Roz and Milly Harding on turning your biggest weakness into your greatest asset

Roz, our CEO, and Milly, Founder of Milly Harding HR Consultancy, caught up on Zoom to discuss the role of the employee in our fight against cyber crime.

Roz: We’re talking about the difficulties of being able to help your staff stay cyber secure when they’re working at home. So obviously there’s the technology, and there’s people and the processes, and as much as we put things in place to try and help our staff to understand the rules for what they actually do when they’re at home, it’s sometimes quite different.

So as an HR professional from the other side of it, how would you go about trying to get them to follow the rules, as it were? What would you put in place to try and encourage people to do that?

Milly: Good question. So, I think you can have all the policies and procedures under the sun. You can have a handbook full of information. You can do all the monitoring you like and have the software that will, of course, help in a way, but unless you can get your employees to really engage with the whole concept of security, it’s just not going to go anywhere.

So, it’s making it fun – making it bite-size – so they can understand what we’re trying to achieve, rather than death by information. I think fine, have that information somewhere there to read up on, but it’s refresher training, it’s finding quick ways to get it into their mind – whether that’s a quiz, or just in your weekly update, a small reminder of something new.

Maybe make it relevant to something in the actual workplace, or something in the news that people have heard about so they can actually see why it has an impact. I think that’s probably a really good way to start. I don’t know, any ways of doing bite-size training for people and making it a bit easier.

Roz: Yes certainly, that’s the best approach isn’t it? Just when people have got too much to do, it just becomes another thing on top of everything else they’re just trying to struggle with when they’re working remotely.

What about culture? Do you think you can try and encourage the culture of people thinking about operating in a secure way?

Milly: I think it’s an enabler, the culture. I think it’s got to be led from the top. I think we all have errors, we all make mistakes, and rather than them being penalised or people being really scared about talking about them, it’s making sure we learn from them, that they’re accepted and that you can stand up and go I mucked up, I did something wrong and there’s going to be somebody there who’s not going to blame you for that, they’re going to say okay. That’s alright. Show me what happened and we’ll learn from it. And that culture really has to come from the top.

So it’s best when – you know, directors make mistakes, and if they will stand there in front of their team and say ‘I mucked up’, it gives everybody else the confidence to know that they can stand up too and go ‘yeah, I did something a bit silly and I need somebody to help’.

Because we don’t employ everybody being a security expert. You employ marketing people, salespeople, as well as your finance people. They can’t all know everything and so you really need to make it so that people feel that they can admit to when they’ve done something wrong.

But I think you can even take it a step further. You go all the way to your recruitment phases and start from that point in terms of people’s morals, their integrity. And you find people that match what your business values are. Whenever you align people’s values – whether it’s employees’ or the employers’ – when you bring them together and you’re all swimming in the right direction, it’s going to make a much more harmonious workplace for everybody. As opposed to people coming at it from different ways, getting conflict about how we should approach things.

And I think if you treat everybody with that amount of respect, it goes all the way to the end of the journey, when you’ve got people resigning – whether that’s just because they’ve got a different opportunity or they’re disgruntled over something – if they’ve all gone through the same cultural belief and are all aligned in their ways of thinking, you’re far less likely to get those employees who perhaps are your insider threat when it comes to your data and private information.

Roz: So potentially now we’re going to have people that are going to, unfortunately, be unable to continue in their current positions. They might be feeling quite unhappy about it, and I think this is going to be a really tricky time for companies. They’re making sure they’re securing data that’s potentially being stored on people’s own devices as a sort of a back-up plan for if they have to find another role somewhere else, and that data could have value to a future employer.

Obviously there are technical things we can put in place to try and prevent that, but it’s quite tricky for people who are working remotely. So from an HR point of view, what do we put in place early to try and prepare for that sort of thing potentially happening?

Milly: Yes I think that’s a really good point, and probably a bit of a blind spot now for a lot, to be honest. They’ve always talked about what do you do when somebody leaves the business and you can take their laptop and you can take their mobile phone from them there and then when they’re in the office and you’ve lost this ability now. We’re in a situation where people are at home and sadly, like you say, at the end of this sort of furlough period. You could be a bit more disgruntled and this is what I getting it right from the start. It really helps because you’ll get those people who just know that’s morally wrong and they’re not going to do that and you’ve got through this process with them with, you know, clear communication.

They understand what’s happening. It’s nothing personal you know, it’s business and you’ve managed them through that and their expectations the whole way through. They’re far less likely to get disgruntled at the end and maybe take a course of action that nobody wants.

But at the end of the day it is tricky, if people are going to take information it’s very hard to know if they will or how to stop them when they’re under the eye of everyone on the site. And I think that’s where it comes down to really truly building up those relationships with your staff, so they’re more trustworthy, and perhaps making it clearer in your contracts or your policies, to say that this is what’s acceptable. This is what’s not acceptable. And updating it for a far more working from home environment so people understand what is considered to be company data, and things you’re not meant to take with you.

You know, apparently it’s up to 50% of employees that nick data, and 25% of those go on to say they’d sell it to a third party if they were asked to. And I think you need to go a long way to communicate and explain to people what is expected for what’s known as sensitive company data, and keeping it at the forefront of their minds even with your line managers. You know, train them to be a bit more vigilant. What to look out for. It’s also spotting the signs earlier of an unhappy employee, and I think a lot of training can go in there with line managers to sort of help them identify and give them someone to talk to if they do identify, if they think they can see somebody’s not quite happy. Make sure that the channels are there for them to stand up and say something to somebody confidentially.

Roz: Do you think exit interviews can help?

Milly: I think they can, I think there is a place for an exit interview. I mean I much prefer stay surveys. I want to know why people are looking to stay. What is it about here that you love? If you were to leave what is it that would be the push factors? What would be the reasons that are pulling you away, maybe. It’s so that you understand. And it’s making sure that you keep that information and use it.

A lot of people will do an exit survey and it’s a tick in a box, and away that information goes, but what you should be doing is using that to reflect and using it to measure… Look to see whether or not there’s any patterns. Anything reoccurring. Are people there because of the benefits, or a particular competitor doing something? And then use that as an opportunity to change what you do to stop so many people looking to leave, and just making sure that you are offering the right amount to people so you know that you attract the right people. Because when you become an employer of choice, you’re far more likely to get this sort of candidates and employees that you want and respect and will, as you say, continue your message, your way of belief and your way of conducting your business.

Roz: There’s another issue around people that have potentially come back into the office, have just started to settle back into that environment, and now they’re being advised to work from home if they can. Then they’ve got this new “oh now I’ve got to go and reset up everything again”, and you know that this has much more potential for things to maybe slip now, because they’ve got a part working in the office, a part working at home and now they’re wondering if they should be working at home all the time.

And I think there’s a lot of confusion for employees, so it’s a time where potentially we are going to have more data disappearing and being lost in funny places, because we’re just going backwards again really.

Milly: Yeah. I think you’re right and everybody, as I’ve said before, you employ people because they’re marketing people or finance people – not because they’re IT people. And people have bad habits of saving things on their desktops and so on and it’s really tricky to keep hold of things. And I think that’s where a bigger piece of communication can come from the company. It could be the right time to be investing in a better solution such as a OneDrive or SharePoint, so that regardless of where you are, you continue with the same piece of work wherever you left off.

It’s saved in a safe, you know, a virtual environment where it doesn’t matter that you’re trying to store it locally, and it’s teaching people why

It tends to be when somebody’s laptop dies and gets that nice blue screen or black screen of death that they go “it’s on my desktop” and they learn the hard way.

So it’s making sure that before anything like that happens, we explain to them why we have all these different ways and methods to store all our data securely, or so that we don’t end up like the government and putting it on an Excel spreadsheet.

Roz: Yes, absolutely and being able to track where everything is and being able to back it up, which I think is the key thing really, isn’t it? So if you don’t know where it is then you can’t protect it and you can’t back it up or look after it, because you just don’t really know that it’s there.

So I think people understanding that it’s data that belongs to the company, and it’s the company’s responsibility to protect it and they’re part of that system is really helping the company to do that being an enabler for it.

Milly: And I think it’s really easy to forget if you’re a tech-savvy person that not everyone understands it. It’s easy to think of course you would know to put it there.

And so sometimes you’ve just got to understand who your target audience are, what their level of understanding is. And really maybe take it back to a level that they understand and go from there.

Just get their base point, work out what it is. Just work up from there to the point where we’ll be happy as a company.

Roz: Yeah, people aren’t starting at the beginning now, are they? They’re starting with employees and they haven’t thought about this until suddenly they’re trusting them all to work from home, where before that they weren’t allowing them to work from home – they weren’t allowed out of sight.

Milly: It’s all knee-jerk panic. What do we do now sort of thing, which shows the difference in sort of maturity of different businesses. Some that are already set up to breeze this, and then there’s the others who are all of a sudden running around like headless chickens going ‘what do we do now?’. And it’s those ones that are going to need the most help.

It’s their employees who are going to need support and you can’t then just blame the employees if they get it wrong, because they’ve never been given any guidance.

They don’t know what they’re meant to be doing and what not to be doing. So it’s not their fault. If something particularly happens. It’s just as much the fault of the employer as well for not you know, thinking this through in advance.

Roz: Yeah, definitely and I think that we’ve moved from some instances where the employer hasn’t really trusted their employees before. And suddenly now they are, they’re going to have to do it and there’s a whole new environment that they’re trying to manage, and certainly I’ve seen some organisations that have never allowed their staff to work from home, have taken a register every morning expecting them at their desk and you know, expect them to finish and take their one hour lunch break. And suddenly now they say no, you’re fine, you can work at home. And actually we won’t rent out the office because we don’t need it anymore.

And it’s so different for an employee that’s been used to being managed very precisely, but now they’ve got to manage their own day and you have to manage everything

Milly: Absolutely, and I’ve had so many employers who have been anti working from home. They absolutely hated it. And this has forced it on them and they’ve done a complete 360. You know, I used to say to them why do you employ these people if you don’t trust them?

You know, they are here for a particular reason. If you can’t trust them to do their job effectively, you shouldn’t have them here. You know, and a lot of people would single out, or everyone would be targeted, because of a few employees that they maybe had in the back of their mind that would maybe take advantage of it. And so everybody got penalised.

This has made everybody have to do it, and now all of those employees who have been as you say, sort of schooled in terms of check in check out here’s the register, and this is when you should be at your desk or not, all of a sudden are feeling quite confused. And a lot of them are working much harder than they have ever before because it’s that presenteeism.

If you miss a phone call, if you know, if you’re not there, people are assuming, people are going ‘where the hell are they?’

They must be watching telly they must have gone out, which is just not the case.

You know, if you were in a meeting, or you were in your room and you were on the phone and another employee walked past you would just see they’re on the phone and you’d come back later.

And so I’ve had to do quite a lot with some of the younger members of staff, to train them to say it’s okay to miss a phone call. It’s okay for you to still go and have a break, and you do not need to be at beck and call the moment your Teams starts ringing. We understand.

And that’s where making sure you use software or the program correctly where you have the ability to say I’m on a phone call. I’m busy right now. I’m away. Using all of those things correctly will help people not need to feel that stress and that burn out without having to be tied and chained to their desk.