Vulnerabilities / Threats

6/18/2018
10:30 AM
Marc Laliberte
Marc Laliberte
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

3 Tips for Driving User Buy-in to Security Policies

Teaching users why it's important to commit to security controls is a far more effective strategy than simply demanding that they follow them. Here's how.

IT usage and security policies can be an annoyance for employees who simply see them as draconian roadblocks for their daily activities. With the rise of privacy tools, such as VPNs and privacy-focused web browsers, it's never been easier for users to circumvent organizational controls and, in turn, increase a company's risk profile.

Case in point: A 2018 Insider Threat Intelligence Report from Dtex found that last year 60% of users surveyed were using anonymous or private browsing to bypass company security policies. The report also found that in 91% of assessments, personal email usage was occurring on company machines, which significantly increases the chances of a phishing attack affecting corporate resources. Even the best corporate security policies mean nothing if users don't follow them.

That's why teaching users why it's important to commit to security policies and controls is a far more effective strategy than simply demanding that they follow them. For example, relaxing rules, gamifying education and testing, or simply explaining the "why" behind rules can do a lot to help drive employee acceptance.

By making a few changes in how you implement your security rules, you can make your company more secure. Here are three tips.

Tip 1: Relax Security Rules
As a security professional, I understand the value of advocating for the strongest security possible. To be honest, if I had my way, users would use complex, 24-plus-character passwords, ignore all email attachments, and be blocked from accessing the Internet outside of specific whitelisted websites required for their jobs. But this isn't realistic. Applying overbearing security policies is an effective way to get employees to ignore sensible security practices out of spite.

On the other hand, by relaxing some rules, IT can drive better policy adoption. For example, easing up on the websites you block can reduce the urge for users to try and proxy or VPN around corporate protections. Allowing less complex (but still secure) passwords can reduce password reuse and dissuade users from simply swapping in a new number when it comes time for a quarterly password reset. In fact, last year the National Institute for Standards and Technology (NIST) updated its password enforcement guidelines to remove complexity and expiration requirements, among other similar changes.

Tip 2: Engage Users with Meaningful Training
All it takes is one unaware user clicking a malicious link in a phishing email to breach a company. Employee training is a critical part of every security plan, so engaging users with interesting and effective security awareness training programs is crucial. Gamification is also a great way to boost interest and get employees to pay attention to the important information. Changing out the slide deck for a "find the phish" game can help keep users engaged in the content and focused on the ultimate goal. Implementing a points system with a training leaderboard and prizes can encourage employees to pay attention and pass knowledge assessments. 

Tip 3: Explain Why
Security pros have all encountered users who ignore security rules because they don't understand the true implications behind them. Explaining the purpose behind your security policies is vital to bringing these users on board. Instead of simply blocking access to personal email websites, like Gmail or Hotmail, explain the risks these sites pose to the organization when users bypass anti-phishing protections. Demonstrating how easy it is to brute-force short passwords might help them understand why longer passwords are vital. Discussing the actual impact of ransomware can work a lot better than just telling your employees to use network backup locations.

These exercises are equally important for the policy creators. If you can't define a clear "why" for a policy rule, then it probably shouldn't be a rule. It's easy for security professionals to go for the "Fort Knox" approach to security, but different organizations have different threat models. A policy that works great for a Fortune 500 company might not be appropriate for a 12-person shop. Regardless, a little bit of "why" education can go a long way in making users more amenable to new policies.

When it comes to security, the goal should not be to create absolute security, but to be as secure as possible given the demands of the business model and the user group you have to work with. The best security plan is one that everyone can get on board with, and that doesn't have to be difficult to achieve.

Related Content:

Why Cybercriminals Attack: A DARK READING VIRTUAL EVENT Wednesday, June 27. Industry experts will offer a range of information and insight on who the bad guys are – and why they might be targeting your enterprise. Go here for more information on this free event.

Marc Laliberte is an information security threat analyst at WatchGuard Technologies. Specializing in network security technologies, Marc's industry experience allows him to conduct meaningful information security research and educate audiences on the latest cybersecurity ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
NathanDavidson
50%
50%
NathanDavidson,
User Rank: Apprentice
7/23/2018 | 1:41:25 AM
Re: Rules are created for betterment
I personally don't think that there are very many companies or employees who enjoy having security protocol, but hopefully they understand the necessity of the framework being in place. At the end of the day, all of these measures are put in and implemented in order to safeguard the information inside the company or even just to protect user and customer data. Surely these people can see that there is merit in protecting that if they put themselves in the customer's shoes...
dwayne22
50%
50%
dwayne22,
User Rank: Apprentice
7/5/2018 | 3:18:38 AM
Rules are created for betterment
The rules are created for betterment they should be followed and especially the security policies but still, they use VPNs and personal email to access other websites because of that it's really not easy for users to circumvent organizational controls. There should a rule for using VPN in the USA and also for other countries. 
Google Engineering Lead on Lessons Learned From Chrome's HTTPS Push
Kelly Sheridan, Staff Editor, Dark Reading,  8/8/2018
White Hat to Black Hat: What Motivates the Switch to Cybercrime
Kelly Sheridan, Staff Editor, Dark Reading,  8/8/2018
PGA of America Struck By Ransomware
Dark Reading Staff 8/9/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-3937
PUBLISHED: 2018-08-14
An exploitable command injection vulnerability exists in the measurementBitrateExec functionality of Sony IPELA E Series Network Camera G5 firmware 1.87.00. A specially crafted GET request can cause arbitrary commands to be executed. An attacker can send an HTTP request to trigger this vulnerability...
CVE-2018-3938
PUBLISHED: 2018-08-14
An exploitable stack-based buffer overflow vulnerability exists in the 802dot1xclientcert.cgi functionality of Sony IPELA E Series Camera G5 firmware 1.87.00. A specially crafted POST can cause a stack-based buffer overflow, resulting in remote code execution. An attacker can send a malicious POST r...
CVE-2018-12537
PUBLISHED: 2018-08-14
In Eclipse Vert.x version 3.0 to 3.5.1, the HttpServer response headers and HttpClient request headers do not filter carriage return and line feed characters from the header value. This allow unfiltered values to inject a new header in the client request or server response.
CVE-2018-12539
PUBLISHED: 2018-08-14
In Eclipse OpenJ9 version 0.8, users other than the process owner may be able to use Java Attach API to connect to an Eclipse OpenJ9 or IBM JVM on the same machine and use Attach API operations, which includes the ability to execute untrusted native code. Attach API is enabled by default on Windows,...
CVE-2018-3615
PUBLISHED: 2018-08-14
Systems with microprocessors utilizing speculative execution and Intel software guard extensions (Intel SGX) may allow unauthorized disclosure of information residing in the L1 data cache from an enclave to an attacker with local user access via a side-channel analysis.