Some people are driven more by money than flexibility or choice. (See also how salary changes can be used to enthuse staff about data security).
So while the following system can be set up for all staff, it may only be adopted by some. No matter - so long as there are more than one way to enthuse people and that at least one way works for each person, then the result is beneficial.
What about the data security savvy staff?
It is relatively easy to create a bonus system so that a small amount of money (as low as £25 perhaps) can be provided so that everyone achieving, say, >80% on monthly (say) Data Security tests gets the bonus. This can be set up so that they get the bonus each time they achieve the score, or (if they already have achieved 80%+) can be varied so that they need to get at least 2% more than they got the previous time (say). This might continue until 95% (say) when they get the bonus every time they go over 95% thereafter.
What about the staff that find data security hard?
One danger is that some people will get this every time because they find it easy, while others might have a great deal of difficulty getting their heads round some of the issues. Clearly, if you have a member of staff that simply does not take data security seriously or is unable to learn, then you have a bigger problem - and need to consider whether they are viable in their position.
Perhaps you could have an increasing bonus so that if someone fails to attain the target, then the next bonus is slightly higher - and that this continues until the get it. Eg the first month they fail to get 80% so don't win the £25 bonus. So the increased bonus if they get it in the second month might be £30. If they fail to get the second month, then it might be increased to £35 in the third month etc. Once they get the bonus, it resets so the next month is £25 again - but they have, by that point, already learnt enough to get 80% so will likely find it easier (and more lucrative) to continue to gain the monthly bonus even when lower.
Please note that they would make more money by winning each month so it is not a case of losing several months to win bigger later.
Please also note that if someone fails month after month, then you have a major hole in your data protection system. This may require a different approach to incentivise that person, or (as mentioned above), maybe that person is not suited to that role.
What is the end result?
Ultimately, you will be paying everyone the bonus every month. If you have achieved everyone getting at least 80% correct in their data security scores, then this is definitely a win:win scenario!
Make the tests representative...
By making the tests similar to the sort of thing they face in their daily life, they will be able to apply their learning directly. Eg. Don't ask them "what do the data security rules require when someone asks for personal information that they say the organisation is keeping about them?" It would be far better to ask "You receive a phone call from someone wanting a copy of their personal data held by the organisation. What do you do next?"
This approach forces them to think through the sorts of things that people might say and what they need to respond (and most importantly) that the staff member must first check and verify the identity of the individual before taking any such request any further.
This is one of a series of blogs on how to optimise your Data Security Controls by focusing on individual interests:
|1) Introduction: Introduction to string of blogs on how to encourage individuals to take data security seriously and apply it with enthusiasm
|2) Staff Benefits: How do you appeal to individuals to encourage them to adopt and develop the data security system requirements with enthusiasm.
|3) Business Benefits: The Business benefits of getting good data security controls - as a contrast to the benefits accruing to the individuals involved.
|4) Salary Impact: Some people may be influenced by money and be encouraged to learn more if this is reflected in the reward structure.
|5) Work Reduction: Some individuals react to the idea that they will have less work to do if they set things up well in the first place - it certainly is true for data security.
|6) Bonus Payments: Where money is a key driver, but a change in salary is not possible, maybe a bonus system can be used instead to enthuse people into learning more about data security.
|7) Tailored Training: Some people react well to being offered additional or specialised training - possibly with additional side benefits - whatever it may take to enthuse them to absorb data security awareness.
|8) Choice of Equipment: Some people may choose to improve their working environment and this can be a method to enthuse people about data security too.
|9) Holidays: Some people enjoy time off - and the ability to earn some spare hours may be sufficient to enthuse people about data security enough to earn them.
|10) Moral Compass: Some people are driven more by their moral compass than whether they are paid more money or have time off. These are key people in your organisation as they will help steer the straight and narrow path.
Your feedback and contributions would be welcome to help to hone these ideas for all to benefit from - please contact us via the https://www.securebusinessdata.co.uk/contact or call us on 0345 600 6975.