Cybersecurity is important – everyone knows it. At this point it’s like saying the sky is blue, or that it’s impossible to eat a Hot Pocket without burning your mouth – it doesn’t even need to be said. Yet despite the fact that nobody debates the significance of cyber security in the business world, employees always seem to push back. Why is it so challenging to get employees to buy in to these policies? And what can be done to improve adoption and acceptance within your own organization?
When it comes to new cybersecurity policies, employees are always the most hesitant. Whether overtly or through gritted teeth, they often resist. Here are the common reasons why:
When you understand why employees are resistant to adopting a new cybersecurity policy, you at least have some context that enables you to make smarter, proactive decisions. From here, it’s all about implementation, oversight, and accountability.
Gaining employee support is a nuanced challenge that requires personal relationships, finesse, discipline, and a willingness to be grounded, yet flexible. Here are some suggestions for improving employee support of your new cyber security strategy:
According to a study of 500 office workers, two in five employees click on links or attachments that they don’t recognize. A separate study reveals that 25 percent of employees leave their computers and devices unlocked when they leave their desks. In other words, there’s a serious lack of understanding of security best practices. Simply throwing a new policy at employees won’t fix this fundamental gap in their understanding.
“Make it clear to employees how their actions can directly affect the overall company’s cybersecurity,” security expert Kayla Matthews writes. “When employees understand that their individual cybersecurity compliance can better the company as a whole, they may be more inclined to avoid risky digital behavior.”
When an employee feels like something is being forced on them, their natural tendency is to push back. Some employees may even be combative and willing to rally other coworkers to resist. As an employer, this is a tough position to be in.
In these situations, your best bet is to involve employees in creating solutions and to give them some autonomy in the process.
“A highly effective change management strategy is to focus employees on the main challenge and to then involve them in identifying solutions and creating their own action plans,” professor Karl Moore explains. “This gives them a feeling of control over their work and a sense of ownership.”
Ultimately, the cybersecurity strategy is yours. But by giving some of the control over to your employees, you make it feel like a group effort.
Employees who don’t understand how to abide by the new cybersecurity policies will quickly become fatigued. And when employees are tired, they’re less likely to put forth the effort to follow through.
Make sure you’re investing in proper training. For new employees, this training should occur as part of the onboarding process. (This makes the policy part of their new “normal.”) For existing employees, on-the-job training is usually better than classroom instruction. It feels less academic and more practical.
Sometimes employees need a little kick in the rear. You can motivate them by rewarding compliance and swiftly reprimanding violations.
Gamifying cybersecurity compliance can remove some of the weight of the topic and make it a little more engaging and approachable. Consider dividing your employees up into teams or pairs and giving out points based on how well each individual.
For employees who refuse to buy in, you can’t be afraid to follow through with consequences. If you don’t, you’ll find that certain aspects of the policy are treated with disregard. Initially, it’ll be small elements. Over time, employees will become more careless and bold with what they choose to obey.
As a general rule of thumb in every area of business, never expect employees to do anything that you aren’t willing to do yourself. In fact, you probably shouldn’t expect them to do anything that you aren’t already doing (or have already done in the past).
When it comes to cybersecurity, lead by example. Follow the rules exactly as they are and expect the same out of your employees. Communication and transparency are vitally important.
At the end of the day, you aren’t developing a cyber security strategy to make your employees happy. You’re doing it to protect the organization’s best interests. While employee buy-in is paramount, don’t compromise based on their resistance. Employees need to adapt to the policy, not vice versa. With a purposeful approach, you can make this a much smoother process.