Back when I was working as a defense contractor, there were times I felt like a hall monitor. When faced with a deviation from a security procedure, I was the person who would speak up and report it to the local security manager. If I saw a person I didn’t recognize roaming the halls, even if they had a visitor’s badge, I would ask them who they were, why they were there, and then would check with the security office about the visitors onsite, sometimes even escorting people down to the security office.

I sound like a stick in the mud, I know. So why did I do it? One, it was my responsibility, per security protocol, to speak up when I saw something unusual. And two, I’m aware of the consequences. It’s not hard to imagine that letting an unauthorized person roam around an area with confidential information could result in theft of that information.

But what about something as mundane as a sign-in log?

Once, I noticed people were only writing in dates on a certain manual log sheet, not the time of day as the sheet required. No big deal, right? Well, suppose an incident occurred. As part of an investigation, the timing of events is needed to piece together what happened and the potential impact. Without that key piece of data readily accessible (as a log sheet is meant to be a record), your investigation may have holes and be delayed. Considering consequences such as these, I feel pretty justified being “a stick in the mud.”

At Cyber Safe Workforce, when we provide weekly awareness tips to employees we also strive to include the “why” behind security controls and use policies. A lengthy, complex password is required because… regular password changes are mandated because… resisting the urge to click on every link sent to you by email is necessary because…

Understanding “The Why”

Here’s an example of what happens when procedures are ignored because consequences are not known, and it’s an example outside of security. In my community, glass is not part of the curbside single-stream recycling program, which causes some consternation among residents. “What do you mean I can’t put my glass in the bin? It all goes to the same facility as our neighboring municipality and THEY accept glass.” In fact, I know some folks who STILL put glass into their recycling bins, despite the clear labeling on top of the bin that says “NO GLASS.”

Digging into this, I went to my city’s recycling website. It said that glass is considered a contaminate. Um, okay. But that doesn’t explain why our neighboring municipality accepts glass. Does that mean they’re accepting contaminates? So, as a concerned citizen, I called the recycling department to get more information. When glass goes into the bin with the plastic, paper, and cardboard and it BREAKS into tiny pieces (perhaps during transport), the shards coat everything else in the vicinity. And THAT is the contamination which makes the other recyclables less, well, recyclable. Sometimes, all contaminated recyclables have to be thrown out. Naturally, if you’re trying to recycle as much as possible to put less waste into the landfills, this sounds devastating! Broken glass is also a work hazard for the folks who separate the recyclables at the recycling facility. The contamination rate of recycled commodities is important to companies coming to purchase the commodities for use. Less contamination, more appeal for buyers, equals more items truly recycled into new goods!

It all makes sense now. Unfortunately, that explanation doesn’t fit on a label on top of the recycle bin. Maybe they should add: “Help us reduce contamination to increase percentage of successfully recycled goods” and “Broken glass is a hazard for our workers.” And while we’re at it: “Plastic bags clog up our recycling equipment. Drop these off at your favorite grocery shop.”

Once people hear the WHY, they begin to grasp the necessity of policies, procedures, and controls. Back to the folks who continue to put glass into recycling bins in my city: “You know, our recycling contamination rate is 8% less than that of our neighboring city, so more of our recycled plastic, paper, and cardboard actually gets recycled. Let’s keep it up!” From a security standpoint, we might say, “Thanks to some attentive employees, we prevented two potential security mishaps this year!” This way, people feel like they are contributing to a greater good.

Are you doing enough to explain the “why” behind use policies and security controls in your workplace?