The message tagline could be the organizational equivalent of, "If you see something, say something." The message should highlight to be on the lookout for violations of policies and procedures. It is also critical to remind employees that it is people, just like themselves, who have stopped major insider crimes.
You must however avoid manifesting a modern day Salem. The focus of your guidance should be telling employees to look for behaviors that are clear violations of policies and procedures. Examples include observing people looking through other people's desks, asking for passwords, being in areas that they do not belong, and attempting to access other people's computer accounts. There are also financial and other wrongdoings related to job roles and industry sector.
A more delicate, but just as important, aspect of awareness is for people to be comfortable reporting uncomfortable feelings. This is admittedly vague, but uncomfortable feelings have resulted in catching malicious insiders in a variety of incidents. In one case we are personally familiar with, an employee felt uncomfortable that one of her coworkers was speaking Chinese a lot on the telephone at work, and they did not work with any Chinese people. The woman reported the incident and an FBI investigation uncovered that the employee in question was funneling information to Chinese intelligence operatives.
Everyone violates policies and procedures at some point in time, without malicious intent. However, people need to know that some of the most harmful incidents were stopped because of observant employees. Again though, the focus is on reporting of incidents, and not of the individuals committing the violations. This is important for a wide variety of reasons.
The action that employees need to take is to simply report the questionable incidents to Human Resources, their management or the security team. However, you need to remember to allow for anonymous reporting and have strong measures in place to protect the identity of the employee reporting the incident. Reporting another employee can clearly result in negative consequences for all involved. The anonymity is critical even if it potentially means that it is impossible to gather criminal evidence. The goal is to detect incidents and stop the loss. Most organizations should already have an established incident reporting structure. Those that do not should consult with the legal and human resources departments to create one.
Clearly, when trying to motivate employees to inform the organization about the violations of other employees, you should get the Human Resources and Legal departments involved in at least approving the awareness materials that are distributed. They very likely will be able to provide guidance on how to best implement other aspects of the program as well.
Sign up for Computerworld eNewsletters.