What do your doctor, your favorite restaurant, the college your child attends, the grocery where you shop, and your favorite big-box store all have in common with you? All are prime targets for cyberattacks.
It’s a concern that is constantly in the news, and may have already touched you personally. I know I’ve been directly affected. As careful as I am with my own personal information, my credit card was compromised. The aftereffects are costly and repercussions are ongoing. Conversations with family and friends reverted to the same point of view: it’s all about technology. Was my computer up to date with the latest and greatest browser/spyware/antivirus/anti-malware/anti-zombie hacker-personal biometric device? Whaaat? OK, so maybe not zombies…but personal biometric devices are for real!
The point is, we personally rely on the technology we buy and on those with whom we do business. Professionally, we rely on them—the IT folks (you know, that team with their own special tech-lingo) who do that technology thing to protect us. It’s an IT thing.
Now, understand that IT Organizations do a great job. There are methodologies and protocols to deliver sound, safe infrastructures that are well documented and change-ready as needs require. Most even have a change management (really, change control) governance model in place to provide frameworks for continuous improvement. But is that enough?
A New York Times article reports how, when unable to hack through the network at a large oil company, persistent attackers infected the online menu of a Chinese restaurant. Their menu was frequently accessed by the company’s employees, who in turn downloaded malicious code while innocently ordering their Kung Pao Chicken. Could employees have been trained to watch for redirected webpages? Maybe. Maybe IT should implement a stronger third-party access firewall. Would employees understand how critical it is to create strong passwords, change them in a timely manner and never share them? Tell me honestly, can you guess (or at least get close to) a co-worker’s password? Can they guess yours? The article goes on to say that “a survey of more than 3,500 global I.T. and cybersecurity practitioners conducted by a security research firm, the Ponemon Institute, last year found that roughly a quarter — 23 percent — of breaches were attributable to third-party negligence.”
So how, if our IT Departments are on the task of protecting us, are we still experiencing mass cyber security breaches? What’s missing here is the individual engagement, igniting the workforce with personal commitment: a robust change management program. That sounds so heavy, but it is not meant to be. It has to be ‘just the right amount of thorough’. What it comes down to is a change in behavior. Not just a task-oriented “it’s been 30 days, you must change your password” message (although those reminders are helpful), but a deep down shift in automatic responses to everyday business scenarios.
Consider this example: You run a state-of-the-art accounting firm, with secure servers that require strong password authentication for access. Client records and tax returns are safely stored, in compliance with all governing regulations. The Office Manager (let’s call her Jane) complies with password safety: never sharing it and changing it often. A client (Susan) arrives, requesting a copy of her latest tax return for a meeting with her banker later today, and fishes a USB flash drive from her pocket. Jane’s response (customer service, problem-solving, desire to help, or maybe path of least resistance) is to quickly transfer the PDF record from her computer to Susan’s flash drive. No problem, right? Absolutely wrong. The client may have innocently and unintentionally carried a virus on that flash drive that has now infected a computer that’s connected to your servers.
In the example above, the well-meaning Office Manager acted in alignment with the organization’s desired behaviors for superior customer service. She exhibited an expedient, problem-solving approach to the client’s request, and the result: happy client! However, this conscientious employee, having done what she thought was the right thing, inadvertently made a serious error in judgment. Why?
My guess would be that customer service behaviors were clearly communicated, modeled and reinforced. Jane was thoroughly trained in how to provide exceptional customer service and was held accountable for her actions and rewarded accordingly. Cyber security was not treated with the same level of sustainable engagement.
While she may have been aware of the need for computer safety, and had certainly shown a desire to be compliant, she was unable to translate that awareness into action when faced with a real-life scenario; her ultimate behavior was unchanged. What was the barrier (resistance) to a change in her behavior? Resistance is not necessarily a conscious insubordination. Good employees—in fact, all of us, at some point—resist change for various reasons. What was the root cause of Jane’s resistance? Perhaps motivation: was she completely overworked, and was this the quickest way of accomplishing the task? Perhaps knowledge: has there been adequate training to understand the situation and how to resolve it? Perhaps reinforcement: she knew better, but faced with making an on-the-spot decision, was unable to translate knowledge into action. The change in behavior regarding computer safety wasn’t sustainable.
Moving skills from knowledge (awareness) to purposeful habits (sustainable performance) is not an accidental process. Applying good change management principles to teach, support and reinforce the desired behavior is paramount to individual, sustainable change. How big or how small that effort is will depend on the size of your organization and the scope involved, but the basics still need to be addressed.
Of course, this is a fictitious scenario using a very basic example, but the message is clear. Cyber security is on the shoulders of the entire organization, not just the IT department. As long as we see it as ‘their problem’, we will continue to be at great risk for security breaches.
About the Author:
Lynda Cialone is VP of Consulting Services at Ally Solutions Group, a consulting firm committed to helping clients change the way they work, lead and perform. With a 20+ year career in change management and strategic business planning, she infuses a blend of internal branding, marketing and communication expertise into her views on leadership and personal development.