Cybersecurity is more than just technology, policy, processes and protocols. It’s also about people.
Without a people firewall, a technology one will be futile.
Building an effective human firewall requires effective organisational change management (OCM).
Why? Because you are asking people to do things differently and to do different things.
So what are we asking employees to do differently?
- Not to click on URLs embedded in emails, tweets, posts, etc. unless 100% sure of the authenticity of the source. Phishing attacks are the most common way organisations and individuals get hacked. That click can install malicious software.
- Use stronger passwords and change them more often and DO NOT write them down.
- Avoid using public Wi-Fi unless using a VPN. Hackers can capture sensitive password information sent on a public Wi-Fi.
- Only store ‘authorised’ content on a work device. Unknown outside content can open security vulnerabilities in the network.
- Don’t connect unauthorised devices to the organisation’s network. The devices could be infected.
- If in doubt, shout it out! Employees should raise the alert if they believe there has or could be a security breach.
I am sure there are a lot more things the security team want employees to do, and some of the things listed above can be prevented via technology. However, others cannot.
The need for organisational change management
When we ask employees to change their behaviours we will most likely be met with some resistance. Increasing cybersecurity is not optional for organisations that want to survive. So getting people to change behaviours is paramount.
Very little has been written, to my knowledge, about the need for organisational change management (OCM) to address cybersecurity threats. A lot has been written about communicating the need to change yet successful cyber threats prevail.
Despite common belief, OCM is about much more than just communication. Communication is a key component, but on its own it is not going to have the desired effect.
Change sponsorship and leadership
Change sponsorship is essential for effective change.
Without primary or executive sponsorship that can link the need for cybersecurity to the strategic needs and survival of the organisation, it has no substance.
The primary sponsor is the person ultimately accountable for a change and is required to assist in the removal of barriers and blockers when they occur.
Change sponsorship needs to cascade down through the organisation. The need for cybersecurity and the change in behaviours needs to be communicated, demonstrated and supported throughout the organisation.
These sponsors (or change leaders) need to demonstrate commitment to the changes needed, model the required behaviours, ‘walk-the-talk’ and lead by example.
Effective sponsorship does not come naturally to every leader in an organisation, so OCM needs to ensure that these leaders are equipped with the skills, capabilities and tools they will need to be effective sponsors. You can read more about sponsorship in an article I wrote some years ago.
Resistance to change may surface for many reasons and a key one could be that people don’t understand why they are being asked to do something differently.
- Why am I getting asked to reset my password more often?
- Why am I getting asked to create more complex passwords that I then can't remember?
- Why can’t I connect my personal device to the network any more?
Resistance to change is not always a bad thing. It could just be telling you that you have not done enough to get people on board. Removal of resistance to change is a measure of success. Its existence means more effort is needed.
There are many ways to surface resistance to change. Unless you understand it, you cannot manage it. I use the word ‘surface’ deliberately because you have to uncover it. What you are seeing on the surface can be very different from what is really going on.
Listening is a technique to surface resistance. This could be formally in team meetings or informally by the water cooler.
Asking questions and delving deeper can uncover causes of resistance. This could be on a team basis or one-on-one.
Observing behaviours can inform where resistance is coming from.
Carefully constructed surveys and questionnaires are formal techniques for surfacing resistance and informal techniques could include feedback channels such as suggestion boxes, and idea walls (where employees can put up sticky notes with their questions or ideas).
The techniques you utilise to remove the resistance to change will likely include one, if not all, of the following three OCM activities.
Communication during times of change is of the utmost importance. But it is not an email to the entire organisation telling them that they are going to be asked to change their passwords on a monthly basis rather than a quarterly basis.
That is broadcasting.
Communication is two-way so any communication should provide a feedback channel for questions and clarification.
Communication should be tailored to the needs of each audience. The email about how to avoid cyber-security attacks that goes out to the finance department should be very different from the one that goes out to the IT department, due to the nature of the audience.
Communication has to engage. This is easier in verbal communication but not impossible in written communication.
Make it personal. Do you think employees might take more interest in cyber-security threats, and in avoiding them, if they were informed that organisation data, including all staff-related data, could potentially be at risk? Make it about privacy, not security.
Make it clear that a successful cyber-attack could take the organisation out of business through loss of data, money and reputation. This means no job!
Tell stories. There are plenty of accounts of successful cyber-attacks available that can be used to illustrate what the impact of a similar attack could be on their organisation.
Make it visible. Use posters and banners to get the message across, but make them interesting! NO PHISH THIS FRIDAY!
Educate. Educate. Educate. Do it before a breach, not after! That’s a bit late.
Do it on a regular basis.
Include in the education program the organisation's accountability in regards to security, and that of the employee.
Educate the entire organisation, not just front-line staff.
Whilst educating employees about the security measures the organisation has in place through technology, also make it clear that any system is only as secure as its weakest link – which is usually a human being.
Train employees to recognise an attack and provide them with specific instructions about what to do. Assure employees that there will be no disapproval if it is a false alarm. Employees must feel comfortable raising the alarm based on the slightest suspicion.
Use simulations (experiential learning) to bring cyber-security to life. No-one ever learns from ‘death-by-PowerPoint’.
Simulations can also be used post-training to determine how much of the training has been absorbed and whether employees would act in the way expected in various security scenarios.
Make sure you measure the effectiveness of any training program so that it can be continually improved.
When staff are involved in finding a solution to a problem, they feel they have ownership and accountability. So look for innovation and creativity. Ask staff for ideas on how to improve security, increase awareness, change behaviours and so on.
Finally, keep on reinforcing the need for cyber-security measures. Repeat the communication and training that worked. Keep on looking for new and innovative ways to get the message and the adoption of change across.
Celebrate successes such as detected threats, and reward and recognise (publicly) those who have shown themselves to be active supporters of the cybersecurity program.
Organisations cannot afford for employees to put the future of the organisation at risk regardless of whether it was unintentional.
Employees have to live and breathe the threat of cybersecurity – at the end of the day it is their security that is at threat too.
Effective (and I mean effective) communication, repeatable and responsive training programs, employee participation and continual reinforcement of the message will help secure the organisation from a security breach.
Does this take time and effort? Of course it does, but can you afford not to do it?
Organizational Change Management and Cybersecurity