9/28/2018 10:30 AM

How Data Security Improves When You Engage Employees in the Process

When it comes to protecting information, we can all do better. But encouraging a can-do attitude goes a long way toward discouraging users' risky behaviors.

Even with best-in-class data breach protection and prevention technology, strong security and privacy practices start internally — with your employees. There are several ways to go about this, but based on my work in the field for over 10 years, the most effective ways to lower a company's risk exposure begin and end with a positive approach. Here are three examples:

1. Give Employees a Reason to Care
Communicating security messages that are relatable and provide actionable steps employees can take to protect information and respond to threats is more effective than authoritative commands. Encouraging a can-do attitude also goes a long way. When employees aren't afraid of being punished for mistakes, like accidentally clicking on a phishing link, they're more likely to exhibit positive behaviors. You can reinforce these behaviors by reminding employees that information security is a team effort for the protection of the entire company.

Another way to engage employees is a rewards system for good behavior. These range from physical rewards (monetary or otherwise) to recognition (a lottery system or nomination process for recognizing your peers) and even gamification (a friendly competition that tracks performance on a leaderboard). Combining two of these concepts, Salesforce, a cloud computing company, piloted a security awareness gamification initiative focused on positive recognition rather than negative reinforcement. According to chief trust officer Patrick Heim, after 18 months, participants were 50% less likely to click on a phishing link and 82% more likely to report a phishing email.

2. Offer Choices, not Mandates
Reframe the conversation to focus on a partnership with employees, giving them multiple strategies for protecting information and responding to potential threats. By offering choices and getting their buy-in, you make employees feel like part of the solution. For example, instead of saying, "You must adopt this security measure," try saying, "Here are four options we recommend, and you can choose the one you're most comfortable using." Employees learn in different ways, so it helps to offer several routes to the same goal: several acceptable ways of creating strong passwords, for example, each of which still complies with company policy.

A great example of inclusive programming is anti-phishing training, which teaches employees to identify fraudulent attempts to obtain sensitive information electronically, often for malicious reasons, under the guise of a trustworthy source. In order for this training to be successful, employees must learn how to make choices when they receive potential phishing emails. Experiential training with real-world simulations — where employees build their knowledge base and ability to make choices in the moment, as it relates to them and their learning style — has proved to be effective. According to the research from Herman Miller Learning Pyramid, learning by doing yields a 75% knowledge retention rate compared with 5% relying on lectures.

Giving employees a choice of password management software may likewise foster an environment of partnership rather than rigid control. For the few passwords that still have to be memorized, there are several strategies for creating one that is strong and unique, and different people will find different ones easy to remember. One is to start from an everyday phrase, such as "My favorite action movie is 2 Fast 2 Furious!", and keep the first character of each word plus the closing punctuation, which gives "Mfami2F2F!" The technique has a limit worth stating in training: the result is only as hard to guess as the phrase behind it, so a famous title is weaker than a phrase nobody else would associate with you, and wherever a password does not need to be memorized, the random string a password manager generates remains the stronger choice.
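An added example, not code from the article or from any vendor named in it, that implements the mnemonic above next to the alternative the article mentions, a manager-generated random password, and runs both through one policy check. The 12-character minimum, the three-character-class rule and the small deny-list are assumed stand-ins for a company policy; the deny-list entries are constructed.

```python
"""Added example (not the article's or any vendor's code): the two
password strategies the article lets employees choose between, run
through one policy check. The minimum length, the character-class rule
and the deny-list are assumptions standing in for a company policy."""
import math
import secrets
import string
from typing import List

# Constructed stand-in for a breached/common-password feed. Compared after
# lower-casing and dropping non-alphanumerics, so "2 Fast 2 Furious!" and
# "2fast2furious" hit the same entry.
COMMON_PHRASES = {"password", "letmein", "qwerty", "2fast2furious"}


def mnemonic_password(phrase: str) -> str:
    """First character of every word, plus any punctuation that closes the
    phrase: "My favorite action movie is 2 Fast 2 Furious!" -> "Mfami2F2F!"."""
    words = phrase.split()
    if not words:
        return ""
    initials = "".join(w[0] for w in words)
    stripped = words[-1].rstrip(string.punctuation)
    # Trailing punctuation of the last word ("Furious!" -> "!"); a last word
    # that is punctuation only has already contributed its first character.
    tail = words[-1][len(stripped):] if stripped else ""
    return initials + tail


def check_policy(password: str, min_length: int = 12) -> List[str]:
    """Return the policy rules the password fails (empty list means it passes)."""
    failures = []
    if len(password) < min_length:
        failures.append("shorter than %d characters" % min_length)
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    if sum(classes) < 3:
        failures.append("fewer than three character classes")
    normalized = "".join(c for c in password.lower() if c.isalnum())
    if normalized in COMMON_PHRASES:
        failures.append("matches a common password or phrase")
    return failures


def generated_password(length: int = 20) -> str:
    """What a password manager produces: uniformly random characters from
    the full printable set, resampled until the policy accepts it."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_policy(candidate):
            return candidate


def naive_entropy_bits(password: str) -> float:
    """Charset estimate, len * log2(alphabet size). It treats every password
    as random, so it overstates a mnemonic built from a famous title: an
    attacker who knows the method only has to guess the phrase."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return len(password) * math.log2(size) if size else 0.0


if __name__ == "__main__":
    for pw in (mnemonic_password("My favorite action movie is 2 Fast 2 Furious!"),
               mnemonic_password("My favorite action movie is 2 Fast 2 Furious, and I saw it twice!"),
               generated_password()):
        print("%-22s %5.1f bits (naive)  failures: %s"
              % (pw, naive_entropy_bits(pw), check_policy(pw) or "none"))
```

Two things the run shows that the paragraph alone does not: a deny-list applied to the finished password does not catch a mnemonic built from a deny-listed phrase (the phrase "2 Fast 2 Furious!" fails the check, its mnemonic "2F2F!" fails only on length and class count), and the article's 10-character example passes a character-class rule but fails a 12-character minimum, so which of the two a policy enforces decides whether the method is acceptable at all.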

3. It's About Security, not Perfection
Historically, companies have used deterrent strategies or fear appeals to discourage risky behaviors. Today, it's more effective to encourage positive behaviors by finding out what motivates employees and then communicating security messages that align with those motivations. At Family Insurance Solutions, for example, IT security administrator Jordan Schroeder noted in an interview that employees who were once his biggest concern are now his best partners in security because, in response to phishing and break-in attempts, he relies on positive feedback and messages of encouragement when they do the right thing. When they do the wrong thing, he shows them the correct behavior. Unlike Salesforce, there is no gamification, but the results are evident in employees' behavior as they educate themselves and no longer hide what they did wrong for fear of reprisal.

When it comes to protecting information, we can all do better. But if employees fail, it's important they feel encouraged to immediately report it and do the right thing. At the end of the day, perfection is not the goal — it's lowering your organization's risk exposure.
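The measures behind section 1's Salesforce numbers and section 3's "report it immediately" point can be computed from an ordinary phishing-simulation event log. The block below is an added example, not Salesforce's or Family Insurance Solutions' tooling: it derives click rate and report rate per campaign, the relative change between two campaigns (the form in which "50% less likely to click" is stated), and a recognition list that credits everyone who reported, including people who clicked first. The log format and every record in it are constructed.

```python
"""Added example, not Salesforce's or Family Insurance Solutions' tooling:
click rate, report rate, their change between campaigns, and a
recognition list for a phishing-simulation programme. The event-log
format and the records are constructed."""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed log: campaign, user, event, ISO timestamp. Two campaigns six
# months apart, four recipients each. In 2018-Q3 alice clicks and then
# reports a minute later, which is exactly the behaviour section 3 wants.
EVENTS = """\
2018-Q1,alice,sent,2018-01-10T09:00:00
2018-Q1,alice,clicked,2018-01-10T09:05:00
2018-Q1,bob,sent,2018-01-10T09:00:00
2018-Q1,bob,clicked,2018-01-10T09:20:00
2018-Q1,carol,sent,2018-01-10T09:00:00
2018-Q1,dave,sent,2018-01-10T09:00:00
2018-Q1,dave,reported,2018-01-10T11:00:00
2018-Q3,alice,sent,2018-07-10T09:00:00
2018-Q3,alice,clicked,2018-07-10T09:03:00
2018-Q3,alice,reported,2018-07-10T09:04:00
2018-Q3,bob,sent,2018-07-10T09:00:00
2018-Q3,bob,reported,2018-07-10T09:15:00
2018-Q3,carol,sent,2018-07-10T09:00:00
2018-Q3,carol,reported,2018-07-10T09:30:00
2018-Q3,dave,sent,2018-07-10T09:00:00
"""

Event = Tuple[str, str, str, datetime]


def parse_events(text: str) -> List[Event]:
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        campaign, user, event, ts = line.split(",")
        rows.append((campaign, user, event, datetime.fromisoformat(ts)))
    return rows


def campaign_metrics(events: List[Event]) -> Dict[str, Dict[str, float]]:
    """Per campaign: recipients, click rate and report rate over distinct
    users, so one person clicking twice still counts once."""
    buckets = {"sent": defaultdict(set), "clicked": defaultdict(set),
               "reported": defaultdict(set)}
    for campaign, user, event, _ in events:
        if event in buckets:
            buckets[event][campaign].add(user)
    metrics = {}
    for campaign, recipients in buckets["sent"].items():
        n = len(recipients)
        metrics[campaign] = {
            "recipients": n,
            "click_rate": len(buckets["clicked"][campaign]) / n,
            "report_rate": len(buckets["reported"][campaign]) / n,
        }
    return metrics


def relative_change(metrics: Dict[str, Dict[str, float]],
                    before: str, after: str, key: str) -> float:
    """Fractional change of a rate between two campaigns: -0.5 reads as
    'half as likely to click', +0.82 as '82% more likely to report'."""
    base = metrics[before][key]
    if base == 0:
        raise ValueError("baseline %s for %s is zero" % (key, before))
    return (metrics[after][key] - base) / base


def recognition_list(events: List[Event],
                     campaign: str) -> List[Tuple[str, int, bool]]:
    """Everyone who reported the lure, fastest first, as (user, seconds from
    delivery to first report, also_clicked). Reporting after a click is
    credited, not penalised; recipients who clicked and never reported are
    simply absent from the list rather than named."""
    sent_at: Dict[str, datetime] = {}
    clicked: Set[str] = set()
    reported_at: Dict[str, datetime] = {}
    for c, user, event, ts in events:
        if c != campaign:
            continue
        if event == "sent":
            sent_at[user] = ts
        elif event == "clicked":
            clicked.add(user)
        elif event == "reported":
            reported_at.setdefault(user, ts)  # first report counts
    rows = [(user, int((ts - sent_at[user]).total_seconds()), user in clicked)
            for user, ts in reported_at.items()]
    return sorted(rows, key=lambda row: row[1])


if __name__ == "__main__":
    ev = parse_events(EVENTS)
    m = campaign_metrics(ev)
    for name, stats in sorted(m.items()):
        print(name, stats)
    for key in ("click_rate", "report_rate"):
        print("%s change: %+.0f%%" % (key, 100 * relative_change(m, "2018-Q1", "2018-Q3", key)))
    print("recognised in 2018-Q3:", recognition_list(ev, "2018-Q3"))
```

The recognition list is deliberately the only per-person output: it is sorted by time to report, so the fastest reporter tops a leaderboard, and the also_clicked flag is there for the programme owner to praise the recovery, never to publish. Click rate stays an aggregate per campaign, which is what keeps the measurement consistent with the no-punishment approach the article describes.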


Robert E. Crossler, an assistant professor of information systems, joined the Department of Management, Information Systems & Entrepreneurship in the Carson College of Business at Washington State University in July 2016. He obtained his bachelor's degree in information ...
Comments

rob.crossler@wsu.edu (User Rank: Author), 9/28/2018 | 2:59:04 PM
Re: Passwords
Security keys are a great alternative. However, passwords are not going away any time soon, so having a strategy to increase password behavior is a necessary step as well.

Dr.T (User Rank: Ninja), 9/28/2018 | 2:30:30 PM
Minimizing the risk
"At the end of the day, perfection is not the goal; it's lowering your organization's risk exposure." That is true: minimizing the risk. We will not be able to avoid it altogether regardless.

Dr.T (User Rank: Ninja), 9/28/2018 | 2:28:22 PM
Passwords
"Giving employees a choice of password management software to use to achieve company security may also foster an environment of partnership versus rigid control." How about no password? Use security keys. I know it's challenging, but nothing is worse than passwords.

Dr.T (User Rank: Ninja), 9/28/2018 | 2:26:24 PM
choices?
"Here are four options we recommend, and you can choose the one you're most comfortable using." This is really good thinking. Sometimes there are no choices, though.

Dr.T (User Rank: Ninja), 9/28/2018 | 2:24:40 PM
Reward
"Another way to engage employees is a rewards system for good behavior." Rewarding good behavior is the way to go in my view. So if they report a phishing email, that is one award, for example.

Dr.T (User Rank: Ninja), 9/28/2018 | 2:22:49 PM
Like the list
I like the list; especially "Give Employees a Reason to Care" is the one that would make a difference, I would say.