A security breach for a large company can be significant but is usually recoverable. By contrast, an SME can have its business set back a number of years, or even fold, if a security breach causes significant losses, both financial and emotional.
In these turbulent times of continuing economic uncertainty and rising crime, SMEs are increasingly vulnerable to threats of attack from outside and inside the organisation. Awareness of threats is often limited, and many SMEs only become aware of a threat after an attack has taken place. Even if traditional security measures are in place, there is always the human element, where staff can make mistakes.
Research from top psychologists in the US has found that up to 85% of executives find it difficult to speak up and report something to their superiors. Even if an SME has security hardware such as CCTV and firewalls, and staff are trained to recognise security threats, they may still ignore or not report an attack. In the field of psychology this is called Willful Blindness. What makes people Willfully Blind to a security breach? The fear of being admonished by a superior, being sidelined or being branded as a trouble-maker are just some of the motivations for staff to bury their heads in the sand like an ostrich. In Malaysia, one top anti-corruption official has stated that it can take up to two years after training for staff to feel comfortable reporting unethical activity in an organisation.
Increasing staff vigilance is a first step to making an SME more secure against attacks. Instilling the courage and confidence to both act on and report an attack is the next step. By nature, SMEs should have closer-knit communications than large MNCs, and building internal relations with staff should give them the confidence to report a security breach without fear of punishment.
Building trust by getting to know your staff well may be a cliché, but frequent face-to-face interaction facilitates it and increases the likelihood of effective reporting. ‘The door is always open’ is a form of leadership that should be encouraged, particularly in Asia, where staff may be more introverted and passive than in Western cultures.
To Err is Human
Research has shown that up to 80% of security breaches are the result of human, not systems, errors. So what happens if your staff become aware, through organised training or just an informal pep talk by the boss or department heads, of the threats that face your SME and are confident enough to report? What might happen is that they start to see threats or attacks where they don’t actually exist. Either a state of paranoia or overzealousness to please the boss may kick in. You may be faced with a tidal wave of over-reporting, so it is important for the leaders of your SME to be trained to be fully aware of the current threats and the potential future threats that are evolving. A second possible mistake your staff might make is not to recognise an attack that is occurring. Data shows that many attacks that are reported have been ongoing, sometimes for many months. Identifying the critical infrastructure in your SME, such as databases or restricted areas, then assigning responsible key staff to be vigilant 24/7 on these, is another effective security strategy.
How can a leader in an SME make their staff less blind to security breaches? Encourage critical thinking and courage in your employees. Asking questions is a key strategy for effective security. During meetings, why not ask: Why is this person responsible for that? What is this person doing in that place? You may not always get the answers you are looking for, but it will give you as a leader a better handle on what is going on in your organisation. If you are a leader who does not know what is going on in each part of your organisation, then you may be blind to the threats to your critical infrastructure as well as to the warning signs of an impending or ongoing attack, so ‘leadership-by-walkabout’ can help.
Human resources are the lifeblood of every organisation. Even if you are faced with youthful or new employees who need training and time to become competent in their roles, their ability to identify warning signs of security breaches, and their courage to report them, may just save your business.