
Does MFA require F2A?

May 26, 2022

It’s tough to find a cyber insurer today that does not require its insureds to deploy multi-factor authentication (MFA) across the organization.

It’s well understood by most agents that it’s now a “No MFA, No Play” game: without MFA, the average cyber insurance application gets declined. Try F2A.

There are many good reasons for this that I won’t get into now, and authentication is increasingly a key qualifier for basic cybersecurity controls. It’s fair to say that MFA is quickly becoming an expectation across the business community. It’s certainly an early topic in our cyber risk assessments, and it’s amazing to see how many otherwise cyber-responsible companies leave MFA deployment to the discretion of the employee.

While the leading email platforms make MFA easy to enforce for every employee account, surprisingly few administrators tick that box in practice. More troublesome still is the multitude of software apps that require each user to individually enable MFA, and particularly dangerous are those that do not yet support MFA at all; these are arguably not usable in the present reality of cybersecurity chaos unless access to them is fronted by something that does enforce a second factor (single sign-on, a VPN, or similar). Ultimately, this presents challenges to internal administrators and to the third-party organizations responsible for data security.

MFA Resistance

Implementing new cybersecurity tools and techniques can meet serious resistance. I follow and comment on a few Reddit communities, including the msp (Managed Service Provider) subreddit. These folks are on the front lines of working with clients to put these controls in place, and they face this issue every day. I ran across one post last week that fascinated me, for several reasons:


Figure 1. The Reddit post on MFA Resistance

The post and its subsequent responses share a common theme: the struggle to drive clients to do the right thing. The responses generally declare that the solution is to mandate policy with an iron fist. Essentially, this means that The Boss must clearly, consistently and constantly articulate the need for cybersecurity controls to be deployed, and that the job cannot be expected to get done without this missing piece. We call this method of top-down enforcement F2A.


What is F2A?

F2A is a favorite acronym of ours. It is used when discussing appropriate degrees of organizational pressure from the top. It is better known as good ole fashioned foot-to-ass, and can be thought of in the way a drill sergeant pushes his soldiers towards submission. While not always successful on its own, F2A does have its place among other methods backed by research, theory and practical strategies for driving organizational change. There are several useful methods today to automate the push towards change, and the right degree of F2A can be a necessary component in driving cyber resilience throughout an organization.

When is F2A appropriate?

F2A can be effective when used in measured fashion. On its own, F2A is not effective in driving positive, long-term organizational change. It must be accompanied by a well-articulated strategy, a well-understood purpose, and some sense of buy-in based on personal and professional utility. It should be applied gradually, as an accelerator when needed, and used sparingly. Its use should always be preceded by the other methods described below; once the policy change has been properly teed up, F2A makes fundamental change across employees real.

What complements F2A to drive change?

To drive change effectively, it’s useful to understand the key principles of some broadly accepted thought leadership on organizational change. Kurt Lewin is widely considered the “father of change processes” and theorized that people maintain the status quo because of the coexistence of driving forces and restraining forces in a group. Driving forces advance a system toward change and must be increased; restraining forces impede change and must be decreased. Driving forces may include the desire to win over one’s boss, increase productivity, gain recognition, increase compensation or solve problems impacting the company. Restraining forces can include reluctance to modify process, fear of the unknown, overconfidence and doubt. To prepare a strategy for change, one must consider the factors likely to contribute to driving forces, and seek to quash the restraining forces.

Another useful area of research comes from Malcolm Knowles, well known for his contributions to Adult Learning Theory and the Theory of Andragogy. Adult Learning Theory stipulates that adults are self-directed and expect to take responsibility for decisions. Any learning program involving adults in the workplace must build upon this to be effective. Further, the principles of Andragogy propose that process can be more important than content in the design of learning, and must consider that 1. adults need to know why they need to learn something new, 2. they need to learn experientially, 3. adults approach learning as problem-solving, and 4. they learn best when the topic is of immediate value personally, professionally or both. These frameworks explain that adults need to be involved in the planning and evaluation of their instruction, and that their motivations are better shaped internally than externally.

Data Reinforcement

In data-driven organizations, action tends to come faster, because data meets less resistance than individuals do. People don’t always respond to the initiatives of individuals, but when those initiatives are backed with irrefutable data, they tend not to oppose them.

Let’s take a fictional SMB organization that has seen a few breaches in recent years, and two employees named Todd and Carol.

  • Todd is an IT assistant with little authority, a bit nerdy, and perhaps perceived as an idiot whom people in the organization don’t listen to. He wants to solve the problem, and knows that the behavior of some individuals creates risk.
  • Carol manages the Finance Department. She may be a great accountant, but she doesn’t know about technology risks and takes shortcuts.
  • Todd asks nicely, as often as he likes, for Carol to enable MFA on her own, but it doesn’t go anywhere. Not until he gets permission to enforce the use of MFA administratively, after presenting findings on how effectively it reduces unauthorized access.
  • Todd announces to all that MFA will now be required, and that nobody will be able to access key systems like the financial and accounting systems without it. Carol is furious and demands that Todd change it back; she can’t be bothered with keeping things safe. Her work is important!
  • Todd mentions to her that the data shows enforcing MFA on all systems dramatically reduces the incidence of credential-based unauthorized access that is costing the company thousands. Carol is red-faced and speechless.

Carol may blame Todd, but well-presented data is nameless, faceless, has no interpersonal history and is irrefutable. The more data on hand, the better. As you develop your ongoing approach to the delivery of positive cybersecurity behaviors, good data presented on an ongoing basis will be your friend. Behavioral analytics can help you reward your best people for quick adoption, as well as illuminate where F2A must be applied and to what degree. Data has a funny way of exposing your biggest violators, who are often your principal resistors.
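As an added example (not part of the original post), the “data” Todd brings to the table can be as simple as an MFA adoption report built from the user export of whatever identity provider or mail platform the company uses. The script below assumes a CSV export with the columns user, department, mfa_enrolled, last_sign_in and privileged (these column names are my assumption; real exports differ and will need mapping), works on a constructed sample rather than real data, and goes a step beyond a bare adoption percentage: it triages the unenrolled accounts so that active privileged accounts get enforced first and long-idle accounts are flagged for removal instead of a reminder.

```python
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed sample export (not real data). Column names are an assumption;
# map your own platform's export to these five fields before running it.
SAMPLE_EXPORT = """\
user,department,mfa_enrolled,last_sign_in,privileged
todd@example.com,IT,yes,2022-05-20,yes
carol@example.com,Finance,no,2022-05-24,no
dave@example.com,Finance,no,2022-05-23,yes
erin@example.com,Finance,yes,2022-05-22,no
frank@example.com,Sales,no,2022-01-05,no
gina@example.com,Sales,yes,2022-05-25,no
"""


def parse_export(text):
    """Parse the CSV export into a list of dicts with typed fields."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["mfa_enrolled"] = r["mfa_enrolled"].strip().lower() == "yes"
        r["privileged"] = r["privileged"].strip().lower() == "yes"
        r["last_sign_in"] = date.fromisoformat(r["last_sign_in"].strip())
    return rows


def adoption_by_department(rows):
    """Return {department: (enrolled, total)} so adoption can be shown per team."""
    counts = defaultdict(lambda: [0, 0])
    for r in rows:
        counts[r["department"]][1] += 1
        if r["mfa_enrolled"]:
            counts[r["department"]][0] += 1
    return {dept: tuple(v) for dept, v in counts.items()}


def triage_unenrolled(rows, as_of="2022-05-26", stale_days=30):
    """List accounts without MFA, each with the action it calls for.

    - enforce-now: active and privileged, the highest-value target for an attacker
    - enforce-by-deadline: active, unprivileged, gets the announced cut-over date
    - disable-or-remove: idle longer than stale_days; an unused account with no
      second factor is attack surface, not a training problem
    Results are sorted with the most urgent action first.
    """
    as_of = date.fromisoformat(as_of)
    findings = []
    for r in rows:
        if r["mfa_enrolled"]:
            continue
        idle_days = (as_of - r["last_sign_in"]).days
        if idle_days > stale_days:
            action = "disable-or-remove"
        elif r["privileged"]:
            action = "enforce-now"
        else:
            action = "enforce-by-deadline"
        findings.append((r["user"], r["department"], action))
    priority = {"enforce-now": 0, "enforce-by-deadline": 1, "disable-or-remove": 2}
    findings.sort(key=lambda f: (priority[f[2]], f[0]))
    return findings


if __name__ == "__main__":
    accounts = parse_export(SAMPLE_EXPORT)
    for dept, (enrolled, total) in sorted(adoption_by_department(accounts).items()):
        print(f"{dept:8s} {enrolled}/{total} enrolled ({100 * enrolled / total:.0f}%)")
    print()
    for user, dept, action in triage_unenrolled(accounts):
        print(f"{action:20s} {dept:8s} {user}")
```

Run against a fresh export weekly and the numbers speak for themselves: a per-department percentage is the nameless, faceless evidence described above, and the triage list tells you exactly where, and how hard, to apply F2A.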

Cybersecurity Action Plans

If you plan to deliver a successful rollout of MFA and/or additional cybersecurity controls to an organization that is not using them today, there will be learning involved. As a result, many steps precede the installation of the solutions that the Reddit MSP folks are complaining about. Because of what we know about delivering an effective learning program, we recommend that every leadership team take the time to come up with an action plan to get the fastest, most effective results. Any good vendor will help you with this, rather than complain after the fact about client resistance.

Conclusion

Your employees need to know that risks and costs are skyrocketing. You need their help to solve the problem, and you’re asking for their individual efforts to help solve it. You’ll need to proactively make this clear for the rollout to be fast and effective. Your people will need to understand the personal and professional benefits of participation, and to be seen as problem-solvers rather than as problems. Finally, you’ll need to use data to gradually understand the frequency and degree of F2A required to address your problematic employees.
