The recent announcement by Marriott that the Starwood reservation system appears to have been compromised for about 4 years serves as a useful reminder that, as unexciting as it may seem, you need to get your people to take cybersecurity and data protection seriously.
Whether it’s doing online security training, installing updates, or following the rules about attaching personal phones and flash drives to company computers, cybersecurity is often a low priority for everyone but the IT team. So how do you get people to do what needs to be done to protect your systems?
Well, how do you get people to do anything?
You can try telling them, setting requirements and directing them to follow them. Chances are, though, you’re already doing that; how is that working out for you? To make this work, you probably need some sort of punishment associated with lack of compliance. This method isn’t going to get people to be compliant because they want to or even feel they need to, but instead, they’ll be compliant just to avoid having their network privileges revoked or whatever punitive action you take. Still, maybe that’s enough; what you want is for people to follow the rules, and you probably don’t much care if they enjoy it.
Another method is to persuade them by showing what happens to companies when systems get compromised. A 2017 cyberattack that seemed to get out of control ended up costing Maersk shipping around $300 million, while other companies saw losses approaching a billion dollars. Maersk had identified security vulnerabilities but the proposed upgrade was not included in the IT department’s KPIs and subsequently never happened, proving to be a very costly mistake. When people see the potential impact on them personally — for example, the chance their employer could go out of business and they could lose their job — they may be persuaded to take this more seriously.
You might consider trying to inspire them to comply. Maybe you won’t have cheerleaders running around to get everyone excited about cybersecurity (or maybe you will), but consider how small prizes or some kind of gamified process could get people more motivated to follow through on what you need them to do. When your employees see some kind of direct benefit to themselves, they attach more importance to the effort. You may feel like you shouldn’t have to offer incentives for people to do what you need them to do, but if you want people to see something as a priority, then you need to make it a priority too, and your actions will always speak louder than words.
Finally, consider how you could collaborate with your team to find a way to get everyone on board with your requirements. Instead of just telling people “this is what you have to do,” consider saying, “here’s the requirement, how do you think we can best meet it?” When people have input into a process, they tend to feel a sense of ownership of that process, and finishing it satisfactorily becomes more important to them. When you get people to collaborate in terms of how they do their regular job, you can see the difference between getting someone’s best effort and getting the bare minimum. When it comes to your cybersecurity and data protection, it may be the difference between having them do it or having them not do it.
Different leadership and communication styles are useful in different situations. The ideas above can be applied to any aspect of work, not just the cyber and data protection stuff. But for the moment, with all the news about breaches and their impact, you may want to focus a bit on keeping your networks secure.
By the way, if you have stayed at a Starwood property in the last 4 years, you may want to check out their website for responding to the hack.