and mindful workforce will serve to support the mission of IT security teams tasked with keeping confidential information just that - confidential.


Stories by Larry Ponemon
