I live in Chicago. For 5 months out of the year, if I want to go outside I have to give myself an extra 5-7 minutes to add all the extra protection from the cold that I need to be comfortable (and even then I’m not really comfortable, if I’m being totally honest). If you live in a warmer climate, you still have to be attentive to slather on the sunscreen before you leave the house (you DO use sunscreen every time, right?). It’s not as intrusive as donning a sweater, coat, gloves, scarf, hat, and boots, but still a time-consuming delay to reaching the goal of going outside without harming ourselves.
And so it goes with security measures in any business or organizational setting. We try to tell our users that they need passwords/MFA/any security, but they push back saying things like:
If you have said one of these, if your client has said one of these, if your staff or boss has said one of these, or if any combination of those people have said or will say one of these objections – this article is for you.
Our tolerance for sitting quietly and waiting has been diminished to near zero; users just want to “get to work” without the hassle of having to jump through security hoops. They are tired of having to create and recreate passwords. They are tired of having to look for their phone that they set down somewhere so they can find that MFA code in some authenticator app they can’t remember (some of us have a few authenticators on our phones) and, well, the result is more than just MFA fatigue. It’s security fatigue!
People are creatures of habit. We like the familiar. We get lulled into the inertia of the “it hasn’t happened so it won’t happen” mentality. We think that just because it can’t be pinged, it’s secure. And we are sure that nobody is interested in us enough to hack us.
Admittedly, there was even a period of time that I could tell my clients that they were inconsequential in the world of hackers. Until ransomware showed up. That changed everything. Well, everything for me. For my clients, well, they still were not completely convinced. Let me tell you, there were more than a few Hold Harmless riders signed in my practice.
Unless we pathologically stop trusting others and opt to live with only air gapped computers, we are all potential targets. And even if you’re air gapped, it is *still* possible to suffer an attack if someone uses an infected peripheral.
Still, it behooves us to bring our users along on the security & compliance journey; a task made that much harder when the users are resistant to any inconvenience. That’s when your people skills have to take over. That’s when you have to figure out how to change minds.
This is no small task. I know you’ve tried to teach your users to ignore text messages from “the president of their company” and you’ve done your level best to keep them from clicking those ransomware-infected emails. But that’s not the kind of change I’m talking about.
When it comes to instituting a security program in your company, a broad-sweeping, identity-protecting program is where you probably feel the most pushback. The boss wants to secure their data, but they want to do that without being inconvenienced. And they want to squeeze every bit of work time they can from their employees so if a security solution takes too much time, users will complain.
OK, fine, yes - people will always complain. But too much pushback can be destructive. For your sanity and to increase willing compliance with security measures, you want to explain in simple terms why MFA (for example) is important. Use as many analogies and metaphors as you can, to help hammer the intent of the technology home without getting overly technical in the reasoning. Remember that while you are a technologist, the most important thing to your user is their work, not yours.
Talk to them about comfort. While walking around like Ralphie from A Christmas Story isn’t comfortable, it is certainly more comfortable than being frostbitten in -5º temps . Empathize with your users that while finding that MFA code isn’t comfortable, it is more comfortable than being responsible for a data breach of all your customers’ PII. Enlighten them with data showing how many attempts to log in as someone else are made and blocked. Instill in them peace of mind that their hard work is protected because of MFA.
Talk to them about safety. Like applying sunscreen is a safety measure for fending off skin cancer, so is instituting an identity management system that includes various security measures for fending off data breaches. It can be cumbersome, but the protections are worth the minor inconvenience.
Your job is to secure the data and protect the company. How you get users to cooperate is a choice you make. You can use a too-bad-so-sad, get-with-the-program, my-way-or-the-highway method. This method is guaranteed to win you exactly zero friends and will erode any trust they have for you.
Or you can summon up all your EQ and talk with your users. I get where you’re coming from, but before you can convince them that your way is the best way, you have to show them that you understand their point of view. Don’t diminish their fear or discomfort. Instead, seek to validate their feelings. It will help them trust you which, in turn, will help you get their cooperation.
“I hear you and I agree,” should flow from you easily. Your users want to be heard, not bossed around. “I wish it were different but, unfortunately, the world is filled with bad actors and we are all at risk. Let me help you protect yourself and the company,” or something like that will gain more traction than being bossy.
Finally, show them the rollout plan. Show them how the changes will impact their day-to-day world. Show them how to get through security easier. Provide training sessions. Create a simple, screenshot-heavy how-to document. Refrain from taking over the keyboard or phone when they’re not understanding; guide them through using their tools.
Users won’t become security experts, but they’ll become expert at doing what you teach them to do…and that’s the best outcome.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
New to the site? Take a look at these additional resources:
Ready to join us? You can register here.