Following a successful webinar held in June 2020, we asked Corinne Linskell, Head of Digital and Cyber Security Awareness at Dixons Carphone, to share more of her experience. Here are her top tips on how internal communicators can engage employees to fight cybercrime, together.
The combination of increasingly sophisticated cyber threats and the vast numbers of people working from home during this coronavirus era means it has never been more critical to put people at the heart of keeping information safe.
Information is a core asset of most organisations, and employees, customers, clients, patients, regulators and other stakeholders all rely on them to protect it. The consequences of sensitive information getting into the wrong hands could be extremely damaging to any organisation’s reputation, its profitability or even its very existence.
Security must therefore be seen as a key business issue, not just an IT issue, particularly when 90% of cybersecurity breaches originate from human error. Security tooling can do a lot to protect an organisation, but colleague understanding is needed to best protect against and respond to attacks. While technology can prevent most attacks, humans can spot things that computers sometimes can’t. Employees are the key to reducing this risk.
Enabling colleagues to understand their roles, responsibilities and actions must involve internal communicators as key players. Working closely with IT, plus other departments including HR, Data and Compliance, the ultimate objective is to drive change throughout your organisation. A culture change is required to embed security awareness behaviours, but it won’t happen overnight. Identifying what behaviours need to change is the first step, followed by regular communication campaigns. Organisations need to provide consistent messaging around what the cyber security issues are and how colleagues can help, both vital elements in galvanising support and co-operation.
Colleagues may not be aware, for example, that most organisations are constantly under attack and that phishing is the number one way that hackers enter an organisation. They may not know how to spot a phishing email or even how and why they should report it. Using rewards, not sanctions, will ensure colleagues know that they won’t get into trouble for reporting a mistake or an incident and that they are, in fact, helping the organisation. You will need to address wider information security topics too, such as being careful with information in public spaces, not leaving papers lying around offices and using strong passwords.
You, as internal communicators, are an integral part of the solution if colleagues are to start adopting good security behaviours and recognise that these learnings apply to their home lives as well. You will also need to ensure that leaders in the business are actively and visibly supporting this change, a key factor in its success.
Information security is all about collective responsibility. Your people could be your organisation’s weakest link but, with effective communications, you can make them the first and last line of defence.