A key aspect of IT and Information Security is the acceptance piece. People aren’t naturally good at this kind of security and generally see it as an annoyance and something they would rather not have to deal with.
Because of this, it is typical in organisations to send out regular security update emails – to help remind users of risks, threats, activities etc.
However, it is often the case that these are deleted without even being read. This week’s question, “How to write an email regarding IT Security that will be read, and not ignored by the end user?”, was asked by @makerofthings and generated quite a number of interesting responses, including:
- Provide a one line summary first, followed by a longer explanation for those who need it
- Provide a series of options to answer – those who fail to answer at all can be chased
- Tie in reading and responding to disciplinary procedures – a little bit confrontational here, but can work for items such as mandatory annual updates (I know various organisations do this for Money Laundering awareness etc)
- Using colours – either for the severity of the notice, or to indicate required action by the user
- Vary the communications method – email, corporate website, meeting invite etc
- Don’t send daily update messages – only send important, actionable notices
- Choose whose mailbox should send these messages – if it is critical everyone reads it, perhaps it should come from the FD or CEO, or the individual’s line manager
- Be personal, where relevant – users who receive a few hundred emails a day will happily filter or delete boring ones, or those too full of corporate-speak. Impress upon users how it is relevant to them
- Add “Action Required” in the subject
It is generally agreed that if it isn’t interesting it will be deleted. If there are too many ‘security’ emails, they’ll get deleted. In general, unless you can grab the audience’s attention, the message will fail.
Having said that, another take on it is – do you need to send all these security emails to your users? For example, should they be getting antivirus updates or patch downtime info in an email every week?
Can users do anything about antivirus, or should that be entirely the responsibility of IT or Ops? And wouldn’t a fixed patch downtime each week that is listed on the internal website make less of an impact on users?
Users are one of the most common weak points in security, so reserving email for the actions that genuinely need them will have far more impact when you actually do need users to carry out an action.
Associated questions and answers you should probably read: