‘It’s OK to say’ is among the latest pieces of advice produced by the UK’s official Centre for the Protection of National Infrastructure (CPNI). It combines the light touch and important messages of the very best training material, writes Mark Rowe.
A worker, whether you know them slightly or they sit at the next desk to yours, slumped over their workspace, crumpled and not doing their work as well as they used to, or at all. Someone staying late and tapping away at their computer screen, when everyone else has gone home. Somebody piggy-backing on your access control pass at a turnstile or entrance gate, whether you know them well, slightly or not at all. Or someone tapping away at their desk on social media, or so you think, when they are not supposed to at all, or only within parameters that you suspect are being broken. However, who wants to be a snitch or be regarded as one? Do you feel it’s your business to raise a concern, or do you put it off for another day in the hope that it stops or goes away? These are all human reactions, and they explain the under-reporting of, or lack of intervention in, counter-productive and/or unusual behaviours when employees observe them in the workplace. Such behaviours have often been seen to be precursors to insider activity or welfare issues, as ‘some of the most damaging acts are carried out by personnel in sensitive posts who are trusted by the organisation’, as CPNI points out. Hence its ‘It’s OK to say’ training programme and aids such as posters and reminder cards.
CPNI worked with companies in the field of critical national infrastructure (CNI) to hone its message, and the training aids to put on walls or show to staff. Previous CPNI documents and work, such as on the motivation of guard forces at CNI sites, have been alert to psychology: that it’s difficult to keep feeling motivated when – whether security is done well or not – nothing may happen, or appear to happen, which can make for boredom or complacency. In other words, having all the bells and whistles of cyber and other technology, and in security terms CCTV and physical security such as fences and alarms, can easily be undone by ‘the human factor’. ‘It’s OK to say’ (IOTS) addresses protective security by raising awareness of the importance of ‘speaking out in suspicious circumstances’, CPNI’s guidance document says.
With characteristic thoroughness and alertness to the need for context, whether by site or sector of industry, the IOTS guidance speaks also of security culture: running an awareness programme can be counter-productive if security comes across as too intrusive or unethical, and doesn’t respect data protection and confidentiality when someone raises a concern. Significantly, the scenarios that IOTS raises are not only purely security – such as piggy-backing at points of access – but more general welfare ones, such as the workmate who is unhappy, stressed or in financial difficulties, maybe drinking and letting standards slip, who may be a danger to themselves and colleagues, and maybe prey for fraudsters or hackers or the malicious generally. Likewise, CPNI well understands that it’s not enough to have the actual training material just so; you’ve got to get buy-in beforehand; and afterwards assess how it goes down, and where it’s falling short, do something, and even if it’s succeeding, follow up.
As for the actual training, CPNI offers five underpinning principles to organisational behaviour change. The five Es are:
– Educate why;
– Enable how;
– Shape the Environment (whereby good security behaviour is the ‘norm’, and people have permission and feel confident to trust their instincts);
– Encourage the action; and
– Evaluate the impact.
Cases of insider damage to a workplace, whether IT sabotage, leaking of data or committing fraud, sometimes point to numerous opportunities when the site or company could have detected something wrong, or going wrong, but did not; and yet if something unexpected or unusual is detected, it has to be responded to proportionately (a nod to the Human Rights Act, and because something unusual may not prove to be a security threat, but just someone going through a rough patch), and in good time. While the IOTS and CPNI advice in general avoids mentioning specific cases, we can think of the most famous leaks – by Chelsea Manning and Edward Snowden – showing that the person doing it need not be a permanent staffer, but a contractor; and need not be a senior manager, but at any level that has access to systems or passwords.
As for gaining all-important buy-in, the document suggests working with HR (for IOTS to be included at staff induction), any trade unions, any managers or help-desks that may have to be prepared to receive more reports, and corporate communications if training material ought to have the proper ‘branding’. If you’re encouraging people to ‘intervene’ when they see suspicious or unusual behaviour, it’s a matter of reducing barriers to intervening, CPNI suggests. Among other principles, reporting should be straightforward, and with multiple options – such as a confidential hotline, email or an intranet form. The guidance runs over what your policies and procedures ought to be for the information sent in, such as: how long should information be kept on file? Who has access? What if someone chooses not to make a report, but informally mentions a concern? And do you send any feedback, and if so, what? If a concern amounts to a security risk, it may be too much of a risk to say much or anything; but too little feedback can be damaging. The document gives the scenario that someone sends a report by email and gets an automated reply that their mail will be looked at within 24 hours. If they hear nothing, and the suspicious behaviour continues, the one who reported may feel confused about what, if anything, to do next. They lose confidence in the process.
As for the all-important matter of what is a suspicious behaviour that the employer wants to hear about, the guidance significantly speaks in terms of employees trusting their instincts, an echo of the advice to the public about countering terrorism. As the document sets out, a ‘what behaviours to look for’ list may be useful – if the trainers cannot define what’s to be looked out for, are employees going to be able to? – but it may also not be, because if an unusual behaviour crops up that is not on the list, staff may feel uneasy about speaking up.
How to measure results is the crux not only for all security management and other services, but for any sort of training. Here, as in other training material, CPNI makes as good an attempt as any to answer. Measurement could be: the number of security breaches; staff turnover and absenteeism; costs incurred due to staff theft and damage; and customer trust or confidence. However, the document does go on to admit that ‘these should always be treated with caution’, as who can say whether x happened because of the staff training, or would have happened anyway? CPNI at least is grappling with how to measure outcomes, so as to justify the resources spent.
The tone of IOTS, starting from its plain title, is just right, and is in a tradition of other brilliant official training. In the 1939-45 war, Tee Emm was a regular publication by the Royal Air Force, short for ‘training memorandum’. Articles and pictures alike put across safety messages. Pilot Officer Prune, pictured, was a long-running character who did things wrong, and as a result ‘pranged’. Who can say how many men survived because they heeded the messages, and how many men would have, if only they had. As it’s the 21st century, the animated training material is not in black and white but has a yellow guitar-strumming cowboy with a large moustache and tall orange hat. They are in the same tradition.
For the 21-page guidance document in full visit https://www.cpni.gov.uk/system/files/documents/25/a6/IOTS-Guidance-document.pdf.
For links to the overall IOTS programme visit https://www.cpni.gov.uk/its-ok-to-say-education-programme.
For further information on the materials or to share feedback, email [email protected]