Editor's Note: This is a part of a series of blog posts by Sahil Bansal from Genpact on the topic Nudging Towards Security.
What is a touchpoint? A touchpoint is a point of contact or interaction. In any organization, the Information Security team has a lot of user touchpoints. A few examples are classroom presentations, brown bag sessions, town halls, computer-based training, awareness emails, newsletters, security forums and meetings, intranet microsites, webinars, posters and screensavers.
Why are touchpoints important? A touchpoint is an opportunity to strengthen the Infosec brand. It is an opportunity to influence behavior. If we are consistent in our communications (logos, themes, colors etc.) across all our touchpoints, people will start recalling Infosec more and it will ensure our messages stick. It will get us more attention and people will remember us more. Over time, people will start associating with the Infosec brand and what it stands for. That’s what the mere exposure effect is, a bias of our mind: the more users see a brand, the more they start remembering it, understanding it, associating with it and liking it. This could lead to more desirable behaviors.
Do you think you are already consistent across all user touchpoints? Think again! In many organizations, there are user touchpoints that don’t get the attention they deserve. The proxy block messages users see when they try to visit a blocked website, the pop-up block notifications when they try to plug in an unauthorized device, the anti-virus alerts, the VPN login screens, Infosec service request forms and the incident alert email notifications often fall in this category. These touchpoints give us a great opportunity to expand our brand’s presence, interact more with our users, add teachable moments and make an impact. So why ignore them?
How can we implement great messages at these touchpoints? Once you have identified all your touchpoints, work with the teams that manage these functions within the organization. If there is a dedicated team managing the proxy, work with them to implement a user-friendly block page that is also consistent with your brand. It can be a funny page or it can have a shocking fact. It can have a quiz or a game. It can have anything you want. Your designers can design these new pages and the coders can write the code for whatever you want to put up on that page. If you have a third party managing it, work with them to get it done. Once done, these avenues can be a lot more user-friendly and an opportunity for us to nudge behaviors.
In some cases, you might have to work with external vendors and partners. They might have product limitations in terms of what you can customize, because user experience and branding have not been a key priority for many security companies for a long time. But if we can work with them, this can definitely change. Lastly, it would be really helpful to have your internal communications on board when you begin this exercise.
In case you would like to read the earlier posts, you can find them here:
- External email tagging to avoid phishing scams
- Reducing data leakage incidents due to employee mistakes
- One click report spam for quicker response
- Making security personal
Speaker Bio – Sahil leads the security awareness, training and culture change initiatives at Genpact. He holds a B.Tech and an MBA and has done courses on Social Psychology, Behavior Economics, Marketing and Branding. At present, he is helping the Genpact information security team look at the problem from a people perspective. He has also worked with other IT giants like Infosys and HCL Technologies in the past.