Strengthening IT Security’s Weakest Link — People
How does an organization build a culture of security?
Scary stories about artificial intelligence (AI)—such as Elon Musk’s talk of existential threats or the questionable claim that Facebook shut down some bots after they invented their own language — prey on a very simple truth: Computers aren’t people, and people aren’t robots.
We’re glad about this fact, except when it comes to IT security. There it creates problems, because employees aren’t “programmed” to follow a certain set of rules. They often behave in ways that have those responsible for cyber-protection scratching and shaking their heads.
Hackers seek the weakest link in a security chain. This means the most vulnerable entry point is all too often human. The Association of Corporate Counsel found that data breaches are most often the result of an employee error or an inside job.
How can human weakness be minimized in the data center, on the network, and everywhere else employees, contractors, consultants, and others come in contact with data and IT systems?
Here are a few tips, compiled from experts in the field on how to build a culture of security:
- Start at the top. Owners, executives, and managers need to be knee-deep in security, seen doing things in the most secure manner and heard underscoring key security messages. They should receive the same training as any other employee, perhaps even at the same time, so the importance of the sessions is communicated by their presence.
- Define security policies and procedures. Most people cannot follow a general edict to “treat data securely.” Bank customers, for example, rarely reveal their ATM PIN on purpose, but more than a few carry it on a piece of paper in the same wallet as their card. Employees, contractors, and management need precise direction about what behaviors are and are not secure. That’s why it’s essential to have a written list. Don’t expect employees to realize that taking paper records or memory sticks out of the office might be unsafe. (A study proved it’s definitely not secure: When some 200 unbranded USB sticks were dropped in random locations inside a major airport, one individual in five plugged one into a laptop to check it out.) Specify that doing so is not allowed, and explain why.
- Communicate the policies. Here’s a disturbing CompTIA finding—of 1,200 full-time American employees interviewed, only 55% reported receiving cybersecurity training at work. That means 45% haven’t the foggiest idea what their employers want from them to keep information and IT access safe. The good news is that even basic briefings on security measures will have an impact in many enterprises, so you can start small.
- Break it up. We’ve all been to a mandatory corporate snooze-fest at some point, and few of us remember the information conveyed. Simply adding another boring presentation on cybersecurity won’t help. Instead, consider doing security training in smaller groups and covering the topics in shorter “bursts” throughout the year. It will grab more attention, and reinforce security as a day-to-day concern better, than another annual PowerPoint to sit through.
- Make it fun. Once employees understand expectations, help them stay motivated to perform as expected and reinforce the messages in fun ways. Gamification isn’t just for geeks. Use contests, group activities, and rewards to raise awareness and compliance with security policies. It’s amazing how far a few Amazon Dollars can stretch in encouraging the marketing or logistics department to play along.
- Become the office of “yes, we can help.” IT security departments have a reputation for being the department of “no.” No matter what other department managers want or need to do, it seems IT security can come up with reasons it’s problematic and shouldn’t be attempted. A more collaborative relationship should be a goal. IT security can still raise questions and highlight possible security challenges, but they should be seen suggesting solutions as well. That way, others across the organization will be less likely to avoid or work around IT security; they’ll come with their goals knowing IT can help them achieve them more securely.
- Open the door to questions. A side benefit of a collaborative attitude is getting more information from employees at all levels. When IT security is seen only as a police force, they are unlikely to get word of a suspicious email, hear mention that a computer is acting in a way that could indicate a virus, or be asked questions about what an employee should do in a particular scenario. But when employees are encouraged to discover more from a friendly IT security team, without fear of ridicule or reprisal, many will proactively seek out ways to upgrade their security behaviors.
The cliché about it taking a village applies as much to cyber-security as it ever did to raising children. IT security pros need to take the entire enterprise along on the journey to better, safer IT practices.
If that seems like more trouble than it’s worth, consider this warning from CompTIA’s 2017 IT trends report. “The headline-making breaches of the past three years have not put companies out of business … Unfortunately, the event that creates a tipping point will need to have greater consequences before there is a broad shift in transforming security technology, processes, and education.”
Do you really want to be the one to reach that point of no return?