Introducing new security measures successfully

5 September 2022

Checklist: how to implement new security measures effectively?

Implementing new measures to increase cyber resilience has become a natural part of corporate culture in almost every organization.

This blog is meant to help you along with the appropriate implementation of new measures. Appropriate for your organization, for your employees and for the purpose of the intervention. Think of it as a checklist for the successful implementation of new measures.

AWAREWAYS checklist ✔️

A blog post about a checklist is not complete without an actual list of items that you can tick off.
So let’s just start there. You can find additional context for every item further down the page.

  1. Communication
    Don’t just throw the new approach over the fence, but start a conversation with your employees
  2. Explanations and tools
    Explain why and how new measures will be implemented
  3. Put yourself in the shoes of the end user
    Make sure every user has the necessary information and knowledge to get started with the new measures
  4. Reciprocity (quid pro quo)
    show people what the benefit and result of their behavioural change is
  5. Don’t forget ease of use
    A user-friendly tool ensures less resistance and a more effective implementation
  6. Don’t forget to invest in time
    Take the time to draw up a well thought out plan, think also of a preliminary phase

1. Communication

Effectively influencing behavior requires more than just providing information. In other words, don’t just obligate new measures for cyber security, but have an actual, meaningful conversation with your employees.

Take the time to introduce the new approach, make an overall plan and involve the right department(s) such as marketing, communication and HR. These departments have the right skills to get the message and the importance of the policy across properly. Therefore, make use of them. A dry change in policy, introduced overnight, is doomed to be taken merely into consideration, not into effect.

2. Proper explanation

When communicating new measures, it is important to emphasize not only the when, but also the how and why of a change. If you don’t take the organization by the hand in this, the measure will become just an annoying obligation.

Also show that you are investing in the workability of a new measure. A really good campaign is about much more than just behaviour that people should or should not display. Because people will also have to be convinced that the information is relevant. And several buttons will have to be turned before people are actually prepared to exhibit that behavior, especially in light of all the other priorities in a daily workday. That’s why, once again, one component is crucial in campaigns: communication.

Emphasizing the relevance of a new measure is only successful if it is communicated in a recognizable and unambiguous way. Therefore, ask the questions: what does measure X mean for the end user; why is it good that we are introducing it (now); why is it so important for the organization? But also: what does the end user really need to know about it? This is a nice bridge to the next point in the checklist.

3. Put yourself in the end user’s shoes

Don’t assume that awareness of a threat will lead to protective measures. Adequate explanation is key to any (desired) behavioral change. Awareness can be achieved through good knowledge sharing – but if you don’t understand something, or can’t, then exhibiting the desired behavior will obviously stop. It is essential to put yourself in the shoes of the end user; who is actually going to use measure X or security layer Y, and what does that person need to know about it?

It is an easy mistake to assume that your audience already knows about the how and why of cyber security and is well versed in the necessary background information, simply because you as a CISO or IT manager are. For most employees in the average organisation, however, 2-factor authentication or ‘2FA’ is not an established concept at all, let alone that the abbreviation is known across the board. Therefore, include this starting point in the communication of a new measure; what does the target group already know, and what needs to still be addressed?

4. Reciprocity

The effective teaching of new skills can lead to the prevention of risky actions and the promotion of safe behavior. At the same time, there is a wide debate about awareness-raising campaigns. In many cases they require a great deal of effort and skill from the target group, while the measures do not produce immediate results. In this, the concept of reciprocity plays an important role.

Reciprocity is the mechanism whereby for a positive contribution you also get something positive in return. It basically boils down to “one good turn deserves another”. If you are asked to adjust your behavior and work differently, but the organization does not take you into account, the threshold for acceptance is higher. If employees see that it is useful, and the organization shows that effort is being made to change things, there is a better balance between investing and delivering. The intention to do it right becomes greater.

Every new IT implementation is an awareness opportunity and a means to properly articulate the usefulness and necessity. Therefore, use the new measure as a learning opportunity and do not approach it as a mandatory obstacle, but as a suitable opportunity to start the conversation with your employees about the importance of information security in general and this measure in particular.

5. Don’t forget about ease of use

Ease of use plays a major role in securing accounts and systems. An authentication method that is not user-friendly ensures that end users will look for alternatives and possibly still bypass the security measure. This reduces the effectiveness of the implemented security measure.

A new intervention is usually seen as an obstacle and may surely be named as such, but rather focus on the positive instead: the added value for the (information) security of the organization.

In other words, the fact that it is sometimes complex does not need to be trivialized. The perceived obstacles are there, so feel free to address them. ‘Yes, it’s difficult for a while, but it makes the organization significantly safer’. In practice, new measures usually do not adequately accompany the obstacles with an explanation of their benefits, which is a pitfall. Learning to work with something makes it easier, especially if the benefits have been made clear to you.


6. Invest in time too

Information security campaigns are not dependent on budgets alone, but also benefit enormously from a well thought out plan, the proper communication and sufficient investment of time. Especially the last variable plays a decisive role in the success of cybersecurity policies.

No financial impulse from management is sufficient if it does not go hand in hand with practical means to influence and – permanently – change behavior. Therefore, also think about a preliminary process (for example: from temptation to obligation), where you work with a step before the introduction of a new measure.

Finally, the above is probably more of a list of tips and advice than a checklist, but remember: if you can’t check the boxes of the previous steps here, then implementation of the measure in question is going to be a very tough sell. So use it as a means of testing the chances of success of a measure or campaign.

The next step: AWAREWAYS

Information awareness is an important first step, but security measures such as implementing two-factor authentication as an extra lock on your account do not guarantee one hundred percent digital security. Nor can it, the internet is – fortunately – not fenced off and cybersecurity is not a silver bullet that protects it all. Information security does not require a single solution, but a 360-degree approach.

This is certainly true in a modern business environment, where the risks, the chance of coming into contact with them and the potential consequences are much greater. The technology, the employees, the organization and the procedures: everything must therefore be measured against the same yardstick.

How is the level of security awareness in your organization?

Would you like to know more about our vision or approach or are you interested in discussing what we can do for your organization? Please feel free to contact us!