publication of the International Legal Technology Association
Issue link: https://epubs.iltanet.org/i/192213
SECURITY AWARENESS TRAINING: IT'S NOT XXXX JUST A GOOD IDEA, IT'S A MANDATE Another important element in this phase is to share the business drivers behind the firm's security awareness efforts. Help employees understand that clients are demanding a change in order to protect their information. And, if there are financial risks associated with not changing, be honest with employees about those risks to help strengthen their understanding of why their involvement is so important. During this phase, you can also leverage eyecatching visuals like posters, screensavers or intranet banners to help raise awareness. INCREASING DESIRE Once employees see the importance of security awareness to the firm's business, you move on to the "desire" phase. In this phase, employees could ask the age-old question, "What's in it for me?" Up to this point, the awareness efforts will have focused on why security awareness is important to the firm and to clients. Provide information that gives lawyers and staff the personal motivation they need to change their behavior. One solution is to frame security awareness as having meaning for employees in their personal lives. For example, with the upcoming holiday season, you might share tips for avoiding online shopping scams or spotting phishing email messages pretending to be charitable solicitations. By giving employees valuable information that can help them personally, you build in them a desire to participate in behavior that carries over to the way they work. Research tells us that employees have a strong preference to hear from their direct supervisors how organizational changes might directly impact them. With this in mind, you might involve frontline managers in the desire phase of your change management efforts to conduct small group meetings with their employees, or, if there are standing departmental or practice group meetings, to allocate some time on the agenda to talk about security awareness in the context of how it impacts their team. Direct supervisors can also talk with employees about the practical implications of changing behavior and how those changes might impact day-to-day workflows within the group. PROVIDING KNOWLEDGE The most familiar phase of the change management process is probably the "knowledge" phase, where employees are provided with the skills and information they need to behave differently (aka the training phase). For this phase to succeed, it's important to provide information in several formats, such as e-learning, handouts and small group discussions where real-world scenarios are discussed and questions are answered. The key to successfully sharing knowledge to help people change their behavior is to make sure the information is clear and direct, and delivered in manageable "bites." Telling employees to "be safe" is vague and overwhelming in scope. Break down security awareness into single-issue messages, such as telling employees to use encrypted USB drives only, giving them a clear and specific message and a manageable change they can implement successfully.