Sunday, November 11, 2012

Take care of your human risk factors first

What is the biggest risk to the longevity of your business? I have asked that question of a few people recently and the most common answers are earthquake, fire or flood. But in reality, while those events, if they happen, are huge threats to the ability of your business to continue without good planning in place, the far bigger threat walks around your offices on two legs.

Have you considered that the Network Admin who has all your passwords written on a card that he carries in his wallet might potentially be opening your business up to a massive threat if he happens to leave that wallet on the table at a cafe one day?

How about the application expert who can fix user issues at the blink of an eye, but never shares any of his knowledge with his colleagues, or documents it in the knowledge base...what happens if he throws his toys out of the cot one day, walks out and leaves, taking all his acquired knowledge with him?

And what about the person doing data entry on your accounting system who leaves the username and password for the application on a post-it note on the edge of the computer monitor...and the technician whose job it is to check that your UPS backup is ready to go in the event of power failure, what if he assumes that they are all OK without physically checking them as scheduled?

These are the threats that can derail your business in a heartbeat, and they are easier to counteract than the potential risk of earthquake or flood...when I originally typed that last sentence, I said that they were FAR easier to counteract; I took that out because anything that involves getting people to change is NEVER easy, but it can be done!

I had fun finding this pic...brought back great memories!
Firstly, foster a culture of trust. People who do not trust their employers are loath to share their knowledge. Being the only person who understands how to fix things, in their eyes, protects their job by making them indispensable. Some good old-fashioned team building can really help here. I worked in one IT department where we played a networked first-person shooter (if you are reading this you are probably a nerd, like me, so you almost certainly played it yourself) called Wolfenstein Enemy Territory...we would stay after work and have full-on battles well into the night, usually until someone's significant other called to find out why they weren't home. That built a great team spirit and we still fondly reminisce about those games when we get together now, over a decade later.

Make sure that your team understands the aspirations and culture of the business outside of IT. Ensure that the IT department feels that it is part of the business, getting rid of the old 'them and us' ethos that has plagued IT and the business for so long. If IT cares about the business they will be more attentive to situations that could threaten the organisation.

I know that gamification is a bit of a buzzword right now, and for good reason - introducing competition into the workplace can do wonders...IT workers are, by nature, a competitive bunch. Offer some good carrots, so hopefully you will not need a big stick. Incentives are a far more productive way to get the results you need than punishment. Encourage knowledge transfer by having a monthly competition for the best knowledge-base article, or the greatest number of 'approved' articles written.

Essential tasks, such as the UPS check or testing backups, can be made more visible. Put them up on a whiteboard, visible to the entire department - a bit like a sticker chart for encouraging good behaviour for a child. Everyone can see when the desired behaviour has been completed. If you want to add even more incentive, create a reward for the whole department when the action has been carried out successfully for a month - that way everyone will remind the person responsible. It takes six weeks to form a lasting habit, so if you can get that far you've won the battle.

Make sure that the tools that are needed to aid security are in place, such as password lockers, so that there is no excuse for careless use of passwords. Incentivise their use and take action where there is abuse of password security. If you have been able to instil that feeling of belonging and loyalty to the business, then your team will understand the need to keep systems secure. This is not an area where you can afford to have lax behaviour.

Get those two-legged risk factors under control. If you can take countermeasures against the human risk factor you will have gone a long way to protecting the business from avoidable threats.
