Will you de-risk your business by ‘nudging’ employees to adopt safer behaviour?
A report published this week (The Worldcom Confidence Index) shows that CEOs around the world think that the #1 threat to achieving plans is legislative change like GDPR and the #3 threat is cybercrime. The report also shows that employees are set to receive much more attention from their leaders. In the UK, the number of leaders planning to give employees most attention (out of all audiences) increased 108% from 2017! This may be because the #2 threat to plans is seen as a lack of available talent. But I think it also reflects the fact that employees have a pivotal role to play in protecting businesses against the #1 and #3 threats. Take GDPR, which affects any company communicating with an EU citizen. It is a good example of a legislative change that requires employees to change their behaviour. The penalties for non-compliance are existence-threatening for businesses so it makes sense to make sure that employees not only understand what is required but also adopt compliant practices.
The Cisco 2017 Midyear Cybersecurity Report predicted new ‘Destruction of Service’ attacks, and that the scale and impact of threats will continue to grow. The report said that security effectiveness starts with closing the obvious gaps and making security a business priority. Patrick Müller at Sophos agrees: “Technology can only protect you so far in the war against cyber crime. We believe it’s essential that every organization is proactive in educating its employees about safer cyber practices. This needs to be a continuous activity as cybercriminals are constantly innovating to find new ways to breach our defences.”
Employees are recognised as one of the main conduits used by cybercriminals to breach an organisation’s defences. And, just like failing to comply with GDPR, suffering a cyber breach can be existence-threatening.
So how do you get employees to change their behaviour when issues like data protection and cyber protection may not be high on the daily agenda?
I think we should look to a combination of nudge theory and Robert Cialdini’s six laws of persuasion. Nudge theory, developed by Nobel prize winner Richard Thaler, has been adopted by governments to encourage citizens to change their behaviour. It marked a shift from trying to drive behaviour through the threat of penalties to encouraging people to make decisions that are in their own self-interest. And, at the heart of its success is a communications approach that makes it very easy for people to take a particular decision.
Organ donation is one example of where simplifying decisions has worked well. Unlike the UK, Spain operates an opt-out system, which means citizens are automatically registered for organ donation unless they choose not to be. The Spanish opt-out system has helped Spain become a world leader in organ donation.
But issues like cyber security and GDPR are somewhat different. Staying safe requires many different decisions, made by many people, day after day. So, it will require an internal communications programme that is specifically designed to make each of these decisions easier – and then to reinforce them. And that’s where Cialdini comes in.
Provide employees with social proof to become GDPR compliant and cyber-safe
Cialdini’s work makes it clear that we all use ‘shortcuts’ to help us make decisions. For example, if we see other people like us making a certain decision, it’s enough to trigger us to make the same decision too. Cialdini calls this social proof and I believe it should be the foundation of a nudge campaign for employees to become GDPR compliant and cyber-safe.
But you don’t need to stop there. Another Cialdini ‘shortcut’ is what he calls the law of commitment and consistency. Charities have become very effective at combining this with simple ‘nudges’ to create very successful campaigns. I like to call it the law of small steps because it’s all about making small steps towards an endgame rather than trying to get people to get there in one big leap. For example, if a charity invited you to go on a big march in aid of a cause, such as eradicating landmines, you might decide not to because it feels like a big decision (a big leap). But if they ask you to do something very simple, such as tick a box to confirm you think all governments should outlaw landmines, you’re much more likely to take that simple action. By doing that, you have made a mental commitment to eradicating landmines. And having made such a commitment, if the charity asked you to take another step to eradicate landmines, such as send a letter to your MP, it would be entirely consistent with your commitment to do so. A few steps later you might just find yourself holding a placard on that march!
So, if you want to de-risk your business when it comes to GDPR and cyber crime, a little social proof and commitment and consistency can nudge your employees in the right direction.