Yes, I know your answer. It's easy to say security is more important than convenience. For those of us who work in the cybersecurity world, that is a no-brainer. In contrast, many of your co-workers, customers, friends and family are not cybersecurity professionals. They want security, but they want convenience, too.
Let's look at a scenario where you are the IT manager. In consultation with C-level executives and others, your department implements a two-factor authentication program. Memos have been sent to all employees describing what it is and how to use it.
When the big day comes, you start dealing with whining employees who do not like the extra step. You expected some of this, but everyone seems to be a special snowflake about the new security step: "Why can't you make me exempt?" "This takes too long." And more complaints follow.
Then the executive assistant of the CEO calls and says, "She hates this. Remove it." Even though the CEO originally liked the idea, she does not like the inconvenience. The chief information officer is a wimp and doesn't have your back.
You are now the bad guy for wanting to add an extra layer of security to the company's network. Everyone supported it until it came online. So, do you remove this security measure for the sake of convenience? It seems like you don't have a choice.
Fast-forward two weeks, and the company has been hacked and data stolen. Sure, you can point at the CEO and say she made you lower the security barrier, but that would not look good. You are in the hot seat. IT managers know if they come down on what is perceived as the side of error in the security vs. convenience balance, it could be a career-limiting move.
Cybersecurity is great when it doesn't interfere with what one is doing. It must be convenient. If it is not, one might try to find a workaround. It is this erroneous belief -- that a workaround can enable one to have both security and convenience -- which opens the gates for hackers and scammers to break into a network.
When offices first started using computer networks, things were much more straightforward. Passwords were usually just four characters. But things have evolved, and security has had to evolve, too. As security has grown, it's become more complicated -- and less convenient.
How can you get your employees to take cybersecurity seriously, even if it is inconvenient for them? Let me ask you: Which procedures at your company do all employees take seriously -- more seriously than anything else in their jobs? The answer is safety. Your company does not tolerate shortcuts or workarounds to safety protocols -- not at all. Someone who violates safety protocols can put the plant in danger. You probably have a "one-and-done" rule concerning safety violations in your company. These procedures are great to have. They ensure everyone at the plant takes safety very seriously.
You must make cybersecurity as critical as safety in your organization. Although many companies already do this, many more need to view cybersecurity in this fashion -- especially those operating industrial control systems.
This past spring, it suddenly seemed as if all the world was working from home. The pressure remote workers put on IT departments has been incredible. Yes, there are those using workarounds and compromising company data. These actions are probably in response to heavy-handed cybersecurity policies or a complete lack of telework policies. But other companies have worked with their IT department and teleworking employees to ensure there is a balance between security and convenience. This balance is a compromise. Everyone must give a little to achieve it. Employees need to be patient, and the IT department needs to know what employees want most.
Unfortunately, as technology progresses, there will be a need to revisit this balance and compromise. If you have a good strategy going in, it should not be a problem.
Prior to becoming the principal and owner of Loyal Dog Consulting LLC in Annapolis, Maryland, Dan Strachan was the director of Industrial Relations at AFPM, where he handled cybersecurity, labor, process control and base oil issues.
For more information, email Strachan at djs@loyaldogconsulting.net.