Awareness: The Best Insurance Policy

Awareness is the best insurance policy. It saves costs by saving lives. It is as important to the fate of the insurance industry as it is to the fate of the entire nation. The awareness I refer to comes from recognizing the risks we face and the ways we can solve them, starting with the one thing that is both portable and invaluable: education.

The more educated a person is, in terms of his or her ability to perform a life-saving procedure such as CPR, the safer everyone will be. Put another way, the education of one translates into economic rewards for many—from fewer hospitalizations and lower medical fees to more affordable health insurance and better options in general. Or: Sometimes, the most practical skills are the most profitable.

CPR is such a skill, which not only saves lives but strengthens communities. For those communities most in need of help, where first responders are too far away to be the first ones on the scene, the person who knows CPR is the man or woman who can save a life.

Compare that scenario with the alternative, where an ambulance belatedly arrives and the patient hovers between life and death. Picture that patient in a hospital, unable to breathe without a ventilator and unresponsive to the simplest gestures. Whether that patient is rich or poor is no matter, not when the richness of life itself vanishes and medical bills are a matter for insurers to pay or to decline to cover altogether.

If insurers want to avoid that scenario, they should invest in what works. They should support organizations whose mission is to save lives by teaching life-saving techniques.

According to Mackenzie Thompson of National Health Care Provider Solutions (NHCPS): “Interest in learning how to perform CPR is a global initiative. From Africa to the Americas, every village or township needs to be empowered with life-saving knowledge. In fact, more people from the U.S. access our online certification courses on CPR than any other nation. If saving lives saves insurers money, all the better.”

I agree with that statement, as it is neither too complex to achieve nor too controversial to accomplish. In other words, teaching CPR does not involve creating or maintaining huge bureaucracies. It does not involve legislation that divides the public or strains people’s finances. It does not take too much time to practice or too many practitioners to attract supporters.

Do not underestimate, also, the power of goodwill. Which is to say the insurance industry has everything to gain—and nothing to lose—by popularizing what is good for its beneficiaries and a benefit to itself: life.

The healthier people are, the less costly it is (or should be) to insure them. The happier they will then be, too, because they are alive and well.

If insurers want to see the ROI on CPR, they should look to the individuals who owe their lives to this procedure.

They should look to promote CPR in every county, city and state.

They should look at themselves as champions of change.

Security Training Gets Much-Needed Reboot

Using innovative strategies, some companies may be erasing employee security training’s reputation for ineffectiveness.

Security training “got a bad rap, because it was so bad,” says Steve Conrad, the founder and managing director of MediaPro, a Bothell, Wash.-based security awareness training company with such clients as Microsoft, Yahoo and Adobe.

Old training methods “usually consisted of slide presentations — or their online equivalent — that were super dull and could last an hour or two,” he says. “Employees were expected to sit through this, either at their desks or in a group and come away with knowledge gained. And that was it. Awareness training was once and done, and it just didn’t work.”

Stu Sjouwerman, founder and CEO of KnowBe4, a security awareness training company founded in 2010 and based in Clearwater, Fla., says “old-school security training” often stems from “classical break-room sessions where employees are kept awake with coffee and doughnuts and exposed to death by PowerPoint.”

Those days are over, according to officials of the two companies.

MediaPro — which was founded in 1992 and has focused on security awareness training programs as a product since 2003 — says it’s an e-learning company that bases its training on proven adult learning principles, providing educational content in a way that learners remember.

“This concept extends beyond the training courses themselves,” Conrad says, “to our focus on consistent reinforcement of key learning principles through extracurricular content such as games, videos and posters, as well as phishing simulation exercises.”

Phishing exercises help change behavior

KnowBe4, Sjouwerman says, sends frequent simulated phishing attacks to train employees “to stay on their toes.”

Both companies believe that employees’ most common security mistake is falling for an email phishing scam.

“Bad guys have come up with all sorts of creative ways to convince employees to click on a link or send sensitive information via a spoofed (sender) address,” he says.

Clicking on a link in a suspicious email and opening an infected attachment can be avoided, Sjouwerman says, “by recognizing red flags.” Red flags include receiving an email from a suspicious domain or address you don’t ordinarily communicate with, or one sent at an unusual time, such as 3 a.m.

No company is immune to such scams, Conrad says, “but simulated phishing campaigns aimed at an organization’s employees teamed with comprehensive cybersecurity education can go a long way toward changing risky employee behavior.”

Technical safeguards against phishing scams exist, “but no organization should rely on those alone,” he says. “Social engineering — the basis of phishing scams — is such an effective way into the sensitive data of an organization because it completely bypasses these technical safeguards and goes after what is most companies’ weakest link: the human.”

Workers’ weak spot

Why do employees engage in risky behaviors when cybersecurity threats are so abundant?

“It’s likely a combination of being busy and being exposed to so many technological sources of distraction on a daily basis,” Conrad says.

Sjouwerman mentions another reason: “No one ever took the time to enlighten them about the clear and present danger that risky behavior can really cause, especially in an office environment.”

A 2016 study by PhishMe, a Virginia-based phishing threat management company, found that 91% of cyber attacks — and the resulting data breaches — begin with a spear-phishing email.

Another study done last year by LastPass, a Virginia-based password management service, found that 91% of respondents know it’s risky to reuse passwords for multiple online sites, but 61% do it anyway. The study also found that the No. 1 reason respondents changed their password was because they forgot it, and only 29% changed it for security reasons.

Employees’ risky behaviors have triggered an increasing number of companies to provide better security training.

“I think this is a really exciting time in the market. Huge numbers of companies are committing to doing real education, and we’re seeing exciting innovations in the variety of content that is available,” Conrad says. “I like to think that the age of boring people about security is over and we’re entering an era where people are going to be motivated and engaged by education around these issues.”

Repetition is key

Employee training, Conrad says, needs to be more frequent than an annual affair.

“Learners need to hear something more than once for it to stick — just ask any ad executive or marketing jingle writer,” he says. “Think about what makes up an advertising campaign: a series of messages that share a single idea or theme, transmitted via different media channels on a regular basis, for an extended period of time — with the singular goal of influencing consumer behavior.

“A great security awareness initiative should look like a great advertising campaign. Repeated, consistent messages delivered throughout the month, quarter or year — whatever cadence is appropriate for a given organization.”

This post originally appeared on ThirdCertainty. It was written by Gary Stoller.

3 Main Mistakes in Change Management

In my last blog, my engineer self admitted that the root causes for why core systems replacement projects don’t hit the mark in the business case are more likely related to people, not the technology. I stated that the business only changes when individual contributors each do their jobs differently.

Now let’s take a more detailed look.

There are many models out there that provide a framework for understanding change. One that we use frequently at Wipfli is the Prosci model, which is focused on understanding change at the individual level. Boiling it down to its simplest form, this model says the change must progress for each individual from awareness to desire to knowledge to ability to reinforcement.

Understanding that, Mistake #1 to avoid is measuring the need for change management based on executives’ paths, not their people’s. The executives responsible for the program and ultimately for the change management strategy, approach and investment are by definition the leaders furthest down their own change paths. That is, they are, in all probability, way beyond the awareness and desire stages. (Hint, hint: That’s why this core systems project is underway). And, not uncommonly, because of where they are, they may not understand the need to make a significant investment in change management.

Once you embrace the need for change management, there is an array of tools and techniques at your disposal. These include communications, sponsorship, coaching, training and resistance management. Mistake #2 to avoid is loading everything into communications as a one-and-done approach. In fact, I would guess that when most of us hear the term change management, we immediately think of communication. That’s good because change starts with awareness. But did you know that it takes something like five to seven communications for a message to be truly heard and understood by all? Remember that perfect project kickoff email you sent last week that summarized everything perfectly? Yeah – maybe 20% of your audience remembers it today. So communication must be multiple messages using multiple channels coming from multiple stakeholders.

Multiple studies over the years have reaffirmed the significant correlation between a project’s success and change management’s impact and, more specifically, the importance of the project sponsor’s role in both. Succinctly, the earlier the project sponsor is engaged in the project and the earlier the project sponsor embraces change management, the better the chance for success.

Mistake #3 concerns the project sponsor and her change management role. Just because you have a smart and engaged leader as your sponsor, don’t assume she knows what’s supposed to be done every week in a transformational core systems project if she hasn’t played that role before. For example, does the project sponsor know to build a coalition among the key managers and supervisors whom the affected employees will most want to hear from? At the end of the day, the employee will turn to his immediate boss and not the project sponsor to really get the WIIFM (what’s-in-it-for-me).

You get the idea. As much as agile project management and delivery approaches and methodologies have been embraced, used and hardened over the past 10 years, we need to do the same for change management.