Tailor for audiences
One of the biggest, and usually overlooked, reasons for non-compliance amongst employees is relevance. Relevance, or the lack of it, usually comes in three guises:
The communication might not feel relevant to the business. This is usually the curse of generic e-learning and off-the-shelf communication that could be for any organisation.
It might not be relevant to an employee’s role. Giving the same information security instruction to everyone in your organisation can be deadly. Asking someone in a factory to look at comms on office security will get you nowhere.
Then there’s the channel you use. If you put all communication out in the same place, there’s no guarantee everyone will see it. Once more, where you communicate needs to be considered in equal measure with how and what.
At blue goose, we make sure all our comms are bespoke – both for the business and for the individual.
It will only ever look and sound like ‘you’ and your business. One size will not fit all. And we will not expose anything to employees that isn’t relevant to their role. That means not only the subject we talk about, but also the language, scenarios and channel.
ISO 27001 7.2.2: The awareness programme should be planned taking into consideration the employee’s role in the organisation… and where relevant, the organisation’s expectations of contractors.