Vulnerabilities / Threats

6/18/2018
10:30 AM
Marc Laliberte
Marc Laliberte
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

3 Tips for Driving User Buy-in to Security Policies

Teaching users why it's important to commit to security controls is a far more effective strategy than simply demanding that they follow them. Here's how.

IT usage and security policies can be an annoyance for employees who simply see them as draconian roadblocks for their daily activities. With the rise of privacy tools, such as VPNs and privacy-focused web browsers, it's never been easier for users to circumvent organizational controls and, in turn, increase a company's risk profile.

Case in point: A 2018 Insider Threat Intelligence Report from Dtex found that last year 60% of users surveyed were using anonymous or private browsing to bypass company security policies. The report also found that in 91% of assessments, personal email usage was occurring on company machines, which significantly increases the chances of a phishing attack affecting corporate resources. Even the best corporate security policies mean nothing if users don't follow them.

That's why teaching users why it's important to commit to security policies and controls is a far more effective strategy than simply demanding that they follow them. For example, relaxing rules, gamifying education and testing, or simply explaining the "why" behind rules can do a lot to help drive employee acceptance.

By making a few changes in how you implement your security rules, you can make your company more secure. Here are three tips.

Tip 1: Relax Security Rules
As a security professional, I understand the value of advocating for the strongest security possible. To be honest, if I had my way, users would use complex, 24-plus-character passwords, ignore all email attachments, and be blocked from accessing the Internet outside of specific whitelisted websites required for their jobs. But this isn't realistic. Applying overbearing security policies is an effective way to get employees to ignore sensible security practices out of spite.

On the other hand, by relaxing some rules, IT can drive better policy adoption. For example, easing up on the websites you block can reduce the urge for users to try and proxy or VPN around corporate protections. Allowing less complex (but still secure) passwords can reduce password reuse and dissuade users from simply swapping in a new number when it comes time for a quarterly password reset. In fact, last year the National Institute for Standards and Technology (NIST) updated its password enforcement guidelines to remove complexity and expiration requirements, among other similar changes.

Tip 2: Engage Users with Meaningful Training
All it takes is one unaware user clicking a malicious link in a phishing email to breach a company. Employee training is a critical part of every security plan, so engaging users with interesting and effective security awareness training programs is crucial. Gamification is also a great way to boost interest and get employees to pay attention to the important information. Changing out the slide deck for a "find the phish" game can help keep users engaged in the content and focused on the ultimate goal. Implementing a points system with a training leaderboard and prizes can encourage employees to pay attention and pass knowledge assessments. 

Tip 3: Explain Why
Security pros have all encountered users who ignore security rules because they don't understand the true implications behind them. Explaining the purpose behind your security policies is vital to bringing these users on board. Instead of simply blocking access to personal email websites, like Gmail or Hotmail, explain the risks these sites pose to the organization when users bypass anti-phishing protections. Demonstrating how easy it is to brute-force short passwords might help them understand why longer passwords are vital. Discussing the actual impact of ransomware can work a lot better than just telling your employees to use network backup locations.

These exercises are equally important for the policy creators. If you can't define a clear "why" for a policy rule, then it probably shouldn't be a rule. It's easy for security professionals to go for the "Fort Knox" approach to security, but different organizations have different threat models. A policy that works great for a Fortune 500 company might not be appropriate for a 12-person shop. Regardless, a little bit of "why" education can go a long way in making users more amenable to new policies.

When it comes to security, the goal should not be to create absolute security, but to be as secure as possible given the demands of the business model and the user group you have to work with. The best security plan is one that everyone can get on board with, and that doesn't have to be difficult to achieve.

Related Content:

Why Cybercriminals Attack: A DARK READING VIRTUAL EVENT Wednesday, June 27. Industry experts will offer a range of information and insight on who the bad guys are – and why they might be targeting your enterprise. Go here for more information on this free event.

Marc Laliberte is an information security threat analyst at WatchGuard Technologies. Specializing in network security technologies, Marc's industry experience allows him to conduct meaningful information security research and educate audiences on the latest cybersecurity ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
NathanDavidson
50%
50%
NathanDavidson,
User Rank: Apprentice
7/23/2018 | 1:41:25 AM
Re: Rules are created for betterment
I personally don't think that there are very many companies or employees who enjoy having security protocol, but hopefully they understand the necessity of the framework being in place. At the end of the day, all of these measures are put in and implemented in order to safeguard the information inside the company or even just to protect user and customer data. Surely these people can see that there is merit in protecting that if they put themselves in the customer's shoes...
dwayne22
50%
50%
dwayne22,
User Rank: Apprentice
7/5/2018 | 3:18:38 AM
Rules are created for betterment
The rules are created for betterment they should be followed and especially the security policies but still, they use VPNs and personal email to access other websites because of that it's really not easy for users to circumvent organizational controls. There should a rule for using VPN in the USA and also for other countries. 
High Stress Levels Impacting CISOs Physically, Mentally
Jai Vijayan, Freelance writer,  2/14/2019
Valentine's Emails Laced with Gandcrab Ransomware
Kelly Sheridan, Staff Editor, Dark Reading,  2/14/2019
Making the Case for a Cybersecurity Moon Shot
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  2/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-8980
PUBLISHED: 2019-02-21
A memory leak in the kernel_read_file function in fs/exec.c in the Linux kernel through 4.20.11 allows attackers to cause a denial of service (memory consumption) by triggering vfs_read failures.
CVE-2019-8979
PUBLISHED: 2019-02-21
Koseven through 3.3.9, and Kohana through 3.3.6, has SQL Injection when the order_by() parameter can be controlled.
CVE-2013-7469
PUBLISHED: 2019-02-21
Seafile through 6.2.11 always uses the same Initialization Vector (IV) with Cipher Block Chaining (CBC) Mode to encrypt private data, making it easier to conduct chosen-plaintext attacks or dictionary attacks.
CVE-2018-20146
PUBLISHED: 2019-02-21
An issue was discovered in Liquidware ProfileUnity before 6.8.0 with Liquidware FlexApp before 6.8.0. A local user could obtain administrator rights, as demonstrated by use of PowerShell.
CVE-2019-5727
PUBLISHED: 2019-02-21
Splunk Web in Splunk Enterprise 6.5.x before 6.5.5, 6.4.x before 6.4.9, 6.3.x before 6.3.12, 6.2.x before 6.2.14, 6.1.x before 6.1.14, and 6.0.x before 6.0.15 and Splunk Light before 6.6.0 has Persistent XSS, aka SPL-138827.