Last month, on a cold and windy afternoon somewhere in the American Midwest, a woman who had been walking past a strip mall noticed several pieces of paper flying around an alleyway dumpster. Taking a closer look, the woman was shocked to find that the documents were actually people’s tax returns, complete with addresses and Social Security numbers. Some were strewn all over the ground; many were inside the dumpster.
That woman reported her find to a local TV station, which then sent over a reporter to investigate. It didn’t take much sleuthing for the reporter to find a possible source of the improperly discarded confidential documents: a tax preparation services company located inside the strip mall.
Security breaches such as this may seem absurd to some—the woman who found the tax returns said she thought people knew how to handle such documents with extra care—but the fact is, they happen more often than we’d like to think and, as with this case, are sometimes the result of poor decisions.
At a time when the physical and cyber worlds are so closely connected, a lapse by a single individual can compromise sensitive data and have far-reaching consequences for an organization. Making sure employees understand and adhere to security policies is, therefore, just as important as establishing those policies.
In the article “Toeing the line: Improving security behavior in the information age,” Deloitte analysts and executives specializing in security talk about three variables that organizations should be looking at in order to influence employees to be more security conscious.
One of the most obvious ways to make sure you have a secure organization is to hire the right people. That means examining the personality traits of candidates and choosing those who are most likely to follow policies. Background checks that look into past patterns of behavior will give you an idea of a candidate’s reliability and judgment, and whether or not hiring that candidate will put your company at risk.
Unfortunately, intrinsic personality traits are still subject to the demands of context. A model employee who has always been diligent in observing security policies may break that pattern if he is threatened or blackmailed into, say, giving up confidential corporate information. Sometimes, even just peer pressure or fatigue can have an impact on whether individuals follow policy.
This brings us to the second factor organizations should be looking at.
If external factors are influencing employees toward noncompliance, one solution is to apply additional external factors to rebalance those scales. Incentives that encourage appropriate behavior and penalties that punish risky behavior serve this purpose. But it is important to note that rewards and punishments are not enough. In fact, studies have shown that penalties—particularly excessive ones—may even be counterproductive.
An employee who may have inadvertently put his company’s security at risk by falling prey to a phishing scam, for example, may hide the breach instead of reporting it out of fear of being suspended or even losing his job. This could expose the company to even more security breaches, as other employees are not made aware of the scam.
For an incentive/penalty scheme to be successful, it has to be in sync with the prevailing organizational culture.
In the Deloitte article, organizational culture is defined as “a complex mix of physical artifacts with individual and shared beliefs, each influencing the other.” Breaking this down, the four major elements of culture are: (1) Tacit assumptions, or how you feel; (2) Espoused values, or how the organization is portrayed; (3) Enacted values, or what leaders do; and (4) Artifacts, or what people see.
Let’s say that in your organization, employees are required to wear IDs, and there are signs in office common areas reminding everyone to always wear these badges. The IDs and the signs, as objects, would be part of your ‘cultural artifacts,’ used to establish the ‘espoused value’ of safety and security. Say, further, that your company has a solid reputation for being a highly secure workplace and this is something employees are proud of (‘tacit assumption’). This sense of pride will most likely motivate employees to comply with security policies.
Using this framework, you can see how the different elements affect each other, and that changing just one element is not likely to lead to a cultural shift. In order to successfully change organizational culture, you must take advantage of the interactions between the elements.
Here’s a simple framework from the Deloitte publication that leaders can use to improve the security culture of their organization.
(Figure: Linking culture to strategies to actions)
As more and more people and data become increasingly connected and open due to technology, security will become more difficult to maintain, but also more critical. It is important to make sure that even as you enhance policies or reinforce infrastructure to strengthen security, you also focus on the people within the organization—are their security behaviors keeping your organization safe?
For those who are interested in reading the complete text of “Toeing the line: Improving security behavior in the information age,” the article is available here: http://dupress.com/articles/improving-security-behavior-in-information-age-behavioral-economics/
The author is the Enterprise Risk Services Leader of Navarro Amper & Co., the local member firm of Deloitte Southeast Asia Ltd.—a member firm of Deloitte Touche Tohmatsu Limited comprising Deloitte practices operating in Brunei, Cambodia, Guam, Indonesia, Lao PDR, Malaysia, Myanmar, Philippines, Singapore, Thailand and Vietnam.