Cybersecurity & Safety.
-
The 2024 Microsoft Outage and the Lessons Learned
The 2024 Microsoft outage is an unscheduled reminder to use (and keep sharp) best practices in technology change. Here are some practices to help prevent widespread tech issues.
The repercussions of the CrowdStrike update have us shaken. The 2024 Microsoft outage is a timely reminder that rushed or mismanaged system changes can lead to chaos. How can you avoid the pitfalls of poorly planned technology changes?
Invite folks to the table.
First, consider the scope and implications of your change. Then ensure the right people are involved in planning, testing, and adoption. Identify and engage every group who might be affected by the change; solicit their input, identify impacts, and make sure you’re aligned.
- System Interdependencies: What other systems are involved with the system that is changing? Consider both upstream and downstream applications.
- Stakeholder Impact: How will this change affect the lives of employees, partners, and customers? How will they react? Ask questions, investigate thoroughly, and avoid making assumptions.
Test early, often, and thoroughly.
Experimenting and evaluating are crucial components of any change implementation. Test early, when it’s less painful to fix things. Test often, so you catch errors at each stage. Test thoroughly, so there are no surprises. Here are some essential testing strategies:
- Functionality Tests: Ensure the program/system is functioning as designed within the Sandbox environment.
- Platform Tests: Verify that the published program/system operates correctly in various live environments.
- Blind Individual Tests: Have individuals outside of the project team test the program/system to ensure usability and functionality from an unbiased perspective. Studies show that the closer you are to something, the less objective you are. Your brain automatically sees it the “right” way rather than the way it actually is.
- Stress Tests: Conduct stress tests to catch any defects early and minimize their impact on the organization and other stakeholders.
These protocols help identify and rectify defects early, ensuring a smooth and reliable implementation with minimal disruption to your operations.
Timing is everything.
There is a long-running adage in the programming world – “Don’t deploy on Friday.” Some view it as a joke, others a jinx, but many consider it a must.
Risk management exists for a reason; no system is perfect and no team is perfect, so it’s prudent to plan accordingly. Friday deployments not only leave less time to fix an issue before the weekend, but key stakeholders are often less available. This has implications for your team, and also for your stakeholders, who might not see any communications or troubleshooting materials you share on a Saturday. Finding the right time to launch your change mitigates risk and improves adoption.
By incorporating these practices, organizations can better manage changes and prevent the type of widespread issues that resulted from the recent CrowdStrike update.
-
More Virtual Meetings? Meet Smarter
Virtual meetings are often inefficient and just plain awkward. Here are some tips to cure your virtual meeting woes.
Sorry, I was on mute. Can you hear me? Great, let’s get started.
Virtual meetings are nothing new, but in the middle of the COVID-19 pandemic, they are the only way many of us can meet. Which means all the annoying, inefficient, and counterproductive aspects of working together, while apart, are magnified.
When people are in a room together, there are subtle visual and auditory cues that manage the flow of conversation. Online, we lose so much of that information. We talk over each other. We start and stop talking abruptly. Some people just choose to clam up. Because we aren’t in the same room, we can’t point at things, huddle around the same flipchart to add our ideas, or pass out information and tools to use during the session. Our virtual meetings are often inefficient and just plain awkward.
Here are some tips to cure our virtual meeting woes.
HOSTS
Be the boss. One person should act as host of the meeting. Tell folks how it’s going to be and maintain those new norms. Virtual meetings are harder to get right, so they need more structure and a firmer hand. Before the meeting, make sure everyone has the information and technology to participate. After you share your screen and confirm that they see it, show everyone the participant list and take attendance. Show them the agenda and walk through it. Tell everyone that you will build in engagement – how you will be using the chat and other shared spaces to capture all of their input, facilitate good work, and make sure everyone has the summary and clear action items after the meeting.
Chat them up. Everyone should keep the chat window open and use it. Encourage participants to chat their comments or “raise their hands” on chat. Read those comments and stop from time to time to ask participants to speak. Notice who’s not speaking OR chatting; call on the quiet kid in the back of the room to give that person the floor for a minute. At the end of the call, invite participants to leave any final comments in the chat, then make sure you capture those in your meeting notes.
And promote a little chat anarchy. During our internal virtual meetings at Emerson, we do a lot of socializing on the chat – greeting each other, joking around, and posting shout-outs and celebrations. Even if it’s not strictly on-topic, that’s OK! You should allow the kind of connection that normally happens as people gather in person.
Use your words. Even if you’re on video, your facial expressions and gestures won’t land the same way as when you’re in person. So add a layer of words. Make sure everyone knows where you are in the agenda, all the time. Ask them whether they can see what you think they’re seeing. You can’t point at something with your hand, so use your cursor and tell everyone where you are looking and which item you’re talking about. Pause at critical points to confirm that everyone is with you. Also, capture agreements, issues, comments, and next steps on screen and online.
Think outside the screen. Consider structuring your work differently. For example, if you would normally ask small groups to put their heads together during an in-person session, chunk up your virtual meeting: a set-up, a break for small group work on the phone or email, and then a sharing session so groups can report out virtually. What might have been a continuous session in-person could be conducted in smaller sessions over a two-day period.
End on a high note. Use humor. Congratulate someone or celebrate a win. Switch to a grid or gallery view, so everyone can see all the faces on video. Ask participants to answer a fun question in the last few minutes. Do this often enough, and it becomes part of your culture.
PARTICIPANTS
Get ready to work. Arrive ahead of time and test your audio/video. Make sure you’re in a quiet place – no construction, family activity, or barking dogs. And just in case, MUTE when you’re not speaking. True Story: one of my virtual meetings was interrupted by a rooster crowing outside my colleague’s window! To be fair, it wasn’t his rooster. But do try to make sure your next call is rooster-free.
Don’t just join the meeting; be present. This is really hard, but don’t multi-task. Would you be texting or answering emails if you were in a small in-person group meeting? Probably not. Follow your host’s direction, so you don’t lose track of the conversation. And engage! Have mercy on your poor facilitator. Nothing’s worse than that dead silence when they ask for a response.
Be part of the solution. Are you frustrated with the meeting process, or do you see an improvement? Don’t resign yourself to it; let your facilitator know, one on one. Your input can help virtual work evolve to serve your organization better.
Virtual meetings are here to stay, especially after the COVID-19 crisis. But virtual work can evolve and change. Let’s resolve to be better at virtual tomorrow than we were yesterday.
-
Behaving Badly
Five ways to transform employees from cybersecurity liabilities to cybersafety assets
If you think technology is the answer to your organization’s cybersecurity threats, consider the following:
- Sending phishing emails to just 10 employees gets hackers inside corporate gates 90 percent of the time, according to Verizon Communications’ 2015 Data Breach Investigations Report. For the last two years, more than two-thirds of cyber-espionage incidents have featured phishing, wherein attackers establish themselves on user devices and infiltrate the network.
- In the first half of 2015, malicious attachments became the go-to method for hackers to gain access, and a new stream of phishing attacks targeting businesses also began, according to a threat report from Proofpoint.
- The percentage of cyber-attacks targeted toward employees jumped from four percent in 2007 to 20 percent in 2010, according to a KPMG study. More recent research estimates that 40 percent of cyber-breaches could have been avoided had employees been aware of the risks and taken appropriate actions.
“The best technology on the market won’t help you if the bad guys get to your people,” says Mark Stone, CIO of the Texas A&M University System. Danny Miller, Texas A&M University System’s CISO, echoes that. “Even if you have the latest and best technology installed, one misstep by a user can throw it all out of the window.”
As more attacks are directed toward employees, many organizations are unprepared to react. They are also surprised by how difficult it is to change the behaviors of the people on the front lines.
Here are five ways to transform your people from cybersecurity liabilities to cybersafety assets.
1. Realize it’s a change problem.
Behavioral change is tough, and we cannot achieve a marked and long-lasting change with traditional communication, standard training, or mild promises of a better future. One reason is that these blanket approaches promote a diffusion of responsibility – people don’t think the problem lies with them. Think of sexual harassment and inclusiveness training; people attend courses because they must, but they think the training is targeted at someone else.
One chief information security officer confided that his biggest issue is that each department believes its own people are fine, and the risk truly sits with “the knuckleheads in other departments.” His question: how do we get people to understand that cyber risk is not a reflection on the integrity of the team; it is an individual mindset of vigilance to identify constant, undefined risk?
We can use behavioral science to help us. For example, research shows that we stay in a system until it no longer works for us personally. Economists and behavioral scientists Daniel Kahneman and Amos Tversky found that we feel the pain of loss more acutely than the pleasure of gain. So we unconsciously take greater risks and make bigger changes when confronted with painful situations. It’s why we stay in expired relationships and mind-numbing jobs. Until the pain is too great, we do nothing.
So how do we get people to feel enough “pain” to change? How do we get our colleagues, employees, and affiliates to understand that every one of us is a weak link and our current behavior is dangerous?
“Scaring people is a tactic that I certainly use to get their attention,” says Chris Walter, CIO of Central Garden & Pet. “Getting permission from employees who have been targeted and then using those real examples… That really resonates.” Some companies use internal phishing exercises. Through real-life stories and simulations, the employee understands viscerally that it can happen to him or her.
Jeff Dalton, Information Security Officer for the Bank of Marin, recommends making it personal. “You wouldn’t want your personal information out on the web, would you? Be prudent when you surf the web or click on something. Relate the experience to that individual level.” Mr. Walter says he helps leadership feel the urgency in a number of ways. “I tell the executives that the network we have is just as much a corporate asset as your plant. Imagine if your plant were hit by a tornado.”
2. Link it to culture.
Culture is made up of the unspoken rules by which decisions get made. MIT professor Dr. Edgar Schein says that, when a group of people engage in a behavior and are successful, they repeat it. That constant repetition becomes culture. We might also think of culture as a collection of organizational habits. It’s a powerful force, perpetuated by the brand of the company. People choose to work for Google or Coke because something about that brand resonates for them, personally. And it’s tenacious; changing a culture is like changing the course of a river – it requires dynamite. It’s easier not to swim upstream, but to harness the power of that culture to change behaviors. We must link the new behaviors we want to what the culture already supports.
Behruz Nassre, VP Technical Operations, Security & Compliance for TubeMogul, an advertising software company, directly links their security efforts to their culture. “There are two to three things that are important here. First, we train people that if they say they are going to do something, they do it. Second, we do things fast and do not reprimand failure. We send that message with our internal hacking attempts. If you fail, it’s OK so long as we learn from it and move on.” He also links their security efforts to the coding sprints their developers already do. “We encourage our programmers to look at security output as a reflection of quality rather than risk. In the same way there’s a bug and a fix; security bugs through static code or vulnerability are a quality feature to address.”
3. Make it familiar, controlled, and successful.
Familiar: We evaluate all new situations by comparing them to what we already know or experienced. If something is familiar and we judge it as safe, we are more likely to do it. As we try to change risky cyber behavior, consider what our constituents might compare this effort to, and create links that make sense to them. For example, in a health environment, caregivers vigilantly wash hands. Asking people to pause before clicking is the electronic equivalent.
When Patrick Wilson, Chief Information Security Officer and Associate Director of Clinical Applications at Contra Costa Health California implemented a mandated password format change, he said, “One metaphor I used was comparing the complexity of an eight-character password to walking across the Golden Gate Bridge. Changing it to 12 characters is like walking from the Golden Gate to the Statue of Liberty—it’s that much more difficult to breach.”
Controlled: In a chaotic world, we seek structure and predictability. We can handle devastating news, even a cancer diagnosis, if we know what to expect and have specific actions to manage our situation. We must design cyber programs with this in mind. In many ways, it’s like planning a typical IT deployment but for the employee’s experience, so you and they know what to expect and feel in control.
In the case of cyber risk, this starts with clearly defining the behaviors we need from our employees: what we want them to do (behavior), when they should do it (trigger), and the confirmation that it worked (reinforcement). And we must schedule these activities so they layer systematically, establishing new habits.
A program conditioning people to recognize undefined, potential hazards might look like this:
- Month 1: Recognize cyber risk generated by others.
- Month 2: Recognize the cyber risks I create.
- Month 3: Recognize risks inherent in my environment.
Each week would focus on one simple behavior, with the associated trigger and acknowledgement. Like so:
- Month 1: Recognize cyber risk generated by others.
  - Week 1: Pause before clicking attachments.
  - Week 2: Pause before opening external email.
  - Week 3: Call IT if suspicious.
  - Week 4: Tell the requestor you’ll call them back.
Successful: Finally, people adopt new behaviors if they believe they will be successful. In the research, it’s described as “outcome primacy”: our first experience has a “substantial and lasting effect on subsequent behavior” (Journal of Experimental Psychology: General 142(2): 476–488, doi:10.1037/a0029550). For example, if someone starts a diet and loses weight in the first week, he or she will continue the diet. We must engineer success for users as they practice and start to use the right cyber behaviors – make sure they understand when they have done it right, then repeat that experience over and over so that the behavior is naturally reinforced.
4. Don’t communicate; focus attention.
Many organizations create extensive communication programs, but each wave of communication is competing for individuals’ attention. We filter out “noise,” and pay attention to what is clear and relevant to us. Our challenge, then, is to focus attention so that our information about safe cyber behavior gets through our people’s selective filters. One of the most effective ways is to get the organization “on-message” about the program, much like a political campaign. If team members can describe the effort passionately, without a PowerPoint, using their own examples, we win.
Think of the message as a square anchored by four words: one for the current situation, one for the solution, one for the method of getting there, and one for the result. For example, these words might be:
- Current: Vulnerable – Our current way of working is broken and we are at risk.
- Solution: Discerning – Employees should easily decide what’s nefarious.
- Method: Questioning – Employees should think about whether each action is risky.
- Results: Nimble – Our organization responds quickly and appropriately to relentless threats.
It’s imperative that key people agree on those words; the debate will help internalize them. The square shape helps too – visualization makes it memorable. Examples supporting the words must come from the team working on the message. And, as long as words remain constant, the team will be able to describe what they’re doing consistently in every conversation from the coffee shop to the boardroom.
Mr. Dalton underscores this: “Having them all in the same room and talking about it the same way – consistency of messaging. They have to lead by example so when I have senior staff and board room discussions, the message is always the same; they have the same frame of reference.”
5. Measure and benchmark behaviors.
It always comes down to accountability, both at the organizational and individual levels. Mr. Nassre uses a variety of tactics. “We put out a monthly security report to our execs that includes a product and IT perspective, and a physical security perspective. These are the number of machines hit by viruses, how they were hacked, these were the campaigns we ran, these are the total number of people who clicked that shouldn’t have, these are the number of bad passwords we found. We’re looking at trends.”
Mr. Wilson’s approach is similar. “We discuss the number of infections, number of inquiries regarding investigations, the number of computers needing to be rebuilt due to malware.” He added, “We do a lot of our own assessments internally. There’s a physical audit where we go to a new site each month and act as normal patients and talk with the local onsite management to discuss what they did extremely well and what they didn’t. Many organizations forget about the physical site.”
There are traditional benchmark sources like (ISC)2, SANS Institute and Brian Krebs. But, as Mr. Wilson observed, many organizations are overlooked by the larger benchmarking firms, and take inspiration from peer groups. “We meet with other facilities of the same size and revenue range.”
The importance of the right cybersecurity behaviors cannot be overstated. And pulling the right behavioral levers will make all the difference to your company’s security.