Barclays' ‘Think Privacy’ campaign of a few years ago demonstrated how to raise staff awareness of sensible information security practice.
The company has recently begun a new campaign to make staff aware of the consequences of insecure actions. Talking to SC Magazine, Barclays' head of information risk management, Stephen Bonner, and Mark Logsdon, director of information risk management, explained that the new venture took them down some interesting alleyways.
The book ‘Consequences’ is a collection of short stories, haikus and illustrations highlighting real-world cases of common information security themes, including social engineering, secure passwords and records management. The challenge, they said, was to bring these issues to a level that the average employee could understand and relate to.
The book contains short tales from notable writers and celebrities such as Ricky Gervais, Ben Goldacre and Roger McGough. The chapters vary in depth and style in order to cater for different tastes and interests, and each finishes with an afterword explaining the message behind it.
I asked Bonner and Logsdon how these writers came to be included in the book and involved with the project. Bonner said that all of the stories were written for the book, apart from a podcast extract featuring Gervais and comedy partner Stephen Merchant, but the writers were left free to decide what they wanted to write about.
Logsdon said: “You can dip into it or take a piece like Goldacre's in 20 minutes, so the accessibility of it was crucial. You can read it at a time of your choosing too; we also have Kindle and other e-versions for other readers, and audio podcasts that used various actors.”
Following the Think Privacy campaign of 2008/9, Consequences has proved to be a slow-burning success for Barclays. Bonner said: “We have a clear distinction between our awareness and our training. Everyone does training, but the mindset for training and awareness is very different, so we don't mandate that they read this but find that they want to read this.
“There are important messages that we need employees to read that are vital to the success of the bank. Our belief is that employees want to do the right thing, but if we spark their imagination they will find innovative and safe ways to solve the problem. Once they understand the consequences they make the right decision. [We] do not treat employees like kids, but you have to capture their imagination and understand that the way information is concentrated has changed the way it works.”
Logsdon agreed, saying he has a theory that a lot of this is not new: files have gone missing in the past and people have forgotten to dial ‘nine’ on a fax or sent the wrong document, but what has changed, in his mind, is that it is now easier to lose a lot more, a lot more quickly.
“My frustration is that we dress simple issues in sophisticated language; social engineering for most people means nothing. So we have tried to make the concepts simple, we made the language accessible and put them into a context that the user is not used to seeing. Everyone thinks the idea of the loss of data is a 21st century thing; we have taken it back to 1605. That helps the user understand it, and we deliver it using multiple channels as one size doesn't fit all,” he said.
So far the company has seen over 500 podcasts downloaded by staff and most of the 5,000 print editions distributed, but Bonner admitted that this is not being used as a training or IT policy tool and instead is about the company trying to change people's behaviour.
He said: “If people understand it then in time we will see a change in incidents. That is the real measure and our core goal of this work. In a regulated industry, it is important to know that everyone knows what they should be doing, but clearly we are responsible for taking them from knowing what they should be doing to actually doing it.
“One of the things we have always done is be willing to take risks; if the pictures we put up do not work, then who cares? We are trying to work out things that haven't been done before and try things that work. We were not making a book for us; we were making it for our internal audience. It feels like you are reading a story, and it resonates.”
Logsdon and Bonner admitted that before the year-long process began they knew nothing about making a book, and that the passage ‘was a journey for all of us’.
Barclays has mounted an education effort with remarkable consequences. I read the book in around three hours and, as an information security journalist, found it easy to see the themes emerge in the text; what is more interesting is how they would be understood by someone not familiar with common information security terms.
The company is monitoring responses via surveys and admitted that it is challenging to know how many people are reading the book because copies are passed on from reader to reader, but a professional effort should produce professional results.