An SMB IT executive's job is a tough one: You need to guard the information castle against hostile invaders from outside the walls while also worrying about the people inside the organization leaving windows and doors open and sometimes outright inviting the hostile elements inside. Between smartphones and crappy passwords, some IT pros would argue that their best efforts in data security can be easily undone by the new mobile app the guy in the mailroom downloads.
What's the answer to ensuring data security in a smaller enterprise, where the IT budget is sometimes lacking? If you say training, you're 100% wrong. Training works amazingly well until the minute that the employee walks out of the classroom. Even the most memorable and energetic trainer will not have a lasting effect on compliance, which diminishes over time. And data security documentation? Forget about it. Think about the documentation you got for the last appliance you purchased. Did you read it? Most people read a page or two until they get what they need and skip all of the warnings and legal stuff.
Let's face it: The second that it's easier to not comply with data security standards (or when those data security standards stand between the employee and something they want), there goes your adherence to the data security policy or process. Even the most cautious employee, who would never dream of risking data security, wouldn't think that downloading Candy Crush Saga might leave the network vulnerable to Trojans.
When I attend CIO events and talk with executives, they often mention prevention and restrictions as the way to data security compliance. We all know the saying about the carrot or the stick. If you use the stick too many times, your employees will either start to ignore you or worse, look for another job.
This is where the SMB IT executive can look to the Finnish government's prenatal program for inspiration. In Finland, the government provides a new baby kit to expectant mothers. Inside, there are clothing and supplies, and the box itself is a cradle for the new infant. In order to get the baby box, mothers need to sign up for prenatal care, which many people do because the box is stuff they'll need anyway. But consider the way that the Finnish government has reframed the event. Instead of threatening the umpteen different ways you might be harming your baby if you co-sleep, it provided an alternative, packaged with stuff you want. Instead of lecturing or public service announcements about proper prenatal care, citizens were signing up voluntarily for prenatal care to make sure they got their baby boxes. The unexpected benefit for Finland was a dramatic decrease in national infant mortality.
But what do babies have to do with data security? This concept of bundling some treats and associating happiness with a desired behavior is psychological manipulation at its finest. The people even know they are being manipulated, but they don't really care because they're getting something they want in exchange.
Data security: Now with a prize inside!
This concept of attaching happiness with matters of extreme importance like data security can be extended to the SMB space without much cost or even loss of productivity. For instance, the White House is one area where losing a smartphone is literally a breach of national security. But former White House CIO Theresa Payton opted to move away from the former process, which involved a two-hour security briefing and dark threats of punitive actions that make being fired sound awesome.
Instead, she spun the issue of data security around and created a positive experience with what she called the "Happy Meal" data security briefing pack. Her briefing pack included a simple process for reporting a lost PDA or smartphone, the assurance that the employee wouldn't be fired or otherwise penalized for losing a device that risked national security, along with some White House branded tchotchkes. I mean, who doesn't want a White House sports bottle? I know I do.
Payton's experiment was a success: The average lost smartphone was reported in less than two hours, compared to almost a day prior to the Happy Meal pilot program. Employees could do away with the two-hour long security briefings and recapture some lost productivity time back into their day. And the unexpected benefit was that employees who hadn't yet received their security packet were actually calling up the CIO's office and asking for it. Can you imagine one of your employees actually calling up and asking for a security brief?
These kinds of initiatives don't cost a lot of money and certainly don't require a lot of new expensive technologies. SMBs have much at stake with intellectual property and loss of competitive advantage, and oftentimes, SMB employees are wearing five or six different hats. Strategic reframing of data security policies and processes is critical for doing more with less in small and medium businesses.
This was first published in June 2013