There’s huge gap in most security programs. No, it’s not the lack of management buy-in, limited budget or underimplemented technical controls — it’s weaknesses in your user security training program. There is a widespread assumption that policies can be documented and then tucked away, only to resurface every year or two when people sign off on their employee handbooks. Executives and IT professionals tend to believe that all is well in terms of security during all the time in between.
Building an Effective User Security Training Program
Let’s get one thing straight: Your users aren’t as interested in security as you think they are, especially given the way you are likely conveying it to them. Visiting the subject of security once every year or two, glossing over it in HR meetings or lunch and learns, or expecting people to abide by those comical posters you have posted around the office is simply not enough.
Still, in my experience, that’s how most organizations treat user security training. Rather than approaching it like a program, it’s seen as a mere checkbox — and we all know how well checkboxes work in this field. Sure, users are quick to agree with whatever policies you put in front of them but, based on what I’ve seen and heard, most people assume that security is not their job. In fact, doing their own work is their job, and this often requires taking the path of least resistance in terms of security to get work done.
Setting User Expectations
You’ve heard the saying that hackers hack because they can. Well, the same goes for your users in terms of doing dumb things related to security: They do it because they can. Sometimes it’s out of ignorance; other times, there’s malicious intent. I believe that, in a lot of cases, user expectations have not been properly set. Still, there are too many situations where users are making actual security decisions on behalf of your department or the business as a whole, and that’s bad for everyone. I think that most people simply don’t understand what you are trying to accomplish with security, and that’s the real problem.
If you’re going to improve your security program, you cannot simply do more of whatever type of user security training you’re currently conducting and expect things to change. More paperwork, more rules and more stuff to remember never helps anyone. If you want to get your users on board with your security initiatives, you have to stop being boring and focus on being creative. An organizational email phishing program, for example, can be a core part of that. Phishing is interesting and everyone can relate to it. Yet I see a lot of IT and security teams limiting the scope of their email phishing testing, testing halfheartedly or failing to conduct phishing testing at all.
Asking the Right Questions
It’s not just about email phishing. It’s about educating users on what they should and should not be doing, as well as what’s going on in terms of security across the organization and the industry in which you operate. How many incidents were detected and stopped? How are you using technology to prevent the most common breaches? What business deals have you won because you are focusing on security as a competitive differentiator? How well did you pass your most recent audit? From consequences to rewards, why does security matter to the business? You need to answer these types of questions and convey this information to your users as if they were part of your team.
Security has to stop being an us-versus-them business function. It also has to stop being boring. Instead of creating complexity and getting in the way of your users, figure out how you can have meaningful and ongoing communications with them regarding the cool and fun side security. If people have to hear about security, that’s the kind of stuff they want. It’s a positive approach, not unlike what we’re taught to do with young children. Instead of saying “no” repeatedly, you must get them involved, explain to them — in their language — what you’re trying to accomplish, and then reward them when you catch them doing things right.
Do Something Different
I’m not convinced that user security training is a magic bullet solution to enterprise security challenges. However, the current approach that I see most organizations taking is not cutting it. I understand that most of us in this field are not HR professionals, nor are we necessarily experts in content development and training, so it’s important to get other people inside the organization involved or hire the right people to help you.
Do something different with your user security training program. Do it now and do it often. It’s not going to fix all of your security challenges, but if you continue with the same old method, it will most definitely hinder things over the long haul.
Listen to the podcast series: Take back control of your Cybersecurity now
Independent Information Security Consultant