Multi-Factor Authorization: Organizational Change Management

Overview
Our client, a global professional services firm, needed to address a pressing problem with phishing scams targeting its employees. One critical component of this effort was implementing multi-factor authorization for employee logins to company systems. The project was urgent and high-profile within the organization, due not only to the security concerns but also to the fact that our client had experienced a prior, failed attempt to implement multi-factor authorization.

Our client requested our assistance to ensure both technological success and effective organizational change.

Impact
Although multi-factor authorization (MFA) is becoming increasingly familiar to users, including in personal use such as for bank accounts, its implementation in a corporate setting can become a flashpoint of aggravation. In a bring-your-own-device (BYOD) environment such as our client’s, some employees’ phones and tablets are likely to be too old to support the MFA tools needed for the device to serve as a second point of identity confirmation. For those whose devices are able to accommodate the security tools (typically most newer smartphones), the process still involves a new, second step in authorization that employees may perceive as a hassle that slows them down.

Therefore, organizational change depends on effectively “selling” the need for MFA throughout the organization and making its adoption as painless as possible, while holding firm that devices unable to meet standards will not be accommodated.

Process
We worked closely with our client’s in-house organizational change management (OCM) and IT teams to plan and execute change. We also needed to ensure effective coordination from our client’s external IT infrastructure and support provider. Throughout the entire process, the project benefited from the intense focus given to it by top executives in the organization. Projects that disrupt users, such as MFA implementations, can sometimes struggle due to insufficient backing by internal champions throughout the business. Given the prominence of the security issues needing resolution, that was no problem here.

Communication and Training
Given the urgency of the security need, both communication and training began in parallel with the technical implementation rather than waiting until after the systems were fully in place. We helped our client’s internal team prepare clear user communication and establish a training plan.

Communication channels included email and prominent information-sharing on an intranet site, which provided “quick start cards” and cheat-sheet reference guides. All materials pointed users toward a single point of contact to emphasize that help was available.

Our client’s internal IT and OCM teams handled the actual training and, for executives, conducted in-person office visits to set up MFA on those executives’ devices.

We participated in training our client’s in-house IT service desk and in reviewing the escalation plans by which any issues unresolvable internally would be referred out to the third-party provider.

Conclusion
Security projects can be a headache when they demand changes in user behavior. Sometimes, resistance is so high that projects fail. Giving close attention to OCM needs early in the process helps ensure success. In this high-visibility, high-pressure situation, we were proud to achieve that success by working collaboratively with our client’s internal teams.
Organization

Professional Services Firm
