As cybersecurity practitioners, we all have a mental list of fundamental technological controls that everyone should be using to secure their environments. But when it comes to the humans in our environment, few of us can point to specific effective methods to improve company culture in a way that keeps them from accidentally — or intentionally — thwarting our efforts.
Understanding the psychology of why people occasionally slip up is the first step to preventing risky errors.
Stress Makes Workers Less Productive
We’ve probably all had the experience of trying to navigate the world when we’ve had too little sleep, or when we have something weighing on our minds. It’s not a fun way to move through the world, and we can consider ourselves lucky if our missteps are harmless ones. More often, it’s those complex tasks that are challenging for us on a good day that we’re most likely to mess up.
Most people are not — and should not need to be — cybersecurity experts. Their first priority will naturally be whatever tasks fall within their specific job description. Good data hygiene practices often fall further down their list of priorities than we might like. Your employees need to have the mental bandwidth to be vigilant and to do their job effectively, and stress decreases that ability.
Are Your Policies Causing Stress?
One source of stress many organizations are imposing on their workers is having adversarial security policies. Treating workers as a threat to be curtailed, imposing controls that make their job harder to do, and threatening punishment for accidental lapses does create a “culture” of security. But it isn’t a positive one.
Security efforts succeed or fail based on the ability to identify problems as quickly as possible. It would be detrimental to shut off one of your best avenues for rapid response by making employees feel afraid to communicate. This effectively makes the job of security practitioners more difficult, increasing their own workload and stress level.
It should be no surprise that many cybersecurity personnel are overworked. This situation seems to be increasingly widespread, given the problems that many companies are having filling existing positions. Burnout and other stress-related mental health conditions are a prevalent issue in this industry: major conferences like Black Hat are even adding dedicated mental health tracks, according to Axios, and local events are adding Mental Health Hackers Villages.
Adding the stress of an adversarial environment is a surefire way to increase burnout and attrition. Creating policies that enable productivity and innovation makes everyone’s jobs easier.
What Does Positive Company Culture Look Like?
Negativity and stress decrease performance, while positive environments conversely improve it, according to Harvard Business Review. Since employees are ideally positioned to be the eyes and ears of the organization, they can be the best anomaly detectors and asset locators available if you can leverage this by improving communication.
To create a positive culture of security you need a company full of loyal advocates. Ideally, staff should be both loyal to your company and to your customers. These days, most companies would quickly cease to exist without the goodwill, and often the data, of their customers. Your employees need to have the bandwidth to protect both of these things at their full capacity.
Loyalty and protection go both ways, so business leaders must create a company culture of valuing employees and establishing psychological safety. Creating a cooperative security posture will help decrease incidents.
Build From the Tech Up
There are a few things your company can do today to enable employees to work safely and improve your security posture. Let’s start with the technological solutions, which basically boil down to creating an environment that mitigates the damage from mistakes or poor choices:
- Use robust, overlapping layers. Some common examples of this are multifactor authentication (MFA), sandboxing or virtual machines, blacklisting and whitelisting files or traffic, filtering unwanted or malicious files at the server and desktop levels, and encryption at rest and in transit.
- Enable reasonable use. If malware researchers can safely examine potentially dangerous files, so can human resources and finance departments. You can provide staff with advanced file-handling training, plus air-gapped or virtual machines that are dedicated to the task and can be quickly reimaged after each use.
- Implement seamless controls. When purchasing new products or services, prioritize choices that minimize extra steps when they must be used by your staff.
- Do not allow more access than is needed. Follow the principle of least privilege, which says that no user, machine or system should have more access than is needed to do their job.
Whatever security technologies you implement, make sure that they are working to empower your employees and improve cross-department communications. Some things to get started include:
- Listen to your employees. Are there devices, communication methods or data sources that people are using that you don’t know about? Are there particular vulnerabilities or pain points that they’ve spotted that should be fixed? These are just a couple of questions you should be asking, which might uncover holes you’re not yet aware of.
- Find out how they work. Shadow employees to find out how security controls function within their daily work. Are there simple tweaks you can make that make their jobs easier?
- Create an easy way for staff to report suspicious files or accidents. Your employees likely see a whole lot more spam, phishing and malware than you realize. They may quickly delete them, or they may mistakenly click on things they shouldn’t. Neither of these situations is ideal. You can use those messages that pass filters to train your defenses, and you can quickly investigate accidents, but only if you know about them.
- Create an easy way to request access level changes. People change jobs and responsibilities often within the course of their tenure. There should be an easy way to request changes to their access if need be.
Security should not be the “Department of No,” but an enabler of innovation. This may seem contrary to common wisdom, but it is far from an impossible task. Considering the mental health and well-being of our employees can pay great dividends.