Lessons from the U.S. military on thwarting cyberattacks


The U.S. Department of Defense has found that most successful cyberattacks are made possible by poor human performance. Consider, for instance, the recent breach of the unclassified email system used by employees of the Joint Chiefs of Staff in the Pentagon, which was reportedly achieved through a spear-phishing email. Indeed, most organizations place too little emphasis on changing behavior and too much on technical safeguards.

The U.S. military is strengthening its cybersecurity by applying the methods used by the Navy’s nuclear-propulsion program, whose safety record is second to none. These include a robust program of training, reporting and inspections, as well as six operational excellence principles:

Integrity, a deeply internalized ideal that leads people, without exception, to eliminate deliberate departures from protocol and own up immediately to mistakes.

Depth of knowledge, or a thorough understanding of all aspects of a system, so people will more readily recognize when something is wrong and will handle any anomaly more effectively.

Procedural compliance, which entails requiring workers to know – or know where to find – proper operational procedures and to follow them to the letter. They’re also expected to recognize when a situation has eclipsed existing written procedures and new ones are called for.

Forceful backup, which means, among other things, having two people, not just one, perform any action that poses a high risk to the system and empowering every member of the crew to stop a process when a problem arises.

A questioning attitude, which can be instilled by training people to listen to their internal alarm bells, search for the causes and then take corrective action.

Formality in communication, which means communicating in a prescribed manner to minimize the possibility that instructions are given or received incorrectly at critical moments (e.g., by mandating that those giving instructions state them clearly, and the recipients repeat them back verbatim).

The entire U.S. military is gradually embracing these methods to bolster cybersecurity, and business leaders would do well to follow that example. Technological safeguards alone will not make a company safe.

(James A. (Sandy) Winnefeld Jr. was the ninth vice chairman of the U.S. Joint Chiefs of Staff and an admiral in the U.S. Navy until August 2015, when he retired.)
