Posts

If you’re thinking about cyber security, you should also think about behaviour change

It’s no longer an option to view cyber attacks as something that happens to someone else, some other organisation, or just a technical issue.  It’s now standard practice for all large organisations to have measures in place to protect themselves and their assets, and these measures often include an element of culture and behaviour change .

I’ve recently been involved in a project where I helped a client change the way their workforce viewed cyber security and embed a set of new highly-secure behaviours.

The project has been very successful and I’ve even found my own behaviour changing as a result – I’ve signed up for a password manager and my laptop is now a veritable fort knox!

So what do we mean by cyber security?

In its simplest terms, cyber security is the protection of an individual’s or organisation’s cyber assets.

To protect cyber assets you need to worry about physical security as well as cyber security.  This is where you need to think about the culture and behaviours of the organisation – there’s no point having great firewalls in place, if you leave the door to your server room open!

What is a cyber threat?

There are a number of different types of cyber threat, including state-sponsored attacks, insider threats, cybercrime, cyberterrorism, physical threats (staff members leaving doors or computers unlocked) and ‘hacktivism’ (hacking a system for social or political gain). Each company will have a different profile in terms of which of these threats are the most probable and how serious the consequences of a breach could be.

How does an organisation protect itself against cyber attack?

If people don’t understand, endorse and actively support cyber security consistently throughout an organisation, it’s just a matter of time before the best of systems will be compromised.

As change professionals, the area we add value is in helping our clients identify and embed the behaviours that will support the other measures (such as technological protection) they have in place. This isn’t just a ‘nice to have’ – if people don’t understand, endorse and actively support cyber security consistently throughout an organisation, it’s just a matter of time before the best of systems will be compromised.

Affecting large-scale behavioural change

Let’s be clear about one thing: change is hard! I get uncomfortable changing my brand of toothpaste. So effecting meaningful, lasting change can’t just be a top-down approach.  For behaviours to adapt, and for change to be truly adopted, all affected staff need to take ownership and understand the importance of the change.

Here are some key methods and approaches we use at Afiniti to help our clients ensure long-term and sustainable behavioural change is achieved across the whole organisation.

1.       Build sustainable toolkits and communications

This can’t be a one-off short-burst campaign, it needs to be rolled out over a period of time for the desired behaviours to become embedded as second nature.

To help maintain a high level of interest throughout the project, try a mix of communication styles from hard-hitting and informative to softer, more subliminal messaging.

And lastly, by using a blend of channels and methods, plus appropriate language and tone, you can ensure your key messages reach all intended audience groups.

2.       Co-create and utilise real people to generate awareness and validate the programme

Take the time to understand people’s opinions and insights into their areas of work, and then involve them in the project planning and execution. This way you’ll not only gain a more rounded understanding of the business needs, but people will feel invested in the project from the beginning.

Once people feel on board and understand the importance of the changes, work with them to create content such as short videos and workshops.  This type of user-generated content can really help with marketing to external audience groups, so why not reap the benefit for your internal communications efforts too?  It’s often cheaper, more authentic and more trusted by internal audiences.

Check out our vBlog of top tips for creating user-generated content

3.       Use creative and eye-catching visual assets

As they say ‘an image can convey a thousand words’ and this is certainly true when you’re trying to present a set of important key messages. Trying to condense a long white paper into a punchy animation or presentation can be a difficult thing to do, but it also forces you to concentrate on the things that really matter and helps to bring ideas and concepts to life.

4.       Create a security champions network

By giving tools and training to a group of security champions, you can create a community which supports the wider workforce on a day-to-day basis.  The champions can share experiences, best practice and be a point of call for questions, ideas and concerns. It also really helps to see respected colleagues modelling the desired behaviours.

Read our article on Making change stick by getting the whole team on board

It’s important to bear in mind that changing behaviours and mindsets doesn’t happen overnight, these things take time to embed. The tools and approaches above will help you maintain momentum and create the emotional engagement you need to embed the desired ways-of-working on a permanent basis.

If you have any interesting insights, or experiences of behaviour change related to cyber security, we’d be interested in hearing from you, so leave us a comment.

Agility – moving beyond the buzzword

Why adopt an agile mindset?

A lot of our clients appreciate the benefits of adopting an agile mindset, as well as agile working practices.  And this makes a great deal of sense, after all, we’re living in an age of major business disruption and innovation.  Modern business must deal with a plethora of challenges, from regulation, compliance and new technologies, to the economy and exploitation of big data.  Most of these challenges can also represent opportunities, if you’re in the right shape to take advantage of them.

This led me to think about how organisations message around agility (agility in terms of organisational culture and mindset, not Agile Project Management – although these two concepts are most definitely not mutually exclusive), and how they ensure everyone is on the same page with regard to what it actually means to be agile.  Agility can often be seen as an abstract concept that is not grounded in the operational reality of an organisation; I often hear conversations around agility along the lines of, ‘but what does it really mean for us?’ Or ‘agility means speed over quality’.

 What does agile really mean for an organisation and its people?

Agility does not mean unplanned or risky, quite the opposite in fact. The goal is to be nimble and flexible – ready to pounce on opportunities, or to change course to avoid inevitable problems. To be agile, an organisation and the people within it must have a clear goal in mind with waypoints to check if the plan is on target.

Here are five principles to help you convey what agility really means in the context of your organisation:

  • Stability – to be agile and adaptive the organisation and its processes must be stable. That is stability in the sense of the organisation’s propensity for flexibility, reliability and resilience.  This is where stability and predictability should be seen as enablers for agility – many large organisations have these attributes – use them to your advantage.
  • Flexibility – this is the ability to course-correct mid project/initiative or in more extreme cases to change direction entirely.  This requires people within the organisation to accept that, ‘what was right then may not be right now’.  This is where the real mindset and behaviour change comes in, so take time get the right message across.
  • Speed – a primary benefit of agility is the speed with which things happen, while maintaining the quality of output.  This could be getting a new drug to patients, taking advantage of an emerging technology or an untapped market opportunity.  This is an output of an agile organisation, not a personal trait to ‘do things fast’.  It comes from a stable base and flexibility of mindset.
  • Culture – think about the culture of your organisation.  How do the behaviours and accepted norms fit to the principles of agility?  Tune in to those cultural aspects that align with agility and think carefully about how to message around those that may be in conflict.  This is not insurmountable and can be achieved by following a process to find the answer which is right for your organisation.
  • Get creative – we know that the best messages are ‘sticky’ in that that they are easily communicated, get re-used and tell a story.   A great way of achieving this is to represent your agile story visually.  With clear and concise thinking, which is represented with a visual identity, you will get a better spread of awareness and desire to engage with these new agile principles.  Check out our blog post on The Impact of Storytelling on Change Programmes.

 

In summary, the only way an organisation can adopt an agile mindset is when all of its people truly understand the principles of agile, the advantages to the business and the benefits to them as individuals.

 

If you have any further ideas on what agile means to you or your business, or experiences of how you or your organisation adopted an agile mindset, then get in touch via the comments below.

Portfolio Items