Working on the front line of healthcare research and policy analysis, the 120 staff at the independent charity The Health Foundation are privy to large amounts of sensitive information. The arrival of a new head of IT two years ago prompted a review of IT security strategy that encompassed not only technical controls such as passwords and firewalls, but also the human risks and the behaviours needed to create a cybersecure organisation.
"We hear about cyber attacks and breaches all the time, and we felt it was an issue we needed to take time to address properly," says head of HR Patsy Mills. "We have a close working relationship with IT, and we agreed that HR would take the lead on changing employees’ behaviour through training."
With mandatory cybersecurity training all too often regarded as a tickbox exercise, and not properly embedded in organisations’ principles, the foundation decided it needed to take an approach that would change attitudes for the long term and, given its small size, become self-managing.
Mills and her team began by telling staff about the security review, before hosting initial awareness training sessions that included a "live hack" and related the relevance of cybersecurity not only to their jobs but also to their personal security. Mills then worked with the consultancy Layer 8 to look at each department’s data and deliver appropriate training and guidance: "We had to challenge their behaviours and say: ‘We know this is a convenient way to hold data, but is it the safest way? Is it the responsible thing to be doing?’"
Emphasising the people behind the data also helped staff get on board more quickly. "We saw greater progress at The Health Foundation than at other organisations because their employees genuinely care about their customers," says Sarah Janes, managing director at Layer 8. Establishing a network of champions helped to maintain the conversation about cybersecurity and make the project self-sustaining, she says.
Nearly 18 months on from the initial IT review, the organisation has seen a genuine change in employees’ behaviours. "We sent out a phishing email [an email that attempts to trick people into sharing personal information], and the results were a marked improvement over the initial test," says Mills.
Playing the long game, and giving staff time to absorb training and change their behaviour, paid dividends, she adds. "We undoubtedly could have done this more quickly. But we needed to integrate security into our way of working, so it became normal. We had to create an ongoing dialogue with employees before we did any training, and it seems to have really worked."
There is more training and improvement to come, says Mills: "We see cybersecurity as essential to our values. In the future, it will be a core piece of training, in exactly the same way that we have diversity training, because it’s so important to how we work. We can’t afford to get this wrong."
This article first appeared in People Management