Maintaining workplace safety can seem like a rare form of torture--videos and quizzes and talks and such. For most of us, it's a necessary chore. But despite the looks among employees with each new H.R. training session, the work that happens in those conference rooms at least in theory translates to profits.
The inoculation process of onboarding a new hire is profoundly important to the proper functioning of any organization. Never before have there been more actionable sensitivities and special needs, all of them calling for empathy and action in the workplace. Safety is important. People don't work well when they don't feel secure.
Creating an environment where employees feel safe takes many forms: It can be as simple as the correct placement of fire extinguishers, smoke detectors and alarms and/or providing employees with tips for monitor placement, or it can involve shock-absorbent flooring. Of course, it also involves the establishment and policing of an organization's social and cultural norms. Google has taken this to the next level with its steps to ensure psychological safety to prevent employees in teams from feeling insecure or embarrassed. (If the company's utter dominance in nearly every Internet-related field is any indicator, the strategy seems to be working out for them.)
Notwithstanding the Google example, it would be a stretch--and possibly an actionable H.R. error--to describe as "sexy" the various manifestations of workplace best-practices.
H.R. departments are in the business of minimizing the use of trigger words. When someone in the room says that this or that profitable situation is "sexy" there are other words that can carry the same amount of water--for instance, "exciting" or "awesome." Basically, that word, for some demographic types, means "super cool," and can be applied to the purchase of a new car, a new smartphone or bagging a multi-million dollar contract. No champagne, no smoke machine.
Enter Tall, Dark and Cyber Safe
Where cybersecurity is concerned, many employees have a sort of click-and-pray approach. It is not a method that inspires a great feeling of security. Add to that the reality of doing business today. Businesses and employees alike live under constant threat of the fallout from someone--maybe even the child of an employee who brings their own devices to work--clicking on the wrong link, opening the wrong attachment or mistakenly creating an unsecured database containing sensitive information.
The cause of the next corporation-killing megabreach could be on any machine in the workplace just waiting for an uninformed or distracted employee to activate it. The answer is in the H.R. department: cyber is a cultural issue. One of the norms of any properly functioning organization must be the propagation of a culture of cybersecurity. A growing trend in employment benefits is employee-paid or voluntary cyber awareness programs coupled with identity theft resolution and identity monitoring services.
The numbers are grim. Eighty percent of businesses expect to experience a data breach before the end of 2019, and more than half of small and mid-size businesses were breached last year (and that's just the organizations that are aware something happened). Meanwhile, the cost of a breach keeps climbing steadily, especially when lost customers, fines, and lawsuits are added to the total.
It's an all too common scenario: undersized and demoralized IT departments sprint from one crisis to another, while H.R. departments fail to grok that cyber vulnerabilities are an existential threat on par with a gas leak in the office breakroom. The overlap between workplace safety and cyber safety is significant--in fact they belong under the same rubric: Safety. At issue too often is the failure of an organization to identify cyber vulnerabilities and then deploy H.R. to train them into submission, thus minimizing the exposure.
The 3 Ms for Business
Minimize Your Risk of Exposure: Put resources into training your staff to recognize phishing scams and to practice good cyber hygiene. Vet contractors and vendors based on their security practices to minimize supply chain risk. Consider requiring employees to log in to a VPN (virtual private network), especially if they're connecting to the company network remotely. It's often the sloppiest of mistakes that give hackers access to your business. Training and sound cybersecurity policies can fill in the gaps where technology often fails.
Monitor Everything: Establish a policy at your business about transferring funds; in the era of deepfakes, it's important to know who is likely to request access to money, and how it should be handled. Always double check by getting confirmation on the phone. Every system can introduce vulnerabilities, and newly introduced technology especially so. Create a culture where employees know that if they see something, they will be rewarded for saying something. Cybersecurity is a team sport.
Manage the Damage: When it comes to a compromise of your company's identity, honesty is the best policy. Own up to a data breach as quickly as possible (especially if you are subject to the GDPR's 72-hour requirement), be transparent about lapses in security, and review any policies that allowed the compromise to occur in the first place. Jack Dorsey's Twitter hack may have been embarrassing, but the company moved quickly to close the security loophole that allowed it to happen. Perhaps most important, have some empathy. Cyber-fails are scary. Remember, your news might be more traumatic for your customers or clients than it is for you, and act accordingly.
If safety isn't the most exciting thing on earth, profitability is. Any company that doesn't devote significant resources to keeping employees current on the cyber-front will at some point have to ditch productivity (and with that, profits) while its most valuable resource--the humans working for it--recovers. Bear in mind, that can take a very un-sexy 100-200 hours.