Cybersecurity and accessibility in crisis communications
What if something happened at work but you didn’t know––or worse, what if your company sent out crisis communications, but you couldn’t read it?
Your workplace security plan is only going to be effective if your entire workforce can access it in a way that is best for them—in their preferred language, for example. Unless your plan is intentionally designed to be accessible to everyone, companies risk leaving portions of their workforce out of these vital communications.
Having accessible cybersecurity communications is key, but having a diverse set of stakeholders at the decision-making table when developing them is just as essential. An emergency email notifying employees of a data breach, cybersecurity event, or other crisis communication could come through at any moment. You need to be informed to be able to best protect yourself––and your workplace.
In Episode 3 of Empowered, we speak with Jodi Beaubien, Senior Crisis Communication Executive, Data Breach at Symantec, about cybersecurity, accessibility in crisis communications, and workplace security.
What does it take to radically transform and disrupt our workplaces? Below is an edited transcript of Episode 3 of Envoy’s new podcast, Empowered: Envisioning Workplaces That Work, which explores what thriving, diverse, and innovative workplaces look and feel like, and what makes them tick. Spoiler alert: it’s the people.
We engage in timely discussions about the workplace experience and celebrate those who challenge the status quo in all aspects of the contemporary workplace––through the lens of the all-important human elements. Hear workplace experience leaders, creative problem solvers, and other cultural producers reveal how they create the workplaces they want to see in the world: their wins, pain points, and all the moments in between.
What goes into effective crisis communication around cybersecurity?
First of all, Jodi––thank you so much for being available for this. I’m excited to have the chance to collaborate with you again. When we met, your focus was on improving and optimizing internal communication within the workplace, specifically for non-desk or distributed workforces. Now, you are at Symantec where you’re a senior crisis communication executive for cybersecurity solutions. Tell me about that role and what you’re doing there.
JB: I am new to this role but it does follow my path of internal communication for organizations. My work is more focused now on the consumer. As you know there’s been a lot of data breaches that have happened over the past five years or so. There’s been this onset of cyber activity that threatens not only consumers but employees as well.
My job is to help organizations, insurance carriers, and lawyers, for example, communicate effectively internally: to message and distribute information to individuals that have been affected by a data breach.
It’s a kind of triage, coaching and teaching individuals best practices when it comes to cybersecurity events. It sounds fancy, but it’s like an ambulance service within communications.
It’s such a specific area of an organization’s larger cybersecurity communications strategy. What are some of the key areas within crisis communications and what do you focus on when you’re making your case for specific cybersecurity measures within the workplace?
JB: One of the key factors is to know that every single cybersecurity event is unique and there’s not a playbook per se. The messaging around how you’re communicating that cybersecurity event to the affected population is important.
Let’s say a company has a data breach and all of their customers are impacted. The first thing you think is, “What does this mean for me?” A lot of times, companies just send out notices to those individuals because the law requires them to, but you don’t really know what to do.
For example, you might have received several email notices from the same company. Your question might be, “Do I need to enroll in the service that this company is providing me with? Does my previous enrollment cover me or do I just throw this letter away because I received so many of them?” One of the real key indicators, at least with Symantec, is that we have a strong brand identity. When you get something from us, people take notice and that’s important for our customers.
The other side of this is that my role and my passion is to make sure that people are treated fairly across the board. A lot of organizations follow what’s required by specific state regulation, but the customers that we’re dealing with are paying a premium because they also want to protect the consumers. They’re not just worried about meeting the bare minimum. They want to protect the consumer, and I think the more entangled we get into this cyber world, the craftier these cybersecurity ‘pirates’ are becoming with our data.
Everything we do is online. As a consumer and also someone that believes in this service and this product, my job is to make sure that we’re communicating effectively so that people receive the cybersecurity coverage that they need, but also that they’re taking action. They’re not ignoring these notices that they receive in the mail or via email.
Tips on how to put the customer first in your workplace security strategy
I like the consumer perspective that you brought up. I get those notification emails all the time notifying me that my information has been compromised. I’m curious about that gap between the business experience and the consumer experience. I feel like that’s one of the biggest challenges in tech, for any business, to bridge that gap and make it as good as the consumer expects it to be.
Are there some trends that you’re observing when it comes to workplace cybersecurity plans? What’s coming up in your conversations with customers or that you want to make sure you champion with them?
JB: 100% I love that question, and I think one of the things that most companies have been doing and will continue to do are these training modules, but that’s a bore and not even effective. You can click through, fast forward, and you don’t have to pay attention to it, and you know, at the end of the day the employee has a job to do.
When you’re talking about the workplace, when you take employees out of their function and put them into this module training, their interest level is going to be very low.
However, one of the things an employer can do proactively is to require regular password changes––not just for the overall cloud based system but individual applications as well as limiting the plugins and downloads that employees have access to. There’s a ton of software out there right now that restricts what an employee can put on their computer, especially if it’s a work-managed device.
Using free airport Wi-Fi? Your data security is at risk
JB: I travel pretty much every week and I see the same people at the airport traveling for business as well. I often wonder if they are using the free Wi-Fi in the airport. When they’re on the plane, are they using the open network on the airplane? If they are, they’re exposing anything and everything on their device.
I wasn’t aware of this until I got into the cybersecurity industry. Simple things like requiring a VPN network or supplying it so an employee has the choice to make that smart decision when utilizing public internet.
Is this coming up as a top pain point in your conversations with customers? Protecting access, whether it’s Wi-Fi credentialing or something else within the workplace experience?
JB: I wouldn’t say it’s a top pain point, because I still think that there’s some naiveté around the risk that’s involved. I know IT managers and workplace security professionals are completely aware of this risk. I go to a lot of data privacy conferences and you know, GDPR is what everyone’s been focused on for the last three years or so.
Even within that GDPR regulation, we all know that internet access is how the bad actors are getting into our information, and people who were previously in this data breach role, were concerned about employees shredding documents. That’s not as much of a concern anymore; exposing your information via the cloud, Wi-Fi access, and device protection are.
Cybersecurity and data breach protection: definitely not a ‘nice-to-have’
Symantec released their 2019 cloud security threat report and the hypothesis for this study is that adoption of cloud-based services is on the rise. As cloud-based services rise, cybersecurity threats are also growing as a result, and organizations aren’t effectively keeping up with or managing these cybersecurity risks. Was there anything that surprised you or stood out to you in the survey responses?
JB: I think organizations are beginning to limit what employees can download, but still we’re seeing an uptick in data breaches. While we know that the company has control over what an employee can put on their computer, it’s also surprising that there’s not a lot of security considerations around physical handling of devices.
For example, leaving your computer open? That’s a cybersecurity breach. So is not properly shredding documents or unsecure physical file storage. Those are all scenarios that can compromise consumer and employee data.
I’m still surprised at the number of data breaches that are growing despite the intelligence that we have around how to protect information. I also think a lot of organizations are perceiving this as device protection and management, dark web monitoring. Those are considered nice-to-haves, but in my world it’s a must-have.
We have a way of protecting ourselves and organizations have a priority to do that. I don’t see that they’re actively taking that option as seriously as they should.
I imagine you get questions about how to manage security for multiple cloud-based services. Is that something that comes up in your conversations with customers?
JB: My focus has primarily been on messaging around when there’s been a cybersecurity event. When there’s been an incident, we think about how we are going to communicate that across the organization and to the insurance carrier. In today’s day and age, a lot of organizations have cyber insurance. Years ago that wasn’t something that was popular, but with the rise of cyber events, cyber insurance covers employees, organizations, and so forth.
These companies procure our services to protect against when there has been a cybersecurity event or even before there’s been an event .
Why you should incentivize workplace security
What kinds of conversations do you think workplaces need to be having and engaging in now about cybersecurity? Are there any missed opportunities that you want to talk about?
JB: Absolutely. I think one of the biggest conversations that we have is awareness. An employee may think––depending on what their capacity is and how intricate a level they are at within the organization––if they have a company device or if they have access to records or the room where the records are kept, I don’t think that employees are aware of the sophisticated cybersecurity attacks that are out there. So one of the things is, you know, knowing what your impact is.
When we’re doing these modules and sitting at our computer and kind of required to do it, you don’t really feel that you have equity in that particular event because it’s forced upon you. Maybe rewarding employees for not having a data breach or for not exposing their information should be considered. For preemptively changing their password.
At Symantec, there’s all sorts of reminders that we get internally to change our password and we’re safer than a police precinct. But, I think that our concern around how we’re handling information, we take it very seriously, and I think that you can spread that by incentivizing employees to act with more caution.
Like a gamification of cyber security.
JB: Who doesn’t love a game or reward, some sort of acknowledgement for their impact?
Are your cybersecurity communications accessible to everyone?
I want to return to a comment you made earlier about equity and making sure that crisis communications are being distributed in a way that speaks to the entire workforce. You’ve mentioned recognizing early on that not everyone hears, listens, and processes information the same. Can you speak to why keeping this concept in mind in crisis communications is so important to you?
JB: The diversity in workplace culture that we see is expanding, which is a beautiful thing and I’m so grateful for it. It’s important to me to see diversity in a workplace because of the ideas. The way that people process information differently can lead to more collaboration.
What we know already through HR and cultural research is that people hear things differently. When they listen differently and they act or process information differently, this leads to a different outcome.
It’s important to include various individuals within conversations, whether it be in the development of training materials, coming up with ideas, or designing processes that are company-wide. Including a variety of individuals in that process allows you to represent your workforce and your customer base––that’s a novel idea, but you also extend the reach of that information.
The minute that you have a diverse group creating this content or these policies, you start to have more information about who you’re communicating to and the outcome can be more effective. We are so well equipped with information about different audiences through research, through these inclusion groups, but it’s another thing to take it a step forward and to include them in the conversation from A to Z.
It’s about access and accessibility. How do you recommend making crisis communications more accessible? Let’s start within a cybersecurity incident: how are people getting the notification?
JB: Not everyone reads in English. They may speak English well because it’s a requirement for their job, but the minute they have to read it, they may turn off. It’s important to understand who your audience is.
I can’t give you a specific example of a data breach, but I can tell you that during 9/11, for example, I worked for the city of New York. There’s a lot of diversity in a city of 8 million people. You can imagine the number of languages that are spoken, but the primary crisis communication was sent out in English. There were resources available to individuals that had been in a three-mile radius of the World Trade Center or that were impacted by it, but the resources went unclaimed. A lot of those individuals had no idea they had benefits available to them because they didn’t read English well.
JB: Despite census information about various zip codes, we failed to use that information to better inform getting this crucial information out to those who needed it. There’s been many incidents where they could have performed better and made sure that they included various languages. I have to question whether or not they intentionally didn’t communicate in multiple languages because of the cost associated with it. It’s always best to make sure that you’re communicating across various demographics that you’re aware of from the outset.
Diversity in the room: why you need to prioritize difference when creating a workplace security strategy
That’s a really powerful example. It’s one thing to have the information, but if people aren’t getting the information, they’re not able to perform.
JB: When you talk about diversity, if you have someone present in the room that represents who you’re communicating to, that would’ve been the first thing out of that person’s mouth is: “We need to include this in Mandarin or Spanish,” etc.
When you don’t have diversity in the room, it’s hard to think like the diverse audience would. This is yet another case in point of why I don’t think it should be a choice for companies. I think it should be a required, mandated business function.
When we met, I was so impressed. As you were just about to embark on getting your SHRM (Society for Human Resource Management) certification.
JB: At the root of everything that I’ve done professionally, I’ve always thought about individuals that were under-represented. I grew up in San Diego and New York. In San Diego there were a lot of immigrants that would come over the border from Mexico, work for the day, and then go back. I saw the same thing in New York. There was no border to go cross over, but there were different boroughs that people lived in. They’d come to Manhattan for the day and go back.
I didn’t see a lot of diversity outside of service roles, and that’s something that always bothered me. So when you and I worked together at Beekeeper, I was excited about helping people communicate that didn’t have a corporate email address or that are sitting in an office to have that face-to-face representation. Now, I’m advocating on behalf of consumers, and I think the same thing is true.
When we send out notices that there’s been a data breach or that your credit is affected, there’s a lot of different facets to this. One, your ID can be stolen, and this can impact your credit. Someone can use your healthcare information so that when you go in to the doctor, they tell you, “No, actually you don’t have insurance benefits because you’ve already used it.” We’ve seen people get arrested when they land at an airport because someone stole their identity. It triggered when they use their ID to cross into the country and so forth.
There are many instances where if a cybersecurity event is not communicated effectively, it can ruin someone’s life. The reason why diversity is important in this role when it comes to crisis communications is because it doesn’t have to be a data breach. It can be a power outage, for example. Employees that don’t have a voice are left silent or if they don’t read the language or if they’re not a part of the board or the committee, they are these shadows just operating in the background.
I’ve always been passionate about pulling people in and including them in the conversation, or at least trying to think in terms of how we can advocate for those that can’t advocate for themselves. This is a completely different role for me with cybersecurity, but the same root effort and focus remains: making sure that we’re thinking on behalf of everyone, not just those that look like you or like me.
Are you implementing trainings that include some of these best practices around diversity and inclusion?
JB: Not yet, but I’m really excited to. We have so many different groups represented internally in our organization, whether it be women, minorities, veterans in tech. When I tour and go to all these different conferences I see the same kinds of people. I’ve joined each and every group that I can, because there’s a lot that I still don’t know in terms of what’s missing, what the voids are, and who’s not being represented.
We have recently merged equity and inclusion into this diversity equation, which should have been a part of the conversation from day one. It’s not enough, obviously, to only have a diverse workforce. You need to include those that are in that workforce through inclusion, and then you allow them to have a seat at the table through equity. There hasn’t been a training that’s been designed, per se, but it’s definitely my guiding principle and my guiding light within how I operate.
One-stop shop: simplified user experience is the future of complex cybersecurity
I’m glad you named that it’s this holistic comprehensive process. It doesn’t stop at getting people in the door. It needs to literally include them in all these other ways. Are there integrations––that could be a literal technological integration or maybe a partnership that you’re excited to pursue or that you’d like to see happen in the cybersecurity space?
JB: Well, I think one of the trends that we’re seeing now is partnerships with fully-integrated services. So not necessarily with regard to diversity, but who wants to shop at multiple stores when you can just go to a grocery store and get everything. So we want to be a one-stop shop. Make it easy, whether you’re educated or not, to protect yourself. I think that a lot of times people don’t know their options, so you just make it simple for them despite their education level. If you have to do too much work you just kind of burn out. You don’t even put a lot of effort into your rights or in protecting yourself. We just want to make it simple.
As one of the leaders in cyber security, I can’t tell you how often that when I go to events, people will ask us what are we doing there. Individuals may or may not be aware of what their options are or what we do, and I think it’s really important that you just make it easy. Protecting and educating yourself should be something that’s accessible. We just want to make sure that we’re marketing and branded properly and as a clear choice.
What are some workplace security resources that we can expect to see from you and from Symantec?
JB: One is the internet security threat report that comes out quarterly, I believe. We also produce a magazine which is glossy and thick pages and fun to read. I think that’s something that’s important as well. When we start to use jargon, it isolates individuals.
We do a lot of internal training. We have so many different specialists and individuals that used to be hackers, for example, that are employed by our organization. The idea is to think about it from the other side. What type of vulnerabilities do we have? How can a consumer be smart about it? So those are some available resources.
As a customer, we send out a newsletter that talks about the trends that we’re seeing in workplace security. Those are things that I’m excited about. I think a lot of organizations offer resources, but there’s usually a tie-in, something for sale. One of the ways that I think we stay up as a leader is that we’re not selling the product. We’re educating consumers and making our services available to them, but it’s not a hard push for a sale, per se.
Since we celebrate people that are changing the status quo in the workplace like yourself, is there anyone or multiple people that you are inspired by, that you feel are challenging the workplace status quo of the workplace? If so, what are they doing and what do you want to see more of?
JB: I have several individuals that I admire. Bozoma Saint John for one. I think that there’s a lot of movement in various publicly-traded companies, and it’s very easy to stay seated and settled because of your salary. She took a stance and left her job because she wanted to have some solidarity with women on our rights as well as our inclusion in these conversations.
One of the things I want to see more of is diversity in different professional groups. You’ll see certain people in certain capacities, like engineers for example. I get excited when I see someone that I don’t typically see in that kind of role because it just means that we’re growing as a culture.
I definitely think that you can’t say enough how important diversity is. We’re still talking about this even though I would say within the last five years, we’re starting to see roles created at organizations centered on diversity inclusion and employee experience. There’s a lot of different ways to qualify what that is, but I totally agree with you. I’m excited to see organizations, especially in tech, prioritizing this and devoting resources to it in every sense.
Thank you so much, Jodi. It’s been a pleasure. Where can people find out more about you and what you’re doing?
JB: I’m on LinkedIn, and I’m starting a blog myself in the near future. It’s going to focus on sales, product marketing, and bringing people together so that they can continue educating themselves outside of their traditional role. If you understand the product, then you can sell it, and if you understand the sales team, you can create a product that they can represent. I just want to bring all that together and make sure that I’m using my skills properly.
I can’t wait to read it. When’s the launch date for that?
The goal is August, but I’m trying to enjoy the summer a little bit. So we’ll see if I’m being too ambitious.
We all have a story to tell about our working lives: how we got there, what we experience, and what we can do to make it better. Find more information on this episode of Empowered in the episode show notes. For more details on how to get involved, listen to full episodes and discover more about how to challenge the status quo in your workplace, check out the Empowered series page. You can also read episode recaps right here on the Envoy blog.