Changing staff behaviour - Business Works

Changing staff behaviour

Martin Smith, Chairman

There is constant heart-searching and breast-beating going on at all levels about ways to improve the consistently low levels of staff compliance with the whole range of workplace regulation and legislation. Martin Smith, Chairman of The Security Company (International) Ltd, explains how effective communication is the answer.


Actually, employees want to follow the rules …

Some seek harsher sanctions for employees and employers who stray; others seek to toughen up the law or bring in niche laws for niche issues. Great swathes of gobbledygook policy are vomited up into the employee’s in-tray, accompanied by alarming descriptions of punishments for those who subsequently fail to comply. What is common to all of these discussions is the frustration felt by all concerned – on the management side as well as the workforce – that good regulation introduced for good reasons for UK plc is not understood, not valued and therefore failing to bite.

But, in my experience, employees are very happy to follow “the rules”. My past twenty years have been spent convincing staff about the value of abiding by good security procedures in their everyday working (and, increasingly, their personal) lives with great and growing success. We find an enormous willingness to follow good practice. No employee wants to be the one who lets down the team, or causes their organization to appear in the Press as the latest to suffer a data security breach or online fraud. No-one wants to be the careless one who caused the accident that led to a colleague being hurt. Most of us value diversity and want to avoid discrimination, but are ignorant about our rights and responsibilities and therefore can be careless with the feelings of our co-workers. The vast majority of employees in any workforce are intelligent, honest, hardworking and sensible. They resent being dumped on from above and given responsibility for compliance without sensible help or advice to go with it. We find that, to win their support, all that seems to be necessary is to tell them what it is you want them to do in language they can understand, describe in simple terms how you want them to do it, and explain to them the benefits of compliance (the “What’s in it for me?” element). Add in a dash of measurement to check that your communications are working and the whole regulatory regime comes to life with a range of far-reaching and immediate benefits.

Good communication is key to compliance. We have more than enough rules already – let’s just start explaining them properly to everyone!


A realistic example – Data security

The recent data security breaches in the UK are simply higher-profile repeats of similar breaches that have surfaced with monotonous regularity over the past months and years. They are tragic in every sense. They needn’t have happened. Worse, they’ll happen again next week and the week after, and they’ll carry on happening. In every case, these breaches have been the result of simple human error. The damage to the public’s confidence in the ability or enthusiasm of any organisation – public or private, large or small – to protect personal and financial data is almost beyond repair. This insidious lack of trust is percolating into every aspect of our personal and professional lives. At the same time, financial losses due to cybercrime continue to grow. Credit card fraud is rife, identity theft is endemic, and social engineering continues unabated.

Communications
There are few grounds for pointing blame at the headline organisations. There, but for the grace of everyman’s God, go the rest of us. The underlying problem is the way the security industry has traditionally approached data security and e-fraud prevention. It seems to be almost every day now that the evidence of failure stares out from the newspaper headlines with examples of harmful data security breaches and online crime. Despite the vast sums of money spent, IT systems at all levels and within most organisations remain inherently vulnerable to even the most basic of security weaknesses and vulnerabilities because we have focussed almost entirely on the technology. We have not attended in any way to the most fragile element of the defensive regime – our people. We insist on developing increasingly-complex technical solutions for increasingly obscure and irrelevant problems. We focus on brain surgery whilst the patient dies of the common cold.

Awareness is the oil that will make security management and fraud prevention systems run smoothly. We must harness the support and assistance of every one of our employees and our customers. We must explain to each of them in a language that is both relevant and understandable the risks inherent in the modern information society. We must tell them exactly what is required of them in their everyday behaviour in order to handle sensitive information in all its forms in a safe and secure manner. Unless we do this, our e-crime defences will never be complete. My assertion is that exactly the same applies to all other disciplines and all other workplace legislation and regulation.


People want to learn

“Managers have the ability to turn information into meaning and ensure understanding via conversation” Quirke (2000).

We hear so much in the media about terrorism, violent crime, ID theft and exploitation on the Internet, that people actually ‘want to learn’ about how they can protect themselves and their families from becoming victims. This creates an ideal opportunity to engage employees with security awareness, providing them with not only the key rules for the organisation, but advice for them personally.

Pound for pound, raising awareness amongst employees will do far more to improve security than any technical solution can ever hope to achieve. Yet again, I maintain that the same applies to all other legislation, regulation and other disciplines.


The benefits

“It is essential with any audience to find the language they understand, pitch the message at their level and give them time to digest it” McFarlan (2003).

A security-aware workforce will provide:

  • appropriate protection for all of an organisation’s assets in a cost-effective and efficient manner;
  • an environment where all staff members are committed to the protection of an organisation’s assets;
  • competitive advantage, improved customer service and an enhanced market image as a result of an organisation’s recognised commitment to security;
  • measurement and compliance techniques to ensure losses resulting from breaches of security can be identified and continue to be reduced over time.

Generally, the first line of defence, employees, can quickly identify a potential breach or a weak link. Just as importantly, security-aware employees can prevent and lower the impacts of incidents when they do occur. And, once more, I would argue that the same applies to all other disciplines and workplace legislation and regulation.


Communicating effectively with staff and changing their behaviour

“To be noticed, communication must contain something that interests the recipient; to change behaviour, it must touch one of their values” Larkin & Larkin (1994).

Communicating with staff
Many years of research into successful communication techniques have revealed three main factors that increase the likelihood of behavioural change occurring – corporate culture, individual personality and a person’s motivation. Behavioural change is most likely to be achieved when our communication touches an employee’s behavioural influencers.

Too often we aim to train individuals and turn them into security, or Health and Safety, or Diversity, or Employment Law, or “whatever” experts. Employees will switch off because our communications are too detailed, too technical and too time-consuming to digest or, worst of all, not relevant to them. Employees will sniff out from a great distance any attempt by management to pass the buck – “we’ve sent you the policy, now it’s your fault if you fail to comply”. Such a tactic only increases resentment and reduces any chance of staff cooperation.

Employees across any organisation should be able to say, ‘I am not a (fill in the space) expert, but I know why (fill in the space) is important, I know the top 10 behaviours I should be exhibiting and I know where I can go to find out more as and when I need to’. Our efforts need to be focussed on achieving such a state of affairs across the whole range of legislated topics. Anything else is merely adding to the confusion.


For more information, please contact Martin Smith, Chairman of The Security Company (International) Ltd
t: 01234 708456
e: sales@thesecurityco.com
w: www.thesecurityco.com


