9/28/2018
10:30 AM
How Data Security Improves When You Engage Employees in the Process

When it comes to protecting information, we can all do better. But encouraging a can-do attitude goes a long way toward discouraging users' risky behaviors.

Even with best-in-class data breach protection and prevention technology, strong security and privacy practices start internally — with your employees. There are several ways to go about this, but based on my work in the field for over 10 years, the most effective ways to lower a company's risk exposure begin and end with a positive approach. Here are three examples:

1. Give Employees a Reason to Care
Communicating security messages that are relatable and provide actionable steps employees can take to protect information and respond to threats is more effective than authoritative commands. Encouraging a can-do attitude also goes a long way. When employees aren't afraid of being punished for mistakes, like accidentally clicking on a phishing link, they're more likely to exhibit positive behaviors. You can reinforce these behaviors by reminding employees that information security is a team effort for the protection of the entire company.

Another way to engage employees is a rewards system for good behavior. These range from physical rewards (monetary or otherwise) to recognition (a lottery system or nomination process for recognizing your peers) and even gamification (a friendly competition that tracks performance on a leaderboard). Combining two of these concepts, Salesforce, a cloud computing company, piloted a security awareness gamification initiative focused on positive recognition rather than negative reinforcement. According to chief trust officer Patrick Heim, after 18 months, participants were 50% less likely to click on a phishing link and 82% more likely to report a phishing email.

2. Offer Choices, not Mandates
Reframe the conversation to focus on a partnership with employees, giving them multiple strategies for protecting information and responding to potential threats. By offering choices and getting their buy-in, you can make employees feel like part of the solution. For example, instead of saying, "You must adopt this security measure," try saying, "Here are four options we recommend, and you can choose the one you're most comfortable using." Employees learn in different ways, so it can be helpful to give them multiple ways to achieve the same goal, such as enhancing security with strong passwords and complying with company policies.

A great example of inclusive programming is anti-phishing training, which teaches employees to identify fraudulent attempts to obtain sensitive information electronically, often for malicious reasons, under the guise of a trustworthy source. In order for this training to be successful, employees must learn how to make choices when they receive potential phishing emails. Experiential training with real-world simulations — where employees build their knowledge base and ability to make choices in the moment, as it relates to them and their learning style — has proved to be effective. According to the research from Herman Miller Learning Pyramid, learning by doing yields a 75% knowledge retention rate compared with 5% relying on lectures.

Giving employees a choice of password management software to meet company security requirements may also foster an environment of partnership versus rigid control. There are several strategies for coming up with a strong and unique password, allowing users to memorize them in different ways. One way is to think of an everyday phrase that is easy to remember, such as "My favorite action movie is 2 Fast 2 Furious!" Then take the first character of each word, keeping the digits and the closing punctuation, which becomes "Mfami2F2F!"

3. It's About Security, not Perfection
Historically, companies have used deterrent strategies or fear appeals to discourage risky behaviors. Today, it's more effective to encourage positive behaviors by finding out what motivates employees and then communicating security messages that align with those motivations. At Family Insurance Solutions, for example, IT security administrator Jordan Schroeder noted in an interview that employees who were once his biggest concern are now his best partners in security because, in response to phishing and break-in attempts, he relies on positive feedback and messages of encouragement when they do the right thing. When they do the wrong thing, he shows them the correct behavior. Unlike at Salesforce, there is no gamification, but the results are evident in employees' behavior as they educate themselves and no longer hide what they did wrong for fear of reprisal.

When it comes to protecting information, we can all do better. But if employees fail, it's important they feel encouraged to immediately report it and do the right thing. At the end of the day, perfection is not the goal — it's lowering your organization's risk exposure.


Robert E. Crossler, an assistant professor of information systems, joined the Department of Management, Information Systems & Entrepreneurship in the Carson College of Business at Washington State University in July 2016. He obtained his bachelor's degree in information ...
Comments
rob.crossler@wsu.edu
User Rank: Author
9/28/2018 | 2:59:04 PM
Re: Passwords
Security keys are a great alternative. However, passwords are not going away any time soon so having a strategy to increase password behavior is a necessary step as well.
Dr.T
User Rank: Ninja
9/28/2018 | 2:30:30 PM
Minimizing the risk
At the end of the day, perfection is not the goal; it's lowering your organization's risk exposure. That is true: minimizing the risk. We will not be able to avoid it altogether regardless.
Dr.T
User Rank: Ninja
9/28/2018 | 2:28:22 PM
Passwords
Giving employees a choice of password management software to use to achieve company security may also foster an environment of partnership versus rigid control. How about no password? Use security keys; I know it's challenging, but nothing is worse than passwords.
Dr.T
User Rank: Ninja
9/28/2018 | 2:26:24 PM
choices?
"Here are four options we recommend, and you can choose the one you're most comfortable using." This is really good thinking. Sometimes there are no choices, though.
Dr.T
User Rank: Ninja
9/28/2018 | 2:24:40 PM
Reward
Another way to engage employees is a rewards system for good behavior. Rewarding good behavior is the way to go in my view. So if they report a phishing email, that is one award, for example.
Dr.T
User Rank: Ninja
9/28/2018 | 2:22:49 PM
Like the list
I like the list; especially "Give Employees a Reason to Care" is the one that would make a difference, I would say.