What happens when you do, and you don’t have psychological safety in the workplace

Psychological safety plays a huge role in any workplace. With it, organisations can benefit from higher employee engagement. Without it, disengagement follows, and the fallout from this can cost businesses thousands, if not millions, over time through increased risk.

In this post, we look at two case studies considering the potential effects of psychological safety in the workplace.

What is workplace psychological safety? 

While Peter Drucker claimed that, “Culture eats strategy for breakfast,” in the workplace, it’s far more complex than that. Workplace psychological safety plays a significant role in enabling a healthy culture. Without it, culture suffers to the detriment of employees and the organisation. 

So, what is psychological safety in the workplace? Timothy R. Clark describes it as having four stages:

“Psychological Safety is a condition in which you feel (1) included, (2) safe to learn, (3) safe to contribute, and (4) safe to challenge the status quo—all without fear of being embarrassed, marginalized, or punished in some way.”

Source: The 4 Stages of Psychological Safety by Timothy R. Clark, p. 2.

In the cases of VTech and Cloudflare, which we’ll look at later in this post, you’ll see that the absence or presence of psychological safety can have an enormous impact on risk. 

But what do each of the above stages mean for employees? 

Inclusion safety 

Leaders help individuals and teams feel included but encourage them to do the same with each other and the wider business. 

Learner safety 

Leaders create an environment that encourages learning, acceptance of failure, and the exchange of knowledge, giving people the time and space to learn. 

Contributor safety 

Leaders enable people to bring their ideas to the table and, if they are showing competence and ability to deliver, give them the means and space to work without fear of micromanagement. 

Challenger safety 

Leaders make it acceptable for people to say what they see, but they also need to “protect the team’s right to speak up” when someone tries to stop them. 

Source: The 4 Stages of Psychological Safety by Timothy R. Clark, pp. 39, 62, 92, 121. 

So, how can psychological safety affect outcomes for organisations? 

Case study: VTech 

Database hack exposed the personal information of 200,000 children 

In 2015, a security researcher found a hacking community interested in VTech’s Innotab tablet for kids. VTech is known for making electronic toys for children, with products across tablets and other interactive devices. 

Taking a look 

Curious, the researcher decided to poke at the various online features tied to the device. He uncovered more than he’d bargained for when he breached VTech’s web and database servers using a well-known vulnerability. 

He easily gained “root access”, which meant he had “access with full authorization or control”. With this level of access, he could obtain the personal information of five million adults and 200,000 children. 

The access made it trivial to combine information about adults with their children, revealing where these kids lived. Information accessed also included photos and videos of children. 

What happened next? 

Like many hackers, the security researcher didn’t believe VTech would take his breach and evidence seriously without public scrutiny. 

The security researcher went public with help from tech journalist Lorenzo Franceschi-Bicchierai who had the claims verified by Troy Hunt (creator of Have I Been Pwned). Hunt and Franceschi-Bicchierai also confirmed that VTech had not secured the data enough, as the toy maker had used easily broken encryption techniques. 

After the breach was revealed, VTech temporarily suspended trading on the Hong Kong stock exchange. 

VTech was fined $650,000 in 2018 after a joint investigation by the US Federal Trade Commission and the Privacy Commissioner for Canada because it broke child data protection laws. 

Would psychological safety have helped? 

Little is known about the working culture inside of VTech aside from things like their Glassdoor reviews. In the years since the breach, nothing has become known about how such poor security practices came to be used in the first place. 

And yet, in a workplace where easily prevented security issues were allowed, software developers (in-house or outsourced) likely did not feel the degree of contributor safety necessary to go out of their way to promote best practices. Or the challenger safety needed to speak up about the flaws being embedded. Or worse, they had not been encouraged to have the learner safety necessary to keep up to date with security issues and preventative measures. 

All this added to the risk that someone would one day breach their systems. 

Case study: Cloudflare 

Attempted security breach thwarted 

In the summer of 2022, Cloudflare, one of the world’s largest content delivery networks and DDoS mitigation companies, was hit by a phishing attack. Cloudflare was one of many organisations caught in the sights of the attacker.  

In the case of Cloudflare, an attacker sent over 100 SMS messages to employees and their families, posing as a legitimate message saying that their work schedules had been updated. 

A convincing fake 

The SMS messages not only said that people’s schedules had been updated but encouraged them to click through a link to view the changes. 

It was a convincing-looking link involving a domain name that featured Cloudflare and the name of a platform they used for many services, Okta. 

Three Cloudflare employees did fall for the phishing attack, supplying the credentials they used for Okta. 

What happened next? 

Cloudflare’s security protocols (employees must use physical security keys), own software and threat intelligence team were able to thwart the attack. 

This was all supported by a pre-existing security conscience and blame-free culture at the business. Those who had been sent messages felt encouraged to report the instance. 

The affected Cloudflare employees who had fallen for the attack had their credentials reset and were not punished for their actions. All the attacker got was a set of out-of-date credentials that couldn’t be used to access Cloudflare’s systems, as they didn’t have the matching physical security keys. 

Did psychological safety help? 

While the processes and technical practices that Cloudflare uses helped stop the attack in its tracks, the company also credits its lack of success due to Cloudflare’s culture. As Cloudflare wrote: 

“[Having] a paranoid but blame-free culture is critical for security. The three employees who fell for the phishing scam were not reprimanded. We’re all human and we make mistakes. It’s critically important that when we do, we report them and don’t cover them up.”

Having this outlook suggests that they have all four psychological safety stages present at the company. And by having it, the risk from a cybersecurity incident was more easily handled.