Once you have read my article, you will have a good idea of how to approach your compliance awareness campaign. You will get concrete advice on choosing topics, forming alliances, and how to measure how well your campaign worked.
Compliance is hardly known for being the world's most interesting topic. In the eyes of many, it is time-consuming, limiting, and boring.
A run-down car can get purple fringe tail lights, 30-inch fins, and a Palomino dashboard - and become Greased Lightnin'. Similarly, you can give compliance a makeover in order to make the topic more accessible, relevant, and exciting.
This is what you do:
- Get the support of the management
- Choose the right topics
- Meet people where they are
The support of management
You must first and foremost ensure the involvement of the management. There are two reasons for this:
For one thing, the employees should hear from the management why compliance is important. The message then carries more weight.
For another thing, awareness campaigns are not free. They cost the organization time. You will only get the resources you need if you make it clear to the management as to why you need a compliance awareness campaign. If a compliance audit has resulted in findings and recommendations or if you need to follow ISO 27001/2, NIS2, or any other standards, you will have a compelling argument. Awareness is a requirement set out in ISO 27001 and ISO 27002, so there is no way around this. A focus on compliance can furthermore save you time and money. Both your finances and your image take a hit when a user error causes a data leak or system breakdown.
Moreover, awareness is about communication. If this is not your strong side, you should become good friends with your communications or marketing department, if you have those in the company. They will be able to help you to reach out to the employees in a language they understand.
Choose the right topics
With the backing of your new allies, you should now figure out the areas on which your awareness campaign should focus. There are many topics from which to choose, some heavier than others, and unnecessary information needs to be removed.
Consider the problems you have experienced based on the ignorance of users. A few examples may be:
- Guests to the company are not registered when they arrive and they walk around without access cards.
- Documents with confidential information are lying around in an unlocked room.
- Sensitive personal information is not sent through secure email (encrypted).
If you are unsure of anything, get hold of HelpDesk or IT support if you have those functions. They can tell you what employees most often ask about and what they are unsure of. You can also consider whether you recently began to use new systems or carry out tasks in a new manner. Have the employees become familiar with this or are there many mistakes?
You will possibly find more problems than you can address in a single awareness campaign. Focus on the most important parts and save the less important ones until your next campaign. We must make sure to use simple and powerful messages. Prepare short campaigns with simple themes, and then run campaigns more often.
Meet people where they are
Now you need to go out and meet people where they are. The employees sit in front of their computers, they eat in the cafeteria and they go to Friday morning meetings. This is where you should meet them. One way to do this is by means of:
- Happenings - Little funny things that get people talking. This can involve small figures or other such things placed on the employees’ table, or by handing out chocolate bars in exchange for them agreeing never to share their passwords with anybody. The possibilities are limited only by your imagination and it does not even have to be especially expensive.
- Messages with good advice - E-mails that briefly describe a problem area and how the employee should act.
- Postings on the intranet - Again: make them short and useful. Once the posting is read, the employee shall know precisely what he should (or should not) do and why it is important.
- Posters in the cafeteria - The posters make employees aware of the campaign and get the employees (hopefully) to talk about why compliance is important.
- Morning meetings - If everyone is assembled for a weekly morning or Friday meeting, you can try to squeeze in a little speech of your own.
- Quizzes - A quiz has the benefit of involving the participants. Put up some wine or chocolate as a prize to the employee or department that does the best.
An employee awareness quiz can also show management that your awareness campaign has had an effect on people. Set a realistic goal for yourself. If half of all the employees take the quiz, you have done a great job! A quiz also shows you the areas in which you need to do more to train the employees.
So, can you make compliance interesting? You can at least come a long way when you make it accessible, relevant, and engaging.
There are many programs that can help you make quizzes. Our compliance platform for all Governance, Risk, and Compliance matters not only makes it possible for you to write your own questions and answers but also follows up on how many have been answered correctly. You also get an entire library of questions/answers concerning compliance from which you can pick. This way you efficiently ensure that the employees are made familiar with the relevant policies and rules, as well as any compliance with standards, such as ISO 27001.
About the Author: Lone Forland is our product expert and offers instruction in awareness campaigns, among other topics. Lone Forland furthermore helps our customers get started with our GRC tool and serves as a liaison between customers and development.