The Human Element – again!
It took Industrialists several generations to work out that people are essential. Treating them badly will not provide the improvement and innovation that an organisation needs to develop and grow.
Putting aside the interest that Articificial Intelligence (AI) has stirred up - robots will take over most jobs very soon and solve all of our problems!!
We are still having to deal with numerous catastrophies, such as; political instability, warfare, climate change, sustainability and cyber insecurity. All necessitate leadership and management. Organisations have learnt some of the lessons for sustainability and cyber from previous changes that they have made. Geopolitics is beyond this brief.
Over the last few decades, organisations have shown incredible adaptability and agility in terms of managing change. The most obvious one has been computers; the power of 1980’s main frames with massive footprints, only had the computing power of your phone. We have all watched the evolution of Information Technology and embraced Digitalisation in all aspects of our lives. Please note that as the power of computers increased, we found new words to describe it.
This is a common feature in change programmes. Communications and dialogue are absolute necessities to explain the changes. Often time, the ‘Experts’ use technical speak to enhance their position and power. We have learnt to be conscious of this game playing.
More succesful programmes such as Quality, Health and Safety and currently, Sustainability have all demonstarted the need to engage and educate humans. Customer Service started well but has defaulted to pushing numbers on a phone. All of these changes are underpinned by measurement.
The success of Health & Safety programmes is heralded by measures such as, ‘Accident Free Days’ - something known on building and factory sites everywhere. We have underpinned the engagement, education and skills practice with legislation. For the last few years, we have been bombarded by cyber security data. It paints a series of depressing figures that culminate in an estimate of $10.6 Trillion for cyber crime in 2025, up by 600% since Covid. Damage inflicted by attacks is getting worse, phishing attacks alone are up fourfold. All types of cybercrime are getting more destructive and dangerous as we move toward a more digitized world.
The bad guys are improving their skills and organisational ability. Cyber crime is much easier than robbing banks and they are less likely to be caught. It requires stealth, ingenuity and confidentiality. In many ways, it is a ‘ghost in the machine’. Invisible - we don’t know it has happened until the criminals tell us, or post our data for sale on the dark web. The larger gangs feed the smaller players with opportunities to exploit individual citizens and businesses.
SMEs as usual, are the easiest to attack. Fewer resources and inadequate software, they are inclined to put cyber on the long finger. You find cyber security low on their list of priorities, despite the devestating consequences of an attack on their systems, data and their Customers. Telling them about new risk frameworks and EU regulations is met with a shrug of the shoulders accompanied by the indefatigible comment about ‘doing it when we have to’. These regulatory changes are not helped by the explanations given by ’Cyber Experts’. Suffice to say, that the cyber sector is still relatively immature and many of their Specialists lack the communications skills needed to demystify the risks, technolgy and pending regulations. Scare tactics are often used to cause a reaction, probably not the best approach when you’re trying to bring people with you.
Sometimes, however SME managers will remind you that they have been coping with change and improvements forever, that their success is built around their people. My favourite quote is that ‘the best cyber defence is the human wall that we build around our systems’.
Awareness and behavioural change is the foundation for the construction of the wall. The issue is where to start.
CEOs, General Managers and their Teams are the priority, without them resistance will build and the natural objectors will rally - anticipate rejection and plan communications for it. Its always prudent to have the IT people engaged upfront. These can be employees, or Managed Service Providers. It is worth remembering that IT people are not necessarily Cyber People, unless thay have gone back and retrained.
Tools like Cyber Risk Analysis (CRA) are great, as long as they are explained well and translated into established processes like Continuos Improvement. Reducing risk is a similar, data driven process with a list of vulnerbilities identified. They needed to be treated in the same corrective action process.
Cyber Security needs a plan that looks at; awareness, cyber skills development, the current and future software offering. It’s very similar to what we have done with Health & Safety - everybody aware and following the best practices with a few Risk Officers and IT people who are reviewing the next generation of cyber software that prevents, defends and reacts. All of this needs to be considered within the backdrop of cyber frameworks like NIS 2 and EU Regulations, that will arrive next year. We are currently in a voluntary phase for cyber, next year it becomes mandatory.
Everybody needs to pay more attention to cyber. Build the defences for both the invisible criminals and hopefully, the friendly police.