Don’t command – teach. It’s the golden rule if you want staff to follow the security guidelines you’ve developed to protect your organisation from cyber-attacks.
It’s common for IT usage policies to be viewed by employees as irritants or road blocks to daily activities, rather than vital means to mitigate the risk of economic and reputational disaster.
With the rise of Virtual Private Networks and privacy focused web browsers, it’s become easier for people who fancy flouting the rules to bypass organisational controls – and to open their employers up to additional risk in the process.
There’s a surfeit of the latter in today’s digital landscape.
The Australian Cyber Security Centre’s 2017 Threat Report notes the presence of ‘thousands of adversaries around the world willing to steal information, illegally make profits and undermine their targets’.
Meanwhile, instances of cyber-subversive staff circumventing their employers’ security perimeters and creating new points of vulnerability appear to be soaring.
Global research from Dtex earlier this year found that an astonishing 60 per cent of users surveyed were using anonymous or private browsing to bypass company security policies. The report also found that in more than 90 per cent of assessments, personal email usage was taking place on company machines. This simple occurrence – the hasty checking of Facebook or Gmail at lunchtime, say – increases the chances of a phishing attack affecting corporate resources exponentially.
The survey illustrates the point that a corporate security policy isn’t worth the paper it’s printed on if nobody follows it. That’s the reason it’s more effective to teach employees why they should commit to protection policies and measures, rather than mandating them and hoping, optimistically, that employees will do as they’re ordered.
Changing the way security rules are implemented can reduce risk and make your organisation safer.
Here are three ways to do so.
Lighten up – why relaxing rules can tighten security
In theory, maximum security should deliver maximum benefits. It doesn’t always work that way in real life. Making staff feel they’re in perpetual lockdown mode by requiring them to use complex 24-character passwords, ignore all email attachments and stay away sites which haven’t had the nod from security can be counter-productive. Why? Because if the protection measures seem overbearing and excessive, employers are more likely to ignore them or look for ways to ‘break bounds’.
Striking a sensible balance, on the other hand, can engender greater cooperation. If fewer sites are blocked, employers are less likely to be tempted to use a VPN or proxy to circumvent the rules. Similarly, the use of less complex – but still secure – passwords can reduce incidences of reuse and dissuade employees from simply swapping a single digit when password reset time comes around.
‘Lightening up’ can be made easier for security staff if the goal is viewed not as ‘absolute security’ but optimum security for the organisation and user group they’re responsible for safeguarding. If their employer is a financial institution or government agency charged with sensitive customer information, Supermax security levels may be appropriate; if it’s a small retail chain, less stringent measures are likely to suffice.
Make training meaningful
An employee education program is an essential element of any well-rounded cyber security strategy but unless you’re an aficionado, security can be a less than fascinating topic.
It’s little surprise users switch off if they’re treated to a lecture on the merits of two-factor authentication or a lengthy discourse on the company’s latest investment in anti-malware. Making training fun and interesting is the best way to ensure the messages sink in.
Gamification is a good way to do this. Turning training into a competition with prizes for the sharpest-eyed can have employees sitting up and paying attention, not sneaking in a game of Candy Crush while they endure death by PowerPoint.
Anti-phishing training programs which allow organisations to test their staff by sending out their own phishing emails, are another means by which security messages can be reinforced in situ most effectively. Once the results are collated, all staff receive emails with details about the ‘attack’ and features of the phishing email which should have raised a red flag.
Explain your reasons
People don’t know what they don’t know. Plenty of employees aren’t aware of the implications of a significant privacy breach or successful hacking attack and fail to appreciate how something as simple as a malicious link in a phishing email can kick one off.
Explaining the purpose of security policies, as well as prescribing the rules employees are expected to follow can result in greater cooperation and less resentment when it’s made known Gmail is off limits on the office netork.