Within any organization, it is often apparent which employees are technologically adaptive and which regard technology as a necessary evil. Even with today's high degree of technological utilization, it is frequently an accepted or dismissed fact that information technology (IT) is forced to spend a large amount of time teaching and reteaching simple technological lessons.
Whether it's trying to reset a password or utilize a feature on a company-used software tool, employees are sometimes unable or hesitant to learn about technology without heavily relying on IT. This inability extends to cyber security.
Instead of proactively learning about an organization's policies regarding cyber threats, employees think of cyber security as IT's responsibility and refuse to participate. This inability is a day-to-day time waster that can ultimately impede growth and the improvement and implementation of internal cyber-security policies.
Digital Change Is Necessary to Achieve Digital Goals
Without digital competency, the kind of growth and convenience that can be afforded by the Internet of Things (IoT) is greatly diminished. Consider an organization that is trying to implement a company-wide software tool designed to organize and facilitate internal communications. All employees are expected to use the tool efficiently and learn its features. For this tool to be effective, a basic digital competency is required by each employee to adequately research and explore the features without overly depending on IT for assistance.
Furthermore, digital change needs to be regarded as a positive movement within the organization. A learning curve is to be expected and should be acknowledged, but regarding a potentially valuable tool with suspicion will restrict progress. Attracting technology-minded employees is critical for an organization's growth and overall ability to be digitally adaptive.
A lack of digital competence within an organization comes with a wide array of cyber risks. As illustrated in the previous example, failing to learn a new software tool can cost an organization time and money. Overdependence on the IT department may prevent the achievement of overarching security goals. Misuse of social media platforms can cause severe reputational damage. The convenience offered by increased utilization of the IoT and "smart" devices may be greatly reduced, putting an organization at a competitive disadvantage. Within older organizations, being digitally adaptive may require even more persistence from upper management in ensuring the value of employee training and recruiting processes.
Digital Competency Helps Secure Digital Security
From a security perspective, digital competency is the bare minimum when it comes to understanding and enacting best cyber-security practices at an employee level. Recognizing threats and reporting them properly require a personal working knowledge of technology. For example, a technologically adaptive employee is going to have a much greater chance of recognizing a phishing email and, therefore, of avoiding becoming a victim. Across an organization, IT departments that are not overburdened with small tasks are better able to implement cyber-security policies and respond to potential threats.
Ensuring Compliance Must Come from the Top
I often refer to the need for organizational "cultures of security" in which security is regarded as a daily top priority and not a box to be checked at the end of a mandatory training session. Developing this type of culture requires top-down management buy-in, especially when it comes to new policies. The IT department should never be considered solely responsible for security; rather, upper management should stress that cultures of security require everyone's engagement.
All Need to Be Vigilant
It should also be acknowledged that those who have grown up with technology are not necessarily going to be the most digitally competent individuals in the office. In addition to understanding the basics of technology, I also consider high degrees of discretion and awareness to be elements of digital competency. For example, recognizing the impact of social media use as a very important aspect of representing an organization may be something that needs to be incorporated into security training sessions.
The risks associated with digital incompetency are often disregarded due to their frequency. However, with time, wasted efforts can amount to extensive damages, especially when they affect cyber-security culture.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.