Sponsored by LPM Media Group
Profit protection goals are achievable when everybody thinks about and reacts to security threats, but are nearly impossible to attain if security rarely crosses their minds. This fact puts a lot of pressure on the security education of staff; i.e., how well you plan it, how effectively it’s conducted, and how much of it sticks.
It’s not something that retailers like to think about: for all our strategies, investment, and technology to prevent data breaches, success may still depend on the actions and attitudes of front-line workers. Companies must segment networks, harden devices, test thoroughly, and work tirelessly to keep current with the latest network threats, but that alone won’t shield critical information from cyber crooks. Data is only safe if the people with legitimate access to it support the effort. Policies and technology can control access, but each employee is a door to an organization’s information assets, and many of those doors are unlocked.
Even the most casual Internet search reveals the stakes. In June, for example, Noodles & Company joined a growing list of restaurant chains reporting a data breach when it said it was investigating malware discovered on its systems that may have compromised cardholder names, card numbers, expiration dates, and CVV numbers. The likely culprit? Cyber thieves using social engineering to get malicious software installed remotely on the retailer’s systems.
“The first line of defense is in-store associates, and the training and understanding and responsibilities necessary to protect those assets,” said Rich Noguera, head of information security, Gap Inc., in a panel discussion by the Retail Industry Leaders Association in 2014 on data security threats to the retail industry. “Especially when you add in additional capabilities at POS, it becomes even more critical. So, the in-store associate is our best defense here.”
It is perhaps because general employee attitudes are outside the immediate control of loss prevention/asset protection and company leaders that their impact on the organization’s security posture is so often overlooked. In the 2015 Black Hat IT security conference survey, for example, 46 percent of attendees said social engineering attacks were their top concern, yet they spend little time addressing that risk. “We get so caught up in trying to protect things that we forget that the real insider threat is people just doing stupid things, like misclassifying information, opening something they shouldn’t, and so on,” said Robert Rogalski, Director, Corporate Security & Safety at RAND Corporation. That is why he believes a primary security mission must be “to inculcate a culture of doing the right things.”
But How Do You Do It?
How do you drive data security awareness down to the store associate level? “It’s really about marketing,” says Karen Rondeau, vice president of creative services with LPM Media Group, who has since 2004 helped major retailers create, promote, and manage internal communication programs.
Rondeau and other experts shared some of the elements of an effective cyber security marketing campaign.
First, formalize your program or campaign: give it a goal, develop strategies to meet it, and measure its effectiveness. The aim is a multi-faceted approach that raises data security consciousness repeatedly, on successive occasions, within a carefully orchestrated campaign. Strategic planning need not raise the cost of your security awareness program, and it will make the program more effective.
Rondeau suggested that including data security tips within a broader loss prevention campaign is a good idea but that, if possible, an awareness campaign directly targeting cyber risk may work even better. “The more specific you are in an awareness program, the easier it is to tell if it’s effective and easier to focus your message,” she said.
The “packaging” that your data security message comes in also matters. The key, and it’s as true for millennials as for every other group, is to “address the ‘what’s in it for me’ factor,” said Rondeau. Associates need to recognize how data security breaches can impact the company, its reputation, and profits, and in turn the hours, wages, and raises that store associates receive. The skills that make employees more resilient to malicious links at work will also protect them in their personal online communications and safeguard their own personal data, a benefit that an awareness program should highlight.
Cyber awareness programs can falter by being strictly factual, say some experts. Appealing also to workers’ emotions and imagination helps inspire a commitment to security that lasts longer. Even the language an awareness campaign uses has an effect; for example, instead of focusing on reducing failure rates, LP should emphasize improvements in “success rates.”
To enhance retention, identify for your audience what’s driving your cyber security awareness effort. Digging up examples to explain the relevance of security awareness training used to be a chore, but Google makes it easy. By collecting relevant real-world examples of incidents and consequences, you can address the first thought every associate has when given a list of rules to follow, which is “why?” Accompany data security requirements or guidelines with a rationale for why they exist. Also, use your own company’s horror stories as a teaching tool: highlight a malicious link someone received and explain how a mistake in handling it could have resulted in big company losses.
The most effective awareness campaigns recognize that not everyone is the same and that people learn differently. An awareness program can take that into account by using a variety of outreach materials that include verbal briefings, print/reading materials, and visual reminders. As often as possible, programs should combine learning materials—for example, a data security talk should include written handouts. (Some possible communication avenues: new hire orientations, e-mail communications, computer-based training, newsletters, Web page alerts, internal meetings, classroom instruction, posters/banners, lunch-and-learn sessions, videos, and screensavers.)
To select the most appropriate materials, Rondeau said it’s important to pragmatically assess your audience. Ask: What type of materials will resonate with them? How will information be delivered in such a way that they will understand it? What platform will keep them the most engaged? How often do they need to receive information? Will they require incentives to keep them interested? Will the message need to be in a language other than English in certain regions? Audience engagement and the campaign’s credibility will largely depend on how accurately you answer such questions, says Rondeau.
A detailed audience assessment will also tell you which specific data security lessons you need to impart, which depend on staff’s access to systems and data and on the threats to which they are exposed. It’s a critical step, because instructing staff on issues that aren’t relevant to them can sabotage even the applicable parts of an awareness campaign. To gain clarity on a program’s direction, Rondeau said to consider conducting a simple 5-question survey and/or a few focus groups. (Bonus: the very process of surveying workers to gain insight into their level of data security awareness will, by itself, improve awareness.)
All associates need to be reminded of basic data security tips, says Rondeau, such as not sharing customer information, not giving out information over the phone, and not clicking on unknown links or attachments in emails. It may also help to raise workers’ vigilance by educating them on social engineering: what it is, how to spot it, how to prevent it, to whom they need to report it, and the tricks social engineers use, such as creating a sense of urgency to get workers to comply with a request before they think it through. Staff may also benefit from a reminder of the specific procedures to follow when someone approaches them seeking access (of any kind) and of guidelines on information that employees should not disclose to individuals outside the company. Resistance training using simulated attacks may be appropriate for personnel who work in critical, customer-facing positions with access to personally identifiable information.
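The “how to spot it” lesson above can be written down as concrete checks. The following is an added example, not code from the original article or from LPM Media Group: a small Python checker that applies the cues the text lists (urgency pressure, requests for credentials or payment, link text that does not match the real destination, and sender domains that imitate the company’s) to constructed sample messages. The company domain `example-retailer.com`, the scoring weights, the `REPORT_THRESHOLD`, and the sample emails are all assumptions made for illustration; a real program would tune the phrase lists and weights to its own incident history.

```python
"""Rule-of-thumb checks for social-engineering email, mirroring what
associates are taught to look for. Example code; the company domain,
phrase lists, weights and sample messages below are all constructed."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

COMPANY_DOMAIN = "example-retailer.com"  # assumed, not a real retailer's domain
REPORT_THRESHOLD = 4                     # assumed score at which staff should report

URGENCY_PHRASES = (
    "immediately", "within 24 hours", "urgent", "right away",
    "will be suspended", "final notice", "act now",
)
SENSITIVE_REQUESTS = (
    "password", "verify your account", "gift card", "wire transfer",
    "card number", "login details",
)


@dataclass
class Email:
    sender: str
    subject: str
    body: str
    links: list  # (display_text, actual_href) pairs, as a mail client renders them


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    def flag(self, points, reason):
        self.score += points
        self.reasons.append(reason)


def sender_domain(addr):
    """'Name <user@host>' or 'user@host' -> 'host' (lower-cased)."""
    return addr.rsplit("@", 1)[-1].strip(">").lower()


def is_lookalike_domain(domain):
    """True for domains that imitate the company name without being it,
    e.g. 'exampleretailer-support.net' or 'examp1e-retailer.com'.
    Digit-for-letter swaps of 0/1 are folded; other homoglyphs are not."""
    if domain == COMPANY_DOMAIN or domain.endswith("." + COMPANY_DOMAIN):
        return False
    base = COMPANY_DOMAIN.split(".")[0].replace("-", "")
    flat = re.sub(r"[^a-z0-9]", "", domain).translate(str.maketrans("01", "ol"))
    return base in flat


def link_mismatch(display, href):
    """True when the visible text names one host but the link goes elsewhere."""
    shown = re.search(r"([a-z0-9-]+(?:\.[a-z0-9-]+)+)", display.lower())
    if not shown:
        return False
    return shown.group(1) != (urlparse(href).hostname or "")


def assess(mail):
    """Score a message against the social-engineering cues from training."""
    v = Verdict()
    text = f"{mail.subject}\n{mail.body}".lower()
    domain = sender_domain(mail.sender)
    if is_lookalike_domain(domain):
        v.flag(3, f"sender domain {domain} imitates {COMPANY_DOMAIN}")
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        v.flag(2, "urgency pressure: " + ", ".join(hits))
    asks = [p for p in SENSITIVE_REQUESTS if p in text]
    if asks:
        v.flag(2, "asks for sensitive data or payment: " + ", ".join(asks))
    for display, href in mail.links:
        host = urlparse(href).hostname or ""
        if link_mismatch(display, href):
            v.flag(3, f"link text '{display}' actually goes to {host}")
        elif host and host != COMPANY_DOMAIN and not host.endswith("." + COMPANY_DOMAIN):
            v.flag(1, f"link to outside host {host}")
    return v


def action(mail):
    return "report" if assess(mail).score >= REPORT_THRESHOLD else "ok"


# Constructed sample messages (not real incidents).
PHISH = Email(
    sender="IT Support <helpdesk@exampleretailer-support.net>",
    subject="URGENT: password reset required within 24 hours",
    body="Your store login will be suspended. Verify your account at the link below immediately.",
    links=[("https://portal.example-retailer.com/reset",
            "http://portal.example-retailer.com.evil-host.net/reset")],
)
CEO_FRAUD = Email(  # display-name impersonation from a webmail account, no links
    sender="Pat Manager <pat.manager@gmail.com>",
    subject="Quick favor",
    body="I'm in a meeting and need you to buy four gift cards right away and send me the codes.",
    links=[],
)
LEGIT = Email(
    sender="Store Operations <ops@example-retailer.com>",
    subject="Holiday schedule posted",
    body="The December schedule is now on the intranet. Reply with any swap requests.",
    links=[("intranet schedule", "https://intranet.example-retailer.com/schedule")],
)

if __name__ == "__main__":
    for name, mail in (("phish", PHISH), ("ceo_fraud", CEO_FRAUD), ("legit", LEGIT)):
        verdict = assess(mail)
        print(f"{name}: score={verdict.score} action={action(mail)}")
        for reason in verdict.reasons:
            print("   -", reason)
```

Note that the `CEO_FRAUD` sample passes the domain check, since a plain webmail address imitates nothing; it is caught only by the urgency and gift-card cues, which is exactly why training has to cover the request itself and not just “suspicious-looking addresses.”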
Awareness programs are a vital part of a retailer’s holistic approach to cyber security. Until an employee develops a strong sense of responsibility for security and the confidence to challenge others on matters of security procedure, a worker’s natural desire to be cooperative will leave them extremely vulnerable to social engineering. Even at retailers with robust policies and security technology, the human element may be a weak link that cyber thieves can target. When workers are vulnerable to attack, research indicates that the failure typically comes down to two things security depends on: know-how and attitude. Workers who don’t fully understand what is necessary to protect information, and who don’t make protecting it a priority, represent a real risk to a retailer’s systems and data.