Change is hard. No matter how old you get, change will always be difficult to accept. It doesn't matter where that change occurs. Change can affect your private life and/or it can affect your professional life too. No matter how minor or major the change, people are impacted by the change.
However, change can be a good thing. Sometimes change is a necessary thing. Take the adoption of a cybersecurity standard in the workplace. That change is made to protect the business and employees from the cybersecurity threats that become more and more prominent.
I think we'd all agree that's a necessary change, right? It's proactive. There's a distinct benefit provided by making the change. Even with all that said, the biggest drawback to acknowledging the need for and implementing a cybersecurity posture is the acceptance of any change that might be needed to keep that posture healthy and strong.
It's a psychological issue. People just don't like change. It's no wonder people resist complying or drag their feet when a cybersecurity posture needs to be implemented. There are things you can do to help with that. Here are a few of them:
- Cybersecurity is EVERYBODY's Job - It's true. And the sooner everyone in the organization understands that, the better. One way to accomplish this is by incorporating cybersecurity into the corporation's ultimate vision. From the top down, let it be known it's everyone's job to keep the company safe and security is non-negotiable. You can do this not only by implementing a robust cybersecurity awareness training program, but also through daily cybersecurity emails, posters, and various other forms of media. Bringing cybersecurity to people's attention regularly and showing them how they play a part in keeping everyone safe is a good way of protecting the whole company.
- Keep Your Security Awareness Program Creative - It's important to remember that people get bored. It's not rocket science to know that eventually, the poster in the lunchroom of the cat clutching a branch for dear life that reads "hang in there" isn't getting the attention it once did. The same goes for any type of content you start to solicit for your awareness training program. Cycle through your posters, emails, and training courses. Don't keep the same old stale material in circulation. Eventually, people are going to stop paying attention to you just like they have that poor, poor kitty.
- Don't Overwhelm People - Just as it's important to keep people entertained, it's important not to overwhelm them too. Take your awareness training program slow. The individuals working through the program aren't security experts. Heck, many of them probably aren't even security-aware (in regard to the workplace). Find a way to distribute content in an even manner and in ways that are easily understood.
- Share Your Vision with the Team - The office is a team. Every team, group, or merry band of adventurers likes to know what direction they're going in, why they're going in that direction, and how they're going to accomplish goals and overcome obstacles they might find along the way. I'm not saying you need to run down the entire playbook with them or write your version of Lord of the Rings, but you do need to find ways to share information and the reasoning behind certain actions or endeavors.
- Take Care of Things Behind the Scenes Before Trouble Starts - Have you ever read the Allegory of the Cave? It's worth scanning over if you haven't. What I'm getting at is people don't miss something if they don't know it even exists. Think web filtering, phishing detection services, whitelisting applications, and blacklisting everything else. These sorts of things are important because they make people safer without them even knowing there's an issue at hand. Now, don't get me wrong, none of these things are foolproof and it's only a matter of time before something bad happens that you just can't avoid. That's when the security awareness training comes in. However, if you make your system as water-tight as a frog's butthole...the occasional gas that passes through is more easily mitigated. Employees are ultimately there to work, not browse the internet or install suspicious apps. If they can't do that from the word go, you're probably safer than you would be otherwise.