CHELMSFORD BOROUGH COUNCIL UTILISE THE ‘GENERATING CHANGE THROUGH PEOPLE’ SERVICE TO IMPROVE STAFF AWARENESS OF DATA RISKS IN JUST FIVE DAYS
What a difference a week makes – Chelmsford City Council uses the ‘Generating Change Through People’ service to improve staff awareness of data risks in just five days.
MetaCompliance endorse Chelmsford CC for their innovative spin on the ‘Generating Change Through People’ Service during their Information Awareness Week (IA Week), which delivered serious and consistent policy teachings in a fun, engaging way. Popular TV shows were used as part of its strategy to create a culture that values information as a business asset.
In 2009 Chelmsford City Council (then Chelmsford Borough Council) commissioned MetaCompliance to ensure all users received accurate, consistent policy communication and awareness training.
By utilising the MetaCompliance Enforcement functionality the council have already reaped the many benefits of using automation to effectively disseminate policies to staff (see case study*). However, the Council have not yet achieved Level 5 of the HMG IA Maturity Model that it has been working towards.
What they needed was a more structured approach to changing user behaviour and ingraining data protection as a key responsibility in users’ minds. To establish the desired security culture within Chelmsford CC, the Information Asset Owners (IAOs) highlighted that the area most in need of strengthening was the day-to-day awareness of staff. At an Information Management Group (IMG) meeting, the IAOs came up with the idea of a week-long training, education and awareness programme incorporating the newly developed MetaCompliance service ‘Generating Change Through People’.
The business case justifying the need for an IA week stated that:
* Poor information assurance leads to diseconomies, and can also lead to poor quality information which in turn can lead to poor decision making
* People are our greatest asset, but also our greatest risk
* An organisation has three key areas of focus – people, process and technology. A lot has been invested in the latter two – now it is time to invest in the former.
The reasons cited for holding the IA week included:
* Greater focus by Government standards on information assurance and security awareness – activities across this week would provide a massive step in the right direction
* IA week enables corporate Information Policies already published to be promoted
* IA week enables a clear and consistent message to all staff
* Information security and assurance can be seen as dry and dull – this approach would give a fresh feel to this area and further engage staff/users.
A dedicated IA team was formed to organise and run the event. One of the guiding principles when creating the format of the week was to deliver serious and consistent policy messages in a fun and engaging way. It was decided the week would include TV show themed games to provide familiarity and keynote talks with prizes to teach staff the fundamentals of information assurance. “The clever angle would be that each activity would look at learning from a personal and a professional perspective, showing that skills are transferrable and do not stop when you walk out the office at the end of the day,” said Michael Read, Information Manager, Chelmsford CC.
The key to ‘Generating Change Through People’ is to deliver a programme of training, education and awareness. The IA team focused on four key strands:
1. Information assurance and security
2. Future technologies
3. Examples of best practice in services
4. Personal touch – skills to help in private and work life
The importance of the programme was underlined by senior level buy-in, namely Louise Goodwin, Director of Corporate Services and Senior Information Risk Owner (SIRO). The Council’s Management Team also endorsed the week, providing engagement at the most senior level. Commenting on this, Michael Read, Information Manager, Chelmsford CC, said “this provided a top-down message on the importance of information security, which gave a great undertone to the week of events”.
IA WEEK PROGRAMME OF EVENTS BASED ON INFORMATION MATURITY MODEL
A programme of events, most based on well-known TV shows, was devised. The week was based on the Information Maturity Model, with each day designed to create greater understanding and awareness of the chosen topic.
Awareness Monday opened with the SIRO Welcome and Launch of E-learning via MetaCompliance. The first interactive event was a focus on the hot security topic of Mobile Devices and Bring Your Own Device in Game of Phones, followed by a look at the powers of data in Location Location Location and the first run of the CCTV special of Police Camera Action.
Reactive Tuesday started with the comic book take on security breaches in Dataman and SuperSIRO in Info City, before delving into transparency, open data and privacy legislation in I’m Council Data…get me out of heeeeeere! The afternoon featured a special event looking at future technologies in Googlebox.
Proactive Wednesday saw the data security heroes battle in the second edition of Dataman and SuperSIRO in Info City before a second run of Police Camera Action. Information… the weakest link? informed and then quizzed attendees on the risks of information security.
Managed Thursday started again with part three of Dataman and SuperSIRO in Info City, before Dispose it Yourself SOS (DIY SOS). An external security expert delved into cyber security dangers in Big Brother, with the day closing on a look at the council’s Protective Marking Policy in Supermarking Sweep.
Optimised Friday began with the grand finale of Dataman and SuperSIRO in Info City. The morning saw a special edition of Masterdatamind which tested council officers on facts from the week. The afternoon showed the importance of secure destruction in Breaking Bad. The final event tasked all staff with meeting the Clear Desk Policy in How clean is your desk? with anyone non-compliant being greeted with an information assurance poster the following Monday!
The brochure that accompanied the IA Week held information on each event including date, time, location, host and, crucially, ‘how it can help me’.
As well as off-site locations such as the CCTV control room and conference rooms, the IA week programme was also delivered directly to staff at their desktop PCs through MetaCompliance software and the Council’s intranet platform.
FULL PROMOTION AND INCENTIVES PLAN GOT STAFF BUY-IN
The IA team started promoting the programme with a mention in the Chief Executive’s Roadshow in May 2014, 5 months before the event. The SuperSIRO comic book hero was launched and the tone of adventure and entertainment was set.
Two months later, the IA Week featured in the Council’s Late Opening Internal Communication Sessions where details of the programme were released.
Nearer to the launch date of 22nd September other communication channels such as The Gem (internal newsletter) and screen wallpapers were used to promote the event. The IMG were provided with articles to distribute to ensure consistent messages reached staff from various sources.
The IA team took particular care to ask their colleagues to help develop the programme of events. The Staff Forum provided invaluable insights into how to get employees’ attention.
Harnessing the creativity, imagination and enjoyment that went into developing and refining the ideas ensured that staff had bought in before IA Week took place, and senior managers had a say in the activities that took place.
In addition, an Information Assurance breakfast meeting was held the week before the event and was hosted by The National Archives. Other promotional activities that took place prior to the IA Week included the creation of a dedicated section on the Council’s intranet where information was available and bookings to training events could be made. This proved to be an invaluable tool for staff as the webpage received over 1500 views in the month leading up to the event.
Ensuring staff participated in this initiative was a key driver for the IA Team. To mitigate the risk of the project being a flop, a number of steps were taken:
* Securing a partnership with MetaCompliance to help develop the ‘Generating Change Through People’ service
* Awarding prizes at each event
* A loyalty card scheme where those who attended 3+ events entered a grand prize draw for a Tablet device
* The donation of a £50 voucher by Unison
WHAT DID PEOPLE LEARN FROM INFORMATION AWARENESS WEEK?
HOW WELL ATTENDED WERE THE IA WEEK EVENTS?
Attendance at the week:
* 38% of people attended three or more events to be entered into the raffle for the Tablet device.
* 93% of people completed the E-Learning course within the week, completing their ‘Silver’ status (category defines the level of training required by staff and ensures that it is relevant to their level of information responsibility).
HOW SATISFIED WERE ATTENDEES WITH THE EVENTS?
A feedback survey was sent to all attendees, of which 42% responded. They stated:
* over 98% of respondents were satisfied or very satisfied with the overall IA Week programme
* 5 events achieved 100% satisfaction rate, with 80% of events achieving over 87% satisfaction.
The most popular events in the programme, with 100% satisfaction, were:
HOW DID YOU HEAR ABOUT IA WEEK?
6 TRANSFERABLE LEARNING POINTS FROM CHELMSFORD CITY COUNCIL’S IA WEEK
The following key learning points bring together some of the anecdotal feedback received, illustrating what helped IA Week make a big impression on the Council:
1. Start awareness early: The week was first promoted to all staff at the Chief Executive’s Roadshow in May, five months before IA Week was due to begin. This initiated an element of questioning and anticipation around the event.
2. Work in partnership: The IA Team partnered with a range of different organisations both internally and externally, to deliver the week – without these partnerships the event would not have been such a success.
3. Sponsorship and incentivising was a massive help in getting people to attend.
4. Get outside your comfort zone: When attendees walked into the first event on Awareness Monday they did not expect to be greeted with the Game of Thrones music, a smoke machine and Senior ICT Managers wearing fancy dress outfits. This set the scene for the IA Week and got people talking. Any expectations of a dry, dull programme of events were well and truly surpassed.
5. Make it fun and engaging: the quizzes and games made the event fun, breaking up the more serious content and focusing on the message.
6. Mix it up: everyone likes to learn in different ways. The week had interactive seminars, comic books, E-learning, Late Opening, quizzes and challenges.
“I have learnt so much from the sessions and they have all been well delivered, fun and informative. Well done team.”
IA WEEK PARTICIPANT
“The programme for IA Week was really engaging, captivating and immediately generated interest in what otherwise could be a potentially dry subject matter.”
IA WEEK PARTICIPANT
“Whilst IA Week demanded a lot of commitment from staff the cost to Chelmsford City Council was minimal. The week exceeded all our expectations.”
WHAT NEXT FOR CHELMSFORD CITY COUNCIL’S IA PROGRAMME?
Due to demand, consideration is already being given to holding a similar Information Awareness Week in 2015.
By running the IA Week, Chelmsford City Council has developed an even stronger foundation for information security amongst their staff, whilst providing the opportunity to further progress this via ongoing campaigns. The platform for this has been the integration of policies supported by MetaCompliance software. The council is in the process of integrating MyCompliance, which will enable users to self-manage their compliance tasks, and MetaLearning, an effective tool that provides innovative learning to help organisations mitigate the risk associated with a compliance failure.
The team at MetaCompliance look forward to continuing their relations with Chelmsford City Council and creating a culture that protects and values information.