Focus on behaviour
While the awareness and attitude of employees to information security – how they feel about the subject – will help influence culture change, their behaviour is arguably the single most important factor. Without a change in actions, you can have no guarantee that your business is more secure.
The reasons employees don’t act in accordance with your advice usually come down to a range of things. They might be forgetting. What you’re asking might be too difficult. Or there might just not be enough pressure, either directly or socially, to make them want to do what you’re asking.
We use a range of techniques to help nudge the behaviour of your employees in the right direction. We often rely on guerrilla activity – techniques that help to remind, prompt and surprise employees into making good decisions. You can have a look here: Going Guerrilla.
And it’s all backed up by sound theory, of course. We work with a range of behaviour change experts to ensure that the recommendations we’re making are theoretically sound – so we can add the brilliant art to the science.
ISO 27001 7.2: Persons doing work under the organisation’s control shall be aware of their contribution to the effectiveness of the information security management system, including the benefits of improved information security performance.