How To Change Security Behaviors: Information Security
Let’s be honest, employees make mistakes. And sometimes those mistakes have catastrophic consequences.
Everybody has heard stories about people accidentally leaving an unencrypted work laptop on the train, or on the seat of their car. Heck, on a busy day we could even imagine ourselves doing it.
But with industry regulators finally starting to find their teeth — and the GDPR is now in full force — now is a really bad time to play fast and loose with sensitive information.
Of course, persuading employees to take information security seriously is far from easy. After all, most people already have too many things to think about, so if you want them to pay attention to your priorities you’re going to need to work for their attention.
PhishLabs General Security Training 0001: Securing The Office-Ish
Out with the Old
One of the biggest reasons why employees fail to take information security seriously is the nature of typical awareness training sessions. They’re infrequent, often largely irrelevant, and extremely boring.
Is it any wonder nobody cares?
But here’s the thing. If you made information security training interesting, relevant, and frequent, you’d be amazed by the willingness of most employees to engage with the subject.
So here’s our first prescription: Focus your information security training program around the concept of “micro learning” — Literally, provide your employees with short, focused, frequent training opportunities.
In simple terms, never give your employees the opportunity to “forget” about information security, but also never overwhelm them with too much knowledge in a single session. If you achieve this balance a huge part of the battle will already be won, as an employee who regularly thinks about information security is far less likely to make glaring mistakes.
Think Real Life
Micro learning is an extremely helpful concept for changing security behaviors, but it must be backed up with solid content. And how do you know which topics to cover? Simply look at the top causes of data breach in your industry, and make sure those that involve employees are thoroughly covered.
And you won’t have to look far. User error has consistently caused a huge proportion of data breaches over the past two decades. On the topic of information security, here are some common scenarios that can easily lead to breaches:
- Leaving sensitive data on public transport
- Failing to shred documents before throwing them out
- Sending emails to the wrong recipient(s)
- Speaking on the phone in public areas
- Transporting data using unencrypted devices
Keep in mind that there is a difference between what is usually taught in security awareness programs and what is genuinely valuable. For instance, many trainers love to use the “infected USB sticks left in a corporate parking lot” example… but it almost never happens. Meanwhile, employees endanger their organizations’ sensitive data every single day by not following proper data disposal methods.
So when you’re deciding on content for your program, try to make it as true to life as possible — Not only will it lead to a more powerful program, it will also keep your employees more engaged, as they are repeatedly exposed to content that’s relevant to their daily work.
Walk the Walk
Some organizations are great at talking about security… but not so good at following through. If you really want to see an improvement in employee security behaviors, you must give them the support and resources they need to act on the training you’re providing.
For instance, if you’ve identified that transporting sensitive data is an area of risk for your organization, it’s great to include advice in your training program. But at the same time, you need to follow through by providing encrypted USB sticks and laptops.
Equally, it’s important to educate employees on the need to shred sensitive documents before throwing them out. But all that training will be for nought if your employees don’t have easy access to a shredder.
Quite simply, if you combine good training with the tools necessary to so the job, you’ll be a long way towards getting the results you want.
Remember Human Nature
Here’s the thing about human nature. If something seems difficult, it probably won’t happen.
Let’s put that in context. You’ve trained your users to understand why they should shred sensitive documents before tossing them out, and you’ve bought a few shredders. All good, right?
Wrong.
If your employees have to talk all the way across an open plan office to get to the shredder, do you really think they’ll do it every time just because you asked them to? Clearly not. In fact, if we’re honest, you’d be lucky if it happened 50 percent of the time.
That’s why, just like anti-phishing training, you have to make things as easy as possible for your employees. Again, they’re busy people, and if you don’t make things easy for them they won’t happen consistently.
Another big one is the use of encrypted USB sticks to transport data — Many organizations “make them available” to employees who specifically ask for them, but they don’t go any further. As a result, when an employee suddenly needs to transport sensitive data… it’s too late. They’re stuck using an unencrypted drive.
So again, when you’re setting your training content and ensuring the necessary tools are in place, ask yourselves if you’re making life easy for your employees. If you are, there’s a great chance you’ll see serious results.
Never Stop Never Stopping
Changing security behaviors doesn’t happen overnight. People are busy with their own priorities, and it takes repeated exposure to high quality training materials to bring information security to the forefront of their minds.
So when you’re planning your program, keep in mind that this isn’t a quick fix for poor security behaviors, and it’s also not a one shot solution. There will always be new employees in need of training from scratch, and your existing employees will need constant reminders to ensure security remains at the forefront of their minds.
Simply put, if you want to minimize the dangers of human error, you must design a powerful security training program, and maintain it month after month, year after year.
*** This is a Security Bloggers Network syndicated blog from The PhishLabs Blog authored by Dane Boyd. Read the original post at: https://info.phishlabs.com/blog/how-to-change-security-behaviors-information-security
