Thoughts: Don't Forget About Change Management

Cyber security awareness isn't just about making people aware of scams - it's also about changing their behaviour, because without this outcome, awareness is worthless! And of course if we want people to change, we need to incorporate change management to ensure the greatest chance of success. There are two distinct groups at play here that require different strategies:

Management / Executive

It is critical to ensure that this group understands the importance of success, because they're responsible for the risk, and any subsequent failures. Management should attend awareness training, and engage to show others that they care. They absolutely MUST lead from the front here, and be nurturing and supportive towards all staff, for all queries and concerns.

Employees must feel completely comfortable to ask questions, no matter how seemingly "stupid" they are, and also comfortable to report being tricked. Consider the flip side - an employee is tricked, you have a cyber criminal on your network, spreading to other devices, and you're staring down the barrel of a major data breach, and all the subsequent costs and reputation damage.

Employees

The main challenge with employees is how well they will engage with cyber awareness initiatives, and how much they will learn and remember for future use. Far too many companies book people in to awareness training without even thinking about why they'd want to do it, and then the training totally misses the mark for hitting that 'buy-in' sweet spot. What's the sweet spot? Personal impact of course!

If you tell people they're going to do awareness training because cyber criminals might trick them and hack the company, there's probably not a lot of care factor. IT Support / Cyber Security looks after that! But if you tell them that what you teach them will give them amazing insights into how to keep their own money and private information safer, suddenly it's a different ballgame.

So tell people what's coming up, but focus on what's in it for them, and their family. Of course everything they learn is relevant to keep the company safer too, so it's a win-win. Get people excited, give them great training, and reap the risk reduction rewards!