surfers on longboards in the water
PHOTO: Johny Goerend

On May 10, an internal IBM memo was leaked to the press which put an end to employee use of removable portable storage devices, such as USBs or Flash drives, for data transfer. Big Blue said it would begin implementing the policy over the next few weeks throughout its worldwide offices. The reasoning given for the move was to minimize "the possible financial and reputational damage from misplaced, lost or misused removable portable storage devices." Employees were encouraged to use IBM’s internal intranet to move data around. The memo acknowledged the decision might be disruptive to some IBM workers.

As it turned out, it was right. Employees started grumbling, according to press accounts. After the memo was leaked, one UK publication, The Register, reported that, “Since publishing this story we've heard whispers that IBM has taken note of staff objections to the removable storage ban, especially when doing software updates, and is considering making a few exemptions.”

Let’s state the obvious: A company has the right to insist on protocols around the use its data, especially security processes. Where IBM might have gone wrong, though, is in how it went about trying to wean its employees off of these devices — that is, by issuing a memo and giving employees very little notice.

A Seemingly Easy Directive

At face value, IBM’s decision to remove memory devices like USB sticks from the workplace would seem like an easy change to make. The staff is well-versed in technical requirements and aware of the necessity of obeying security directives. Staff also had a well-developed intranet to use instead. 

But when there are hints of a rebellion among employees even in these favorable circumstances, it begs the question of how a company can bring about or coax change in a workforce — especially around security procedures — when the constant warnings about threats and risks can easily morph into white noise for workers? In short, even well-informed, IT-savvy knowledge workers can resist change that at some level they know is for the best.

Start With Education

“People will try to get around the changes you’ve made,” said Richard Henderson, global security strategist at Absolute Software. Sometimes it’s unintentional, he said, people just want to remain in their comfort zone. But some employees will intentionally try to circumvent the changes put in place, he said. Other workers might take a passive-aggressive approach and just ignore the continued reminders and updates about upcoming changes until the very last minute. “Your strongest weapon to combat all this is education: people need to understand why the change is happening, why it’s important to the business and why it’s critical that they comply,” Henderson said. “Most reasonable people, while not happy with the change, will begrudgingly accept it if you can provide them with a strong and well-explained justification for it.”

But that is just the first step. Companies need to follow through with continued reminders and training if necessary, he said. And sometimes, even that is not enough. What follows are suggestions for any company that might find itself, like IBM, trying to figure out how to get its employees to make a necessary change in a workplace habit.

Plan For a Slow Transition

It's important to give your employees time to change their habits, Steve Wang, founder of Mock Interview said. “However long you think the transition will take, it'll likely take twice as long.”

Think of It Like a Marketing Campaign

Dennis Dillman, COO of PhishLine, a security training platform owned by Barracuda Networks, suggested companies develop a security awareness initiative to remind employees about its importance. “Think like a marketer,” he said. “How can you articulate this in a way that employees will remember and embrace?” He suggested giving your initiative a theme, such as ‘Shields Up,’ and then incorporate that theme into existing programs. “Place internal procedures for reporting security threats, spam or phishing in a ‘Shields Up’ tab on your company intranet,” he said.

Make It Part of the Hiring Process

Emphasize security during the hiring process so employees understand it is part of the culture from the start, said Nik Vargas, CTO of Switchfast. “Include it in the employee handbook prominently and make it part of any documents they sign as they come on board.”

Have the Message Come From the Top

You don’t want change management of this magnitude coming from a mid-level manager, Vargas said. “You want the message coming from the C-level, the ownership of the company. This is the person who needs to tell employees that ‘this is important to our organization and here is why.’”

Explain Why – and Make It Personal

Any change you introduce needs to come with an explanation. In the case of security, the explanation should go beyond merely ‘it is safer to do it this way.’ "You want to make the explanation personal," Vargas said. For example, if you are talking to the HR department, "you might tell of a situation where an email came in to HR purporting to be from the CEO asking for all of the workers’ W-2s and because the employee didn’t notice it wasn’t the right corporate address, as a result all of the employees’ personal information was compromised." Or, if you are talking to customer service reps you might tell a story about how a rep clicked on a link he shouldn’t have in a phishing email and as a result unleashed a virus that exposed customers’ information. "These are scare tactics, of course, but sometimes that’s the only way to shake up people who are stuck in their ways," Vargas said.

Plan for Exception Handling

There are always going to be exceptions to the security rules, said Absolute’s Henderson. “Other employees will feel like you are playing favorites and that can create a divide between staff.” Henderson advised companies to be able to validate and justify exemption requests as well as add additional layers of protection for those specific users to mitigate any increased risks.