Employees are widely recognized as one of the weakest links in defending against cyber threats, today’s hottest risk category. A Ponemon Institute report estimates 25% of cyber breaches are caused by human error attributed to negligent employees or contractors.
I’ve experienced the anxiety of almost joining that 25% and acting on what initially looked like a harmless email before smelling a rat. It is a lonely, sweat-inducing moment—the panic of coming this close to possibly incinerating my company’s entire database.
Alone at our computer, we dither. Do we forward the suspicious email to IT and risk spreading a virus? Do we delete it and not tell anyone? Do we send a separate email to alert our colleagues? Whom should we alert—IT, HR, legal, the CEO, the whole world? Who owns responsibility for this risk anyway?
This ongoing weakness and confusion is mind-boggling considering all the technological defenses, training programs, cyber drills, crisis handbooks, and HR and legal policy manuals designed to reduce company exposure. What’s missing in many organizations is a culture of cyber security at the foundation of all those programs—a shared understanding and set of values around what, how and when to communicate about cyber risk in a dynamic environment.
How does an organization foster such a culture? It requires a different approach from internal communication—one that focuses not just on communicating to employees but on learning from them. Employees can teach management how to engage them in a continuous dialogue geared to actively helping management combat this common threat.
To achieve this, the organization needs to articulate the importance of cyber security, the immediacy of the issue and how employees’ daily activities play a role in keeping information safe. A culture-focused employee-communications program is based on the premise that employers and employees have a mutual interest in protecting their company’s defenses against outside attacks and sharing observations and recommendations about the issue. Such a program rewards candor and empowers employees to co-create solutions.
Companies gain minimal value from the old-school approach, such as the annual cyber-risk lectures delivered to employees, particularly compared to what management can learn from employees. Companies gain more by listening to what employees say about how they experience these risks, what they think they can or can’t do about them and what they think the company should do to harden its defenses—including enabling employees to fearlessly be the first line of protection.
Let’s look at the reason: employees say most cyber training programs can be dismissed as check-the-box chores. Once a year, employees are cajoled into completing online courses or table-top exercises designed to heighten awareness and vigilance. Often these programs are viewed as simplistic distractions unrelated to the employees’ real jobs. Crisis handbooks and policy manuals are necessary for crisis preparedness and setting behavioral expectations, but they may do little to change behaviors or highlight potential holes in an employee’s daily work stream.
The alternative is to solicit their views and suggestions to improve the system. When management trusts and empowers employees, the environment becomes safer.
Consider this actual scenario (the details have been altered to protect the client’s identity). The company had been hacked for ransom. The email demanding ransom got caught in the company’s spam filter. The hackers persisted, suspecting the company wasn’t intentionally ignoring the demand. Greater employee engagement up front might have surfaced the spam-filter weak link in detecting a ransomware attack.
We suggest an internal communication framework that has three distinct phases: discovery, deliberative engagement and an ongoing cyber-resilience program. The first phase—unburdened by preconceived notions—starts by asking questions. For example: What is the employees’ role when working with secure data? What do they know about cyber risk? And what do they think can or can’t be done about it?
The second phase—focused on engagement—leverages what is learned in the discovery phase. Organizations can identify where each employee lands on the spectrum, between believers already engaged in looking for ways to reduce the human-element risk and the cynics who believe nothing can be done and resist engagement. Once this is accomplished, the organization can recruit those engaged believers to encourage more resistant employees to change their thinking—before the cynics can negatively influence others.
Phase two sets the foundation for phase three, in which a sustainable cyber-resilience program takes hold. This is the stage where an organization begins to see the return on fostering employees’ active participation.
Hill+Knowlton has deployed this three-phase approach successfully to help organizations make lasting culture changes essential for their survival. In one example, an H+K client organization formed an ideas committee that put employees at the center of the organization’s culture-change mission. The goal was to reduce an employee-behavior-related vulnerability (non-cyber in this case) that posed a threat to the organization.
When management unilaterally imposes standards and goals without inviting collaboration, employee morale inevitably suffers. The key to making this work is empowering employees to be ambassadors of the cause, starting with identifying those who already support the change. In the example above, the organization institutionalized this approach. It is now the widely accepted centerpiece of a highly collaborative culture—including a dedicated intranet site—in which fresh thinking is actively solicited, shared and discussed widely and openly and the best ideas are adopted.
In a cyber-resilient culture, the organization facilitates a continuous companywide dialogue on a dedicated intranet site where people feel safe enough and are motivated to share their cyber-security observations and concerns. Management can foster this sense of safety by demonstrating its commitment to two-way dialogue.
Traditionally, internal communications programs push out information and directives. What works is truly listening. It’s iterative, organic and responsive. It creates a sense of a community collaborating for a common cause as opposed to a command-and-control approach.
How does this work? One of the most powerful ways to demonstrate true listening to employees and learning from them is to interview them on camera—unrehearsed, uncoached and uninhibited—talking about the issues and their ideas. Broadcasting these videos on the organization’s intranet sends an empowering message that management values employees as essential partners with a common interest in strengthening the organization’s cyber defenses. When an organization shares these videos internally, it soon finds a growing population of other employees volunteering to tell their own experiences and offer their own ideas.
No business can hope to eliminate the human element that gives rise to cyber risk. But a culture of cyber security—in which all employees know their role, understand the impact they can have on the company and are actively engaged in vigilance—can make a difference. Creating such a culture, however, requires management buy-in and employee empowerment.