Calling Out Employee (Good) Behavior

If you’re strapped for time, as many IT managers are, here’s a simple, no-cost technique for reinforcing security culture in your workplace: Recognize those who are security-minded.

You can do this at the next company event or lunch-and-learn, or through a periodic newsletter or an e-mail blast meant specifically for this. Call attention to those who have reported security incidents or phishing attempts, or who have asked for security guidance. Present a certificate for the employee to display at his/her desk.

Recognize security-minded employees

It’s a recognition that rewards employees for a number of things, including:

  1. Reporting a phishing or vishing (voice phishing) attempt
  2. Reporting a potential security problem (such as finding a lost badge and turning it in)
  3. Verifying the need for physical access to a system by non-employees
  4. Asking for help when saving/sending large amounts of sensitive data

Recognition is an oft-overlooked motivator, but it is actually a very powerful tool, according to Daniel Pink, author of Drive. In his book about motivation, Pink discusses how recognition is feedback that helps people with mastery, the sense of making progress.

Use the recognition announcement to also reinforce the idea of security as part of your culture.  Here’s an example:

“Today, the IT security team wants to recognize Mable for requesting help with transferring large amounts of sensitive employee data.  She realized that e-mailing it to the XYZ department was not an option because of our e-mail size limits.  She also understood that putting it on the company’s shared drive was also not the solution since all employees, not just the intended audience, would have been able to look at it.  Mable contacted the Help Desk, and we provided an encrypted USB flash drive solution.  Further, we assisted her in moving that sensitive information from her department to the correct recipients in XYZ.  Every week, the news relays a story of employee information being disclosed unintentionally.  Mable’s actions not only helped protect our organization from liability but also helped protect ALL OF YOUR private information.  Kudos to Mable.”

Mable will continue to be security-conscious because she’s appreciated.  Others who heard the story may have thought, “I didn’t know we shouldn’t put sensitive information on the shared drive!” or “I didn’t know that the IT team could help me move large amounts of data safely.”

If you’re not sure where to start, have your help desk begin keeping a record of certain security reports/questions by employees with the date and action.  Need a list of these behaviors?  Here they are:

  1. Reporting a phishing or vishing (voice phishing) attempt
  2. Turning in a lost employee ID/badge
  3. Turning in an unlabeled USB
  4. Turning in or securing unsecured sensitive data hard copies
  5. Reporting misconfiguration of internal websites
  6. Reporting suspected malware immediately
  7. Verifying the need for physical access to a system by non-employees
  8. Asking for help when needing to save/send large amounts of sensitive data
  9. Asking for security guidance
  10. Reporting accidental disclosures of information

Even when employees have made a mistake like clicking on a phishing link or infecting their computer, recognize that they reported the incident.  Notifying the help desk of mistakes should be reinforced because it helps with the mitigation effort.

So, remember this no-cost technique to reinforce security awareness and praise employees for supporting your organization’s security goals.
