As U.S. office workers and employers weigh the pros and cons of returning to co-located workspaces, tough trade-offs emerge. Many people have grown so comfortable with remote work that they now expect greater flexibility from their employers, and some would rather quit than set foot in an office ever again. In this context, employers who insist that their workers return to the office are often portrayed as controlling retrogrades clinging to top-down management methods. What gets obscured by these arguments are the perfectly valid concerns certain employers have about keeping people close — and not least among them is cybersecurity.
All organizations are vulnerable
Just in the last few months, we’ve seen cyberattacks of unprecedented scale and audacity. The attack on information technology firm SolarWinds went undiscovered for months and led to security breaches in the U.S. government. A short while later, Colonial Pipeline paid a steep ransom of millions of dollars in Bitcoin to be able to resume operations after a week-long shutdown of service. In fact, the group behind the attack is back in the news under a new name, targeting companies with revenue of $100 million and more. Ironically perhaps, some of the same tools that enabled so many knowledge workers to be highly productive at home during the pandemic suffered cyberattacks, like Zoom in April of last year, which exposed hundreds of thousands of customers’ private information.
What these attacks demonstrate is that no one is safe — not governments, not utilities, and not even tech companies. What can be done? It’s plausible that widespread remote work may have weakened cybersecurity defenses, but cybercrime didn’t start last year and is unlikely to stop anytime soon. Moreover, as more and more organizations embrace digital transformation, everyday operations need ever increasing protection, and everyone, regardless of department or job function or level of responsibility, needs to understand the vital importance of cybersecurity in their organization’s success.
It’s everyone’s business, not just IT’s
About a year ago, as many of us were coming to terms with working remotely for the foreseeable future, my MIT Sloan colleague Dr. Keri Pearlson led a highly informative webinar where she shared simple but effective cybersecurity strategies that employ common sense and awareness as much as the latest advances in cybersecurity technology. Pearlson is the Executive Director of the research consortium Cybersecurity at MIT Sloan (CAMS), an interdisciplinary group of faculty and researchers at MIT Sloan who focus on cyberspace, cybercrime, and cybersecurity applied to critical infrastructure.
There are two types of organizations, she said: those that know they’ve been attacked and those who do not yet know they’ve been attacked. To me, that sounded like a grim update on the idea that, for any sizable organization, a cyberattack is not a matter of “if” but of “when.” In other words, mitigating cybercrime is an ongoing part of business operations and cyber vigilance should be on every employee’s mind, not just IT’s. This is a radically different approach to cybersecurity and requires thinking about it not only as a technical issue but also as a human and organizational one. From sending fraudulent emails and corrupt files to social engineering (impersonating actual people in your organization, for example), cybercriminals escalate their methods as quickly as IT departments devise their defenses. It’s an arms race!
A culture of cybersecurity is your secret weapon
In management circles, there is a lot of talk about organizational culture: the attributes it should have, the role it plays, what it means on a daily basis. One could argue that a strong and cohesive organizational culture can make a tangible difference in keeping everyone cybersafe. “We know it’s the culture, values, attitudes, beliefs of the organization that drive the behaviors,” Pearlson says. “If you think cybersecurity is important, then you’re more likely to take cyber secure options. If your manager takes time to share the latest breaches they saw or heard about or fake websites, it’s going to raise not only your awareness but the priority and importance of that kind of topic in your mind.”
Wondering how to enshrine the importance of cybersecurity in your organizational culture? To business leaders, Pearlson suggests starting by modeling good behavior: “You want to model the culture, values, attitudes, beliefs you want from those around you. You want to make heroes of the people that do things to protect you. You want them to make it a priority. If it’s one of yours, it will be theirs also.”
She encourages everyone to share knowledge and any issues or concerns that colleagues may have about cybersecurity. “You may want to talk about what you see in the news. You may want to share that you participated in a cybersecurity education webinar. Getting things out in the light is really important. The bad guys thrive on the fear, uncertainty, and doubt, and the chaos that’s going on right now. Of course, this pandemic has all of that. So bring issues out in the open and discuss them. That will not only help you figure out how to manage them yourselves, but it will show how important it is to the people around you.”
Come back stronger
Many leaders might be thinking that their organizations will go back to “before” as the pandemic recedes, but I hope that most understand that things have changed — and not only for the office workers. Advanced manufacturing, for example, has grown steadily more automated over the years. The Internet of Things, both industrial and household, presents another area vulnerable to cyber meddling. The processes involved in running automated systems are highly complex, which makes keeping the operations secure even more challenging. Groups like the Internet of Things Talent Consortium (IoTTC), a non-profit community of human talent experts and practitioners of which MIT Sloan Executive Education is a founding member, are working to support organizations in training and educating a workforce skilled in and confident with IoT.
In some ways, a transitional time like now gives business leaders a great opportunity to set a new course for their operations, and those who prioritize cybersecurity are more likely to see their organizations thrive regardless of whether their workforce is fully remote or co-located or somewhere in between. It takes a sustained effort to get everyone on board, which starts with dispelling the idea that cybercrime is something completely out of the control of a non-technical person.
As Pearlson pointed out, humans can be the weakest link in an organization’s cyberdefense, but they can also be its strongest defenders, if given the tools of information, education, and communication. The more confident we are in understanding the adversary, the more control we have over our safety.
Peter Hirst is Senior Associate Dean of Executive Education at MIT. He has over 20 years of experience in international strategy, technology consulting, and organizational leadership and development.