John M. Attinger, Director – Security & Training at Capensys, and Steve Williams, Director of Strategic Partnerships at MediaPro
Debate will and should continue about what role individuals and employees should play in the security effort. What is no longer a debate is that an individual’s decision making, when it comes to handling data, transferring information, and protecting devices, can have a major impact on an organization of any size. In today’s hyper-connected world there is an ongoing clash between personal and professional tasks – an individual’s digital life and attention are often distributed across a number of personal and professional devices. These interconnected variables have created an environment in which a single connection to a rogue network, or just one poor decision with a malicious attachment, can result in an array of incidents ranging from ransomware to credential theft and many things in between.
Though controls, policies, and system defenses will always play a critical role in minimizing or reducing the impact of these incidents, it’s time for firms to fully embrace the positive influence that encouragement and involvement can play when it comes to the security and privacy decisions that people make.
At its core, technology can accelerate productivity and improve both life and business experiences. In-person meetings and bland voice-based teleconferences have been augmented, and are often entirely replaced, by interactive “virtual” meetings that allow for live collaboration, screen sharing, and live video feeds. Search engines and social networks are turning phone books into historical artifacts, and seeing a person without a mobile device is becoming an anomaly. Hailing a cab in the rain while shivering? All but gone – there’s an app for that. People are willing to rapidly adopt any technology that they perceive will make their life better or even more enjoyable. These technologies are good; actually, they are great, and they have positively transformed the way we work and what we are capable of producing.
So why is it such a struggle to get users to adopt basic behaviors and best practices that can virtually eliminate the damage done by the usual suspects: phishing, social engineering, and even lost devices? There’s no single answer. Were it that easy, we’d all be one blog post or software license away from the “cure” (hint: be very suspicious of anyone who claims to have the cure!). Having collaborated on countless security awareness/data privacy programs for the past 4 years, I’d contend that our messaging and approach still need some work. If our goal is actual behavior modification, it would be nice if we could sit back at a safe distance and steer people towards the light using only tools like phishing simulators, online training, and email-based security alerts. While these tools play an important role in raising visibility and increasing competency, they are not a replacement for the lifeblood of any effort to drive change: personal engagement.
Our colleagues who are not in direct security/risk/compliance roles don’t wake up every morning thinking about data loss or privacy breaches, like us. Our colleagues don’t open email messages at all hours and study the headers and IP details to determine the source of a strange message, like us. Our colleagues also do not head into a job performance review thinking about how their ability to protect company information and trade secrets from outsiders will be evaluated; maybe they should, but they don’t. Hoping that we can change these behaviors “remotely” is running face first into a stiff wind. We need another approach to drive the type of change that makes a meaningful difference. Can we learn from other examples where people commit time, devote energy, and take action on projects that are not associated with their core job function? Yes.
Company-based health and wellness programs, community service projects, and fundraisers are excellent examples of activities that occur with frequency and success within organizations of all sizes. Most of these activities share a common quality: they are optional; people can choose to commit or flat out ignore them. A former colleague of mine recently described a pre-work event – dozens of female colleagues met with over a hundred young girls from a variety of local schools at a career discovery event. They met, talked, and shared professional career path options with the young stars… unpaid and optional, but very well attended. What was the driver? Engagement. The program was spearheaded by several individuals who relentlessly recruited internal team members to commit and attend, and reached out to the school community. The result – a successful event that had real impact.
So, what do the outcomes of security engagement look like? Last month a colleague in a law firm overheard a counterpart complaining to a peer about the IT Department. The complaint? IT had started renaming his client folders on a shared drive using hexadecimal codes and complex character strings. The colleague commented that it was highly unlikely that IT would rename his folders without prior notification, and asked to see an example. He immediately called the security team, who discovered that ransomware file encryption was actively underway. Should there have been an automated alert or preventive control to stop the file encryption? Probably. But when a control falls short or something unusual occurs, an employee who is engaged will act, while the employee who is unengaged will tune out the colleague’s conversation about renamed folders.
Security and privacy engagement is a contact sport, not a remote activity. You can’t move behavior and drive change in the absence of shared ownership and a team that is committed to helping drive the message. Sending a fake phishing email to colleagues is a security awareness activity, and one that can play a role, but getting involved with influential members of your organization to earn buy-in and gain support and mindshare for your security and privacy program is real security engagement. So are town hall sessions that paint an accurate picture of the threat landscape, the firm’s vulnerabilities, and the drivers behind the “push” for security (especially the firm’s clients). So is speaking at attorney lunches and secretary meetings, or hosting a “Security Awareness Month.” Even better – pushing pinpoint, optional micro-learning to your users when a real-world security event, such as the WannaCry ransomware attack, is top of the news. And when a user does the “right thing” and demonstrates engagement with security awareness, celebrate the win to your wider user community. The outcomes of these types of security engagements are the game changers that we seek.
For additional insight on security awareness engagement, Capensys hosted a webinar titled How to Build & Maintain an Engaging Program (with everything else that you have to do!).