Kerrie Smit

The Intersection of Change Management and Cybersecurity

By the time I realised I may have entered the password for my government hub account into an illegitimate internet site, the dread started to settle in and I scrambled around for a phone number to call. This government hub is a place where users are able to connect personal services and transact with government agencies online, such as the national healthcare system, taxation information, and many other services. In other words, personal and private information.


I located a phone number and called but was placed in a queue. Instinctively I felt this couldn't be right, so found another number. Bingo. Within about 10 minutes of clicking an embedded link I was on the phone to the support team, and very thankful for it! As we talked, hackers were in my account and had already left traces of getting their attack underway. I was offered additional security measures which I gladly took advantage of and escaped relatively lightly.


I had given the hackers my password voluntarily because of a perfect storm of circumstances. The government hub had recently changed its branding quite radically: it no longer looked like other government services, but had adopted different colours and a very informal look. The email containing the deadly link read exactly like legitimate emails I had received before. I was regularly working on a VPN, and wasn't alarmed by being diverted to a proxy site for sign in. I also didn't know whether this was part of the rebranding. It wasn't. Of course it wasn't! The screen I was presented with looked legitimate; it was branded and on point. I was sent a text with a security code from the usual phone number, and the code was accepted.


What alerted me to the problem was one small and strange misuse of English on the wording of the site. Very slight and very subtle, but it was enough. I stopped, went back to the email and dug deeper. The email address had been cloaked but upon uncovering it, alarm bells rang. Unfortunately by then it was too late - clicking the link in the original email was all it had taken and the attackers were already on their way in.


Where technological advancements and organisational changes are the norm, businesses face a dual challenge: managing change effectively while safeguarding against cyber threats. Change management and cybersecurity may seem like separate domains, but they are intricately intertwined, with each exerting a profound influence on the other.

Understanding Change Management

Change management is the structured approach to transitioning individuals, teams, and organisations from a current state to a desired future state. It involves meticulous planning, communication, and execution to mitigate resistance and maximise adoption of change initiatives. Whether it's implementing new technologies, restructuring processes, or adapting to market shifts, change management ensures that organisational changes are smooth and successful.

The Cybersecurity Imperative


Cybersecurity encompasses the strategies, technologies, and practices designed to protect digital systems, networks, and data from unauthorised access, breaches, and attacks. Cyber threats loom large and can be potentially catastrophic. Organisations invest significant resources in fortifying their defences against malware, phishing attempts, ransomware, and other cyber risks. However, the evolving nature of cyber threats demands a proactive and adaptive approach to cybersecurity and customer awareness.

The Intersection of Change Management and Cybersecurity

1. Human Factor: Social Engineering: One of the most prominent intersections between change management and cybersecurity lies in the realm of human behaviour. Social engineering, a tactic employed by cyber attackers to manipulate individuals into divulging sensitive information or performing actions that compromise security, preys on human psychology. Change initiatives often disrupt established routines and norms, creating fertile ground for social engineering exploits. By integrating cybersecurity awareness and training into change management programs, organisations can bolster resilience against social engineering attacks.

When organisations strengthen their cybersecurity, they need customers to be aware. I learned after reporting the attack that the organisation involved no longer sends links to customers in email messages. I wish I had known that prior.

2. Risk Management and Governance: Both change management and cybersecurity include risk management and governance processes aimed at identifying, assessing, and mitigating risks. Incorporating cybersecurity considerations into change management frameworks - and vice versa - enables organisations to evaluate the security implications of proposed changes and implement appropriate controls to safeguard against potential vulnerabilities. Conversely, cybersecurity risk assessments can inform change management decisions by identifying potential impacts on security posture and guiding prioritisation of change initiatives.


Had this organisation's branding change to far less formal visual assets lowered the psychological barriers to dealing with official communications? Had this risk been identified and assessed during the change initiative?


3. Technological Integration: As organisations adopt new technologies and digital solutions to drive change and innovation, cybersecurity considerations become integral to the deployment and integration of these technologies. From cloud migration to enterprise-wide software implementations, changes in technology infrastructure introduce new attack surfaces and security challenges. By incorporating cybersecurity principles into the design and implementation of technology-driven change initiatives, organisations can proactively address security risks and enhance resilience against cyber threats.


Data is both an asset and a risk. While it may seem 'the more the merrier' when it comes to customer data, if organisations are holding data they don't need, they are holding - and creating - unnecessary exposure.


4. Communication and Stakeholder Engagement: Effective communication and stakeholder engagement are fundamental to both change management and cybersecurity. Clear and transparent communication fosters understanding, buy-in, and collaboration among stakeholders, facilitating successful change implementation and cybersecurity awareness. By aligning messaging and engagement strategies, organisations can cultivate a culture of security consciousness and collective responsibility, strengthening defences against cyber threats and reinforcing change readiness.

No-one wants the situation where we can no longer apply common sense to circumstances that seem to require empathy. Our humanity can't afford to promote complete shut-down and refusal to help for fear of being socially engineered.

Organisations that hold data need to understand the burden of responsibility to keep that data safe. Effective engagement and communication with customers and stakeholders about cyber safety throughout change is key.


The intersection of change management and cybersecurity is increasingly evident. By recognising the interconnectedness and adopting an integrated approach, organisations can enhance their resilience to both change and cyber risks. From addressing social engineering vulnerabilities to integrating cybersecurity into change processes, proactive collaboration between change management and cybersecurity functions is essential to navigating the complexity of organisational change involving digital assets. Embracing change management in technology projects empowers organisations to adapt to change effectively while fortifying their defences against cyber threats. This helps to safeguard their customers, assets, reputation, and future success.


Agencia Change is an online change management specialist. For more information on how we can help with your digital change, click the link below.


