In my work penetrating different layers of organisations, getting to the core of the issue, it’s relatively clear that, in many cases, employees don’t understand ‘why’ it’s important to be cyber secure, and see certain tech or processes as barriers to their ability to carry out tasks in relation to their job.
Worse still, they feel that the expectations of their employer are unreasonable, especially in situations where the employee feels undervalued, where the stakes are high and the reward disappointing. This needs to be unpicked, and appropriate action taken, before any culture change can occur. Otherwise, it’s a bit like trying to outrun a sports car on an old bicycle with a flat tyre.
Is there really such a thing as a cyber secure culture, and what does that actually mean? More importantly, how do we get one? A cyber secure culture is one wherein people ‘get’ cybersecurity, do it almost instinctively and support each other to do the same. It becomes a habit, a subjective norm, so the ones who aren’t doing all the things the organization expects of their colleagues, like changing passwords to more secure ones or turning the screen off (even if it is the 10th time today!), become the aliens, the ones who stick out like a sore thumb.
Imagine you are in a public toilet and people are coming in and out of cubicles, washing their hands with soap and water before leaving – but there’s one person who doesn’t. They throw open the cubicle door and head straight for the exit! Yuck! Most people are conditioned to adopt this behavior at an early age, as it’s seen to be good practice for health and hygiene.
It’s a socially accepted norm that we should wash our hands so many find it extraordinary when someone doesn’t. Many would go as far as to sympathize with the poor person who has to share a table or bed with ‘toilet escapee’ together with other ‘unsavory’ inhabitants.
Recently we have all been subjected to the stark reality of the need to wash our hands and the potential implications in terms of catching infectious diseases if we don’t. What would happen if we didn’t adopt habits that kept us safe, secure and healthy? The result could be disastrous to the human race, not just the poor sod who shares a bed with ‘toilet escapee’.
It works in a similar way with cyber: if we don’t adopt cyber secure habits that are conducive to a safe environment, and if we don’t become ‘cyber hygienic’, we are taking a risk which could potentially have life-threatening consequences, much as ‘toilet escapee’ might have inadvertently spread a nasty bug to a friend or family member. It’s a bit like the ‘herd immunity’ effect – if more people are cyber hygienic than not, then a positive cybersecurity culture emerges like a gracious unicorn from a smothering swamp.
So, it’s the employee’s fault and they just need to ‘get it’ and become cyber hygienic? Not quite. As intelligent human beings, we are complex, and so are our motivations and our desires. The decision to change a behavior, as we know from fad diets and exercise routines that often don’t last, is a big commitment, and one that has to be nurtured and supported, on an ongoing basis.
It starts with the beginning – before the training, before they have even logged into their new work email account for the first time.
It starts with a first impression and it ends with a memory, both of which are emotionally driven and fundamental to any behavior change. Cybersecurity is no different, except that the consequences aren’t just a few extra pounds on the scales but, at best, significant financial loss to the business (and to the employee, if they lose their job) and, at worst, possibly the loss of someone’s life.
So, wash your hands folks, change your passwords, turn your screens off, use that irritating encryption tool and feel proud that you’ve taken responsibility for staying safe; and I don’t just mean the people on the ground – all of you! Leaders need to push it up the agenda, assign the appropriate budget, get close to the problem and get their hands dirty.
Employees are not the weakest link. They are your strength. If you let them.
Read more at Infosecurity Magazine