This is a good article on the need to develop the right workplace culture. It highlights an example of SingHealth cyberattack and the issues raised during the public hearing…
It is the human element that makes everything work (or not). It’s a crucial point with the advent of tech.
WE have all been there. That sensation when your body is present in the office, but your heart and mind have left the building a long time ago.
Whatever it is, you have stopped feeling curious. You have stopped exploring and caring. You keep your head down as even the most exciting projects that once drove you now fill you with dread.
When your default mode at work is to just get through each day, it is safe to say that you are just not that into your job anymore. I think I can speak on behalf of all salaried workers out there that it happens. But it’s not okay to stay that way.
The recent SingHealth cyberattack debacle – known as the most serious data breach of Singapore’s public data to date – is a prime example of what could go terribly wrong when workers check out.
Some 1.5 million patients’ non-medical personal data was stolen. Among those affected were Prime Minister Lee Hsien Loong and various ministers.
In a public hearing on the incident, a senior manager from SingHealth’s technology vendor Integrated Health Information Systems (IHiS) avoided reporting the incident to senior management as he did not want to deal with the pressure and the additional work involved. He also did not think it was his job to raise the alarm.
“I thought to myself: ‘If I report the matter, what do I get? If I report the matter, I will simply get more people chasing me for more updates. If they are chasing me for more updates, I need to be able to get more information to provide them’,” he had said in a statement, to much vilification by the public.
“Once we escalate to management, there will be no day no night,” said the same manager in an internal chat message.
It is easy to blame a disengaged employee when things head south. But in my opinion, it is not just a matter of a judgment lapse of an individual or a lack of clarity in protocols. It seems that a lack of communication, leadership that might be not in touch with what is happening on the ground, and an overall flawed workplace culture have certainly contributed to the entire fiasco.
There are several lessons that one could take away from the SingHealth saga. The middle manager feared more “updates” and pressure when serious issues are encountered at work, resulting in his withholding vital information instead of communicating to upper management directly when suspicious activity was first flagged.
Lack of Communication
This already shows a lack of communication between those on top and those at the frontline. There was also possibly a worry on his part that the issue was not as serious as it seemed and hence the reluctance to involve top executives unnecessarily.
However, SingHealth’s group chief information officer Benedict Tan, who is employed by IHiS, claimed that the manager’s fears were unwarranted.
According to him, management would provide “additional resources” to assist in resolving the situation: “I do not think that people will have to go about it alone,” he had said in his testimony before the Committee of Inquiry (COI).
Another key person dealing with technology risk in IHiS also told the COI that there would be “no consequence” if a false alarm was raised to upper management. Apparently, this message did not seem to have filtered down to the team. In many workplaces, what was assumed to be understood by leaders is more often than not misinterpreted by staff, especially when there is a lack of trust between the parties. A workplace culture where employees worry that management will not back them up in trying times or think that higher-ups are just concerned with covering their behinds is, unfortunately, getting more common these days.
Workplace culture is not about what leaders say, but what they do.
Issues that were not addressed included the “updates” to upper management, which were assumed to be onerous since the manager had feared them. While reports to senior executives are required, were there steps taken to ensure that staff could do so in a timely manner without overloading themselves with paperwork? Or was this a barrier that was never raised? Again, this boiled down to a lack of communication and mutual understanding.
While strict protocols to follow would help, no amount of “do’s and don’ts” will make up for a trust gap.
Another issue that was flagged in reports was that the manager in question was actually on holiday in June when suspicious network activity was first detected. In his absence, it appeared that no one actually covered his duties and the subordinates did not report the issue to any other superior.
I found this especially troubling as it demonstrated the problems with such a hierarchical structure that resulted in a bottleneck when one level of the organisation failed to move. Such a critical matter seemed to hang in the balance of just one man.
In many organisations, we have gotten so accustomed to endless red tape and levels of bureaucratic clearance that time-sensitive issues can get stuck for the longest time. It’s no wonder that many workers try to avoid having to make requests or escalate issues altogether.
Another inference from the above was the manager was likely to be bogged down with work. It was also mentioned that the mother of the manager in question was hospitalised right before the data breach was announced as well, which could have put him under pressure.
While that is no excuse, leaders need to be on the lookout for employees under strain or disengaged from work. Many managers don’t make such an effort to watch for warning signs. Instead, they sit in ivory towers and are the quickest at distancing themselves from screw-ups when they eventually do happen instead of reflecting on how they could have played a role in avoiding them.
There are many sides to the story. It could simply be a case of an employee with a bad attitude, or an overwhelmed worker who felt trapped in a desperate situation. To be clear, I am neither defending this manager, nor am I accusing the management for being responsible for this entire episode. All I hope to do is show that workplace culture and engagement may seem like fluffy intangibles, but they matter a great deal. Employers that neglect them do so at their own peril.
Of course, in hindsight, vision is always 20/20. But in the light of the recent conclusion of the Singapore Fintech Festival and the city-state’s ambitions to be a Smart Nation, it becomes ever more salient that, no matter how high-tech we get, we cannot neglect the human element that makes everything work.