I recently checked into a hotel. During the process, a receptionist asked for my credit card so that my details could be stored in their booking system. However, since it was not part of his regular role, he wrote down the details on a post-it note so that a colleague could enter the data into the booking system the next day.
My first reaction was to stop the receptionist from taking down my card details in that manner, but the potential embarrassment of “making a scene” stopped me from acting.
On reflection, I felt justified in my initial reaction. I would be kicking myself if my bank account was emptied as a consequence, especially since I had the means to prevent it but chose not to. The reluctance to speak up about something that could be misconstrued as making a mountain out of a molehill is ultimately an enabler for bigger, riskier practices taking shape and manifesting. These potential “near misses” can result in data breaches, yet we do not do enough on a personal level to prevent them and remain vigilant. Take, for example, TSB’s guarantee to reimburse all victims of fraud. Are they incentivising the right behaviours if there is no threat of loss?
Given my background in Oil and Gas, I see a lot of similarities and potential approaches that can be applied to improve cybersecurity/data protection vigilance at an organisational level. A set of tools that weaves accountability and personal responsibility for being vigilant into the culture of the company.
The safety approach – Lost Time Incidents
A lost-time accident (LTI / LTA) is an on-the-job accident that results in an employee being absent from the workplace for a minimum of one full workday. An LTI is an important operational metric that is consistently measured and typically forms part of a company’s corporate scorecard. But why? Investors do not look at a company’s LTI before investing, so why do companies measure LTIs? Because the worst-case scenario for an LTI is a loss of life. Even one event that leads to a loss of life is too many, and as such, the industry spends a significant amount to train staff with the aim of improving LTIs and preventing the worst from happening. The same approach and messaging that is used for LTIs can be applied and adapted to improve vigilance around data and cyber protection.
It is everyone’s responsibility to remain vigilant
In construction-related industries, safety communication and engagement are applied in equal measure whether in the office or construction site. After all, a home-based admin person may suddenly be placed onto a construction site and inadvertently cause an accident. Thus, training should be provided to everyone in the company, as roles can change swiftly, and protection against cyber-attacks/data breaches is only as strong as your weakest link.
Near misses are just as important
LTIs are the tip of the iceberg in understanding safety performance. Companies also report “near misses” and “unsafe acts”, which at any point could have resulted in an LTI or a fatality if certain conditions had coincided. A typical illustration of how LTIs are displayed (often referred to as a “Heinrich Triangle”) is shown below and can be applied to data breaches.
To get staff to record and capture near misses, companies adopt a range of techniques from conducting “safety moments” at the start of all meetings to recording and reporting through near miss forms. Staff should be taught to spot near misses and understand the importance of capturing the information. Addressing and preventing near misses reduces the chance that something at the top of the triangle will occur.
Incentivise improvements to recorded metrics
Safety metrics are typically woven into performance bonus packages so that employees are incentivised to talk more openly about the subject and make the concept of being safety conscious part of their daily life.
By building a mechanism to incentivise employees for improving the important metrics, a company can spread a message more successfully. An incentivisation programme can be designed to tie in with behaviours for which employees have personal responsibility, not the result. Rewarding accident-free results without recognising the underlying behaviour that led to the employee’s safety record means you’re just as likely to reward an employee for being lucky as you are for being safe.
Purple will be rolling out a series of events in September and October aimed at supporting technology leaders with cyber, data protection and risk agendas. The events will provide you with the tools to sell your agenda to the board and improve engagement and adoption within your workforce.