Business leaders need to ensure that every employee throughout the organization fully understands the need for and reasons behind the company’s cybersecurity efforts. Security awareness training and effective change management are essential in this capacity.
Cybersecurity is now, by necessity, a priority for every organization. The value of sensitive data has increased so dramatically that there is really no way that a business or other entity can safely assume that it will not be the target of a cyberattack. Additionally, the sheer amount of information that organizations now collect and the ways it is utilized create an incredible number of opportunities for insiders to cause data breaches themselves.
Naturally enough, business leaders are aware of this state of affairs and eager to take steps to reduce risk for their organizations. This can be easier said than done. One of the biggest challenges, as Harvard Business Review contributor Carl Young recently highlighted, is the fact that cybersecurity strategies are often at odds with policies that maximize convenience. To successfully enact such tactics, business leaders need to ensure that every employee throughout the organization fully understands the need for and reasons behind the company’s cybersecurity efforts. Security awareness training and effective change management are essential in this capacity.
Danger abounds
Young, who previously served as a senior executive with the FBI and global head of security technology for Goldman Sachs, emphasized that whenever a company adds a layer of cybersecurity, it creates extra steps that will add inconvenience to employees’ days. This can be a problem at every level of the organization, as everyone from leading executives to lower-level personnel may not be willing to make this trade-off – convenience trumps cybersecurity. This is particularly true when it comes to mission-driven organizations, the writer added.
Furthermore, Young emphasized that cybersecurity policies can sometimes put a damper on collaborative efforts throughout organizations. Businesses and other entities that encourage wide-ranging information sharing, for example, need to balance that attitude with the risk of data loss or exposure.
Expected resistance
The problem that IT leaders, and business leaders in general, face is that many employees do not fully comprehend the degree or severity of the cyberthreats their organizations face. These are abstract dangers, while policies that increase inconvenience or thwart collaboration on a day-to-day basis are a clear, unavoidable reality. Naturally enough, then, workers may initially resist the development and enforcement of new cybersecurity policies.
Compounding the problem is that upper-level managers are not always on board with much-needed cybersecurity efforts. Young referred to a prestigious law firm whose senior partners rejected the use of passwords altogether, seeing them as too inconvenient. If such an attitude takes root and spreads throughout an organization, it will be almost impossible to truly keep the organization and its assets safe. An attacker who gains access to one worker’s computer will likely be able to infect the entire network, causing massive damage as a result. The recently revealed theft of approximately $1 billion from banks around the world, achieved via simple phishing and malware attacks, is evidence enough of the potential consequences of lax cybersecurity measures.
That’s what makes security awareness training and change management so critical. Training can not only teach employees how to behave more safely and securely, but can also explain the rationale behind the company’s cybersecurity policies. Without this level of understanding, there will always be the risk that workers will disregard company policy and engage in less secure, more convenient behavior. Training will put these policies into context, greatly increasing workers’ adherence.
Similarly, change management is needed to ensure that upper-level leadership is on board with any and all cybersecurity policies implemented throughout the company. Without high-level support, workers at every level will feel free to disregard cybersecurity strategies as needed. To maximize security, businesses need to ensure that their commitment to best practices is total and unwavering.