Organisations are increasingly aware that their employees can represent significant risk. A single employee could, through just a few clicks, download millions of customer records or transfer vast sums of money from one account to another. In response, most businesses have processes in place which control and monitor their staff. This ranges from limiting access rights on IT systems and monitoring online activity to CCTV surveillance.
Such an approach, however, can be counterproductive. The evidence suggests that the majority of people are trustworthy. A recent US study of financial services fraud¹ found that even employees who go on to become a security problem typically work for five years as loyal members of staff before committing their first crime. For the majority, therefore, stringent regulation, compliance, risk and security thinking can raise questions about personal privacy and ethics. This leads to a perceived ‘them and us’ culture which removes responsibility for security from employees and may therefore create more problems than it solves.
Organisations can reduce their exposure to employee risk, while being careful not to alienate their most vital people, by building a security culture that concentrates on establishing and maintaining trust. In this way, employees come to understand and have trust in the measures the company is taking to reduce risk.
The following steps will help you to build trust within your organisation.
To support security or control measures, employees must first accept that there is a credible threat and have a clear understanding of why these measures are essential. To achieve this, those instituting and operating such systems must be honest about what is being done and why; they should not bury it in employment contracts or IT operating policies. It also means putting proportionate checks and balances in place, focusing where it matters most and accepting that most people are trustworthy. To reinforce this, management must be prepared to challenge control measures that are unnecessary and remove measures that have become redundant.
A high-performance culture is underpinned by shared and aligned beliefs and values and leads to employees recognising that they are the company. Building on values centred around integrity, security and trust develops commitment and challenges a culture of blame. These beliefs and values must be consistently role-modelled and evidenced in the personal behaviours demonstrated by senior leaders. Actively ‘living the values’ in the way in which leaders comply with agreed practices (or, correspondingly, erode them by acting as though they are exempt from them) sends a clear message to employees.
Achieving this culture takes more than putting a poster by a photocopier; people need social reinforcement from the norms of behaviour around them.
People want to be able to like and trust each other, and they look to follow the social norm; these traits can be used as strong informal levers to reinforce the right behaviour. Reminding people that the majority do the right thing helps conformance. Making the ‘right way’ a social norm means that a conscious decision has to be taken to deviate from it, and this can be achieved by sharing stories across an organisation about the incidents that have occurred.
Achieving a deeper understanding of failures, how they were detected, and the implications for those who have been found out acts as a strong deterrent. However, such stories can also inadvertently provide information about carrying out counterproductive activity successfully so it can be sensible to leave certain details out. Learning from incidents may highlight where controls are unnecessary or ineffective. It may not always be the case that increasing controls is the right thing to do; getting behaviours right is inevitably more effective.
1 ‘Insider Fraud in Financial Services’, CERT Insider Threat Center, July 2012 (http://www.sei.cmu.edu/library/abstracts/brochures/12sr004-brochure.cfm).