It’s no secret that employees are routinely cited as a company’s highest IT security risk, and year over year they stay at, or near, the top of the list. Unless nearly every company is staffed by apathetic employees with no regard for security, which is extremely unlikely, there must be a disconnect between security policies and the people expected to follow them. In other words, there must be a better way to engage employees with security.
Let’s take a quick step backwards and look at the most common behaviours that leave employees vulnerable to attack:
- Disabling security software
- Responding to phishing emails
- Opening unknown email attachments
- Downloading files from untrusted websites
- Leaving mobile devices unlocked or in public places
For IT professionals, security is top of mind nearly every waking hour, but for most other employees, daily work life doesn’t include researching the latest phishing scam or analysing log-in behaviour to spot a possible compromise. Everyone is just trying to do their job, and because IT security isn’t in their job description, you can’t blame them for finding rules like scheduled password changes or staying hyper-aware while checking email a little frustrating (some of those rules, forced periodic password rotation among them, are no longer recommended by current guidance such as NIST SP 800-63B, which makes the frustration even harder to justify). They may well see these added security measures as taking away from their productivity. After all, their own tasks are their first priority.
How to change security culture
The best way to get IT security procedures followed is to get each person onto your team. Helping employees understand the context for the rules will help, but so will showing that you understand their needs and then working towards security procedures that make sense for everyone following them. This doesn’t mean relaxing policies; it means communicating about each policy so employees can see you’re not making their work harder for no reason. Talk about real threats and how each procedure helps to protect the company.
A security culture shift starts from the top down. Executives need to set an example not just by following procedures, but by talking about why security policies matter and taking part in the same training. With a team approach, security policies stop being something forced on employees and become an inherent value within the company culture.
Ways to engage employees in IT security:
- Run ongoing training, not just to refresh existing knowledge, but also to keep employees informed about the latest threats, how they happened, and how they could have been prevented.
- Adjust your language to communicate that employee behaviour is one of many ways a company can be vulnerable, but that employees are not the problem: attackers are the problem. Remind them that other lines of defence are protecting them, but that if a threat gets through those layers, they can be the ones who stop it. Again, this emphasises an overall team effort.
- Simulate attacks specific to departments to show how convincing they can be.
- Communicate the importance of reporting suspicious activity, or their own mistakes such as a clicked link or a lost device, instead of hiding it. A report that arrives within minutes is far more useful than one that never arrives.
- Send out simulated attacks and reward those who respond correctly, including those who report the message rather than simply ignoring it; how many people report is a better measure of progress than how many click. Use the data collected from the exercise to strengthen weak areas. Those weak areas likely have reasons behind them that stretch beyond apathy, so do a little digging and give employees the benefit of the doubt.
When enforcing security policies, the most tempting approach is to punish those who fall short, but if punishment were enough of a motivator, the mere thought of leaving the company open to a cyber attack would be punishment enough. Clearly, it isn’t. IT security culture within a company needs to change so that policies aren’t just annoying barriers between an employee and their productivity. Instead, these policies can be tools that employees use to contribute to a larger company culture of security and teamwork.