Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

9/28/2018
10:30 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

How Data Security Improves When You Engage Employees in the Process

When it comes to protecting information, we can all do better. But encouraging a can-do attitude goes a long way toward discouraging users' risky behaviors.

Even with best-in-class data breach protection and prevention technology, strong security and privacy practices start internally — with your employees. There are several ways to go about this, but based on my work in the field for over 10 years, the most effective ways to lower a company's risk exposure begin and end with a positive approach. Here are three examples:

1. Give Employees a Reason to Care
Communicating security messages that are relatable and provide actionable steps employees can take to protect information and respond to threats is more effective than authoritative commands. Encouraging a can-do attitude also goes a long way. When employees aren't afraid of being punished for mistakes, like accidentally clicking on a phishing link, they're more likely to exhibit positive behaviors. You can reinforce these behaviors by reminding employees that information security is a team effort for the protection of the entire company.

Another way to engage employees is a rewards system for good behavior. These range from physical rewards (monetary or otherwise) to recognition (a lottery system or nomination process for recognizing your peers) and even gamification (a friendly competition that tracks performance on a leaderboard). Combining two of these concepts, Salesforce, a cloud computing company, piloted a security awareness gamification initiative focused on positive recognition rather than negative reinforcement. According to chief trust officer Patrick Heim, after 18 months, participants were 50% less likely to click on a phishing link and 82% more likely to report a phishing email.

2. Offer Choices, not Mandates
Reframe the conversation to focus on a partnership with employees, giving them multiple strategies for protecting information and responding to potential threats. By offering choices and getting their buy-in, you can make employees feel like part of the solution. For example, instead of saying, "You must adopt this security measure," try saying "Here are four options we recommend, and you can choose the one you're most comfortable using." Employees learn in different ways, so it can be helpful to give them multiple ways to achieve the same goal of enhancing security with secure passwords, for example, and complying with company policies.

A great example of inclusive programming is anti-phishing training, which teaches employees to identify fraudulent attempts to obtain sensitive information electronically, often for malicious reasons, under the guise of a trustworthy source. In order for this training to be successful, employees must learn how to make choices when they receive potential phishing emails. Experiential training with real-world simulations — where employees build their knowledge base and ability to make choices in the moment, as it relates to them and their learning style — has proved to be effective. According to the research from Herman Miller Learning Pyramid, learning by doing yields a 75% knowledge retention rate compared with 5% relying on lectures.

Giving employees a choice of password management software to use to achieve company security may also foster an environment of partnership versus rigid control. There are several strategies for coming up with a strong and unique password, allowing users to memorize them in different ways. One way is to think of an everyday phrase that is easy to remember, such as "My favorite action movie is 2 Fast 2 Furious!" Then grab the first digit of each word, which becomes "Mfami2F2F!"

3. It's About Security, not Perfection
Historically, companies have used deterrent strategies or fear appeals to discourage risky behaviors. Today, it's more effective to encourage positive behaviors by finding out what motivates employees and then communicating security messages that align with those motivations. At Family Insurance Solutions, for example, IT security administrator Jordan Schroeder noted in an interview that employees who were once his biggest concern are now his best partners in security because, in response to phishing and break-in attempts, he relies on positive feedback and messages of encouragement when they do the right thing. When they do the wrong thing, he shows them the correct behavior. Unlike Salesforce, there is no gamification, but the results are evident in employees' behavior as they educate themselves and no longer hide what they did wrong for fear of reprisal.

When it comes to protecting information, we can all do better. But if employees fail, it's important they feel encouraged to immediately report it and do the right thing. At the end of the day, perfection is not the goal — it's lowering your organization's risk exposure.

Related Content:

 

Black Hat Europe returns to London Dec., 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Robert E. Crossler, an assistant professor of information systems, joined the Department of Management, Information Systems & Entrepreneurship in the Carson College of Business at Washington State University in July 2016. He obtained his bachelor's degree in information ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
rob.crossler@wsu.edu
50%
50%
[email protected],
User Rank: Author
9/28/2018 | 2:59:04 PM
Re: Passwords
Security keys are a great alternative. However, passwords are not going away any time soon so having a strategy to increase password behavior is a necessary step as well.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
9/28/2018 | 2:30:30 PM
Minimizing the risk
At the end of the day, perfection is not the goal it's lowering your organization's risk exposure. That is true, minimizing the risk. We will not be able to avoid it all together regardless.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
9/28/2018 | 2:28:22 PM
Passwords
Giving employees a choice of password management software to use to achieve company security may also foster an environment of partnership versus rigid control. How about no password, use security keys, i know challenging but nothing is worst than passwords.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
9/28/2018 | 2:26:24 PM
choices?
"Here are four options we recommend, and you can choose the one you're most comfortable using." This is really good thinking. Sometime there is no choices tough.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
9/28/2018 | 2:24:40 PM
Reward
Another way to engage employees is a rewards system for good behavior. Rewarding good behavior is the way to go in my view. So if they report a phishing email that is one award for example,
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
9/28/2018 | 2:22:49 PM
Like the list
I like the list, a specially Give Employees a Reason to Care is the one that would make a difference I would say.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Introducing 'Secure Access Service Edge'
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  7/3/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5607
PUBLISHED: 2020-07-10
Open redirect vulnerability in SHIRASAGI v1.13.1 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
CVE-2020-15001
PUBLISHED: 2020-07-09
An information leak was discovered on Yubico YubiKey 5 NFC devices 5.0.0 to 5.2.6 and 5.3.0 to 5.3.1. The OTP application allows a user to set optional access codes on OTP slots. This access code is intended to prevent unauthorized changes to OTP configurations. The access code is not checked when u...
CVE-2020-15092
PUBLISHED: 2020-07-09
In TimelineJS before version 3.7.0, some user data renders as HTML. An attacker could implement an XSS exploit with maliciously crafted content in a number of data fields. This risk is present whether the source data for the timeline is stored on Google Sheets or in a JSON configuration file. Most T...
CVE-2020-15093
PUBLISHED: 2020-07-09
The tough library (Rust/crates.io) prior to version 0.7.1 does not properly verify the threshold of cryptographic signatures. It allows an attacker to duplicate a valid signature in order to circumvent TUF requiring a minimum threshold of unique signatures before the metadata is considered valid. A ...
CVE-2020-15299
PUBLISHED: 2020-07-09
A reflected Cross-Site Scripting (XSS) Vulnerability in the KingComposer plugin through 2.9.4 for WordPress allows remote attackers to trick a victim into submitting an install_online_preset AJAX request containing base64-encoded JavaScript (in the kc-online-preset-data POST parameter) that is execu...