By ProServeIT on March 23, 2017

Email Security: 5 Steps to Develop an Effective Communication Plan

When deploying an email security gateway (ESG), it is recommended to adopt a 3-step approach: 1) Develop an email security deployment roadmap; 2) Create supporting policies for your new email security; and 3) Educate your end users. For the third step, it is important to develop an effective communication plan around your new ESG based on each end-user’s responsibility and use of email.

In this blog post, we introduce 5 effective steps you can take to develop a successful communication plan, which in turn will help you clearly communicate with your end-users about your new ESG.

The details of the first two steps of your ESG deployment – developing a deployment roadmap and creating supporting policies – are discussed in our previous blog: 3 Steps to Deploy Your Email Security Gateway. Please feel free to refer to it before or after reading the current post.

Step 1. Understand Your End-Users’ Concerns

In general, your end-users can be broadly divided into two groups, your executive team and other end-users, based on their different interests and concerns.

4 things that usually concern an executive team
  • CEO – worries about negatively impacting brand recognition or customer trust
  • CFO – worries about financial loss from breach or incident
  • COO – worries about operational downtime
  • CIO – worries about breaches, data loss, new technology implementations, etc.
2 things that generally concern other end-users
Clear communication
  • The average end user works in a habitual manner. If a change is made to their daily repeated tasks, it must be communicated very specifically to them and value must be clearly presented to have their buy-in.
  • Ease of use
  • As long as you are able to show how easy to use the new email security system is, end users are more likely to adopt it. Demonstrate the ease and power of the new controls that quarantine malicious email and the use of black and white lists and their controls.

Step 2. Tailor Your Communications

It is important to effectively communicate any new changes and the overall level of security so that non-technical users can clearly understand them. There are usually four types of reactions that can occur within an office community when important changes take place:

  • Enthusiast – Very engaged and welcoming the change. May even champion the change.
  • Skeptic – Willing to accept the change but without full support and expecting that the change will be worse off for the company’s users.
  • Fence-Sitter – May adopt some of the changes and may not others. Generally, needs convincing that the change is beneficial and is not change for change’s sake.
  • Saboteur – Absolutely opposed to the change and will often refuse to adopt any part of the change unless forced to. May even take an active role in spreading negative information about the change.

Each will have challenges in understanding the need for and the proper use of your new email security system. Try to determine which of the four each of your users fall into. Tailor your plans for each group and make sure that all users are in the right groups.

Step 3. Write an Effective Communication Plan

Here are three tips in writing a successful communication plan that can communicate the changes in the most effective manner:

  • Attention spans are short and both executive and regular end-users love summary statements. Your communication plan should include clear action items instead of long, overwhelming details.
  • Avoid using jargon as non-technical people often are put off by terms they don’t understand. Concentrate on the change’s benefits. If writing usage tutorials, keep the text short and use accurate screen captures.
  • Make sure that employees (executives and regular end-users) know their own responsibilities to thwart the consequences of malicious emails. Employees must be aware that digital threats are looked at and assessed as security to the organization. This means if blatant disregard or ignorance by an employee causes an infection, it will be seen that the employee is a liability.

Step 4. Overcome the Obstacles to End-User Acceptance

Employee education is the most effective way to secure your organization, but it can also be very arduous due to user stigmas and their apathy. The two biggest obstacles to acceptance are fatigue and the Geek Factor.

  • Fatigue can set because users are often bombarded with many daily tasks and may have the tendency to resist learning “another set of rules”.
  • The Geek Factor will often be seen by users who believe IT issues are geeky and uninteresting and they are for IT staff to solve.

The best way to get around these two factors is through acceptable use policy testing. This is a proactive approach. Testing if people are actually following acceptable use policies is testing your organization’s weakest link, the user, and finding the vulnerabilities most likely to be exploited.

Testing is effective because of the ability to identity and address specific weaknesses.

Step 5. Promote a Security Culture

By promoting a security culture, you can have email-based threats mitigated not only by technology, but by people as well. The best way to promote the culture is to develop each user into a security expert.

This allows your organization to go from just a handful of IT staff to a full organization that understands IT and its security. This type of visibility and diligence is unparalleled to any security software or hardware you can implement.

Your organization’s corporate culture has to include your IP and critical systems security. Here are some tips in promoting the security culture:

  • Inform users about threats and how the organization is maintaining its security.
  • Use any and all means necessary to inform your organization: company meetings, town hall style meetings, emails, posters, etc.
  • Create an informational site on email awareness. Include spear phishing attempts against your organization with details, actual emails sent out by IT, and common email structures that are legitimate from your organization’s and other organizations’ users would likely receive an email.

Let us help you create a Security Communication Plan that is right for you

There are many tasks that need to happen before an email security system can be successfully rolled out and used properly. Our team of experts have worked with many organizations to help them build an appropriate email/data security solution and help stakeholders and users buy-in to it. Contact us today! Fill out the form below or send us an email to We will be happy to discuss how you can improve your organization’s email defence.

Published by ProServeIT March 23, 2017