Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

9/28/2018
10:30 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

How Data Security Improves When You Engage Employees in the Process

When it comes to protecting information, we can all do better. But encouraging a can-do attitude goes a long way toward discouraging users' risky behaviors.

Even with best-in-class data breach protection and prevention technology, strong security and privacy practices start internally — with your employees. There are several ways to go about this, but based on my work in the field for over 10 years, the most effective ways to lower a company's risk exposure begin and end with a positive approach. Here are three examples:

1. Give Employees a Reason to Care
Communicating security messages that are relatable and provide actionable steps employees can take to protect information and respond to threats is more effective than authoritative commands. Encouraging a can-do attitude also goes a long way. When employees aren't afraid of being punished for mistakes, like accidentally clicking on a phishing link, they're more likely to exhibit positive behaviors. You can reinforce these behaviors by reminding employees that information security is a team effort for the protection of the entire company.

Another way to engage employees is a rewards system for good behavior. These range from physical rewards (monetary or otherwise) to recognition (a lottery system or nomination process for recognizing your peers) and even gamification (a friendly competition that tracks performance on a leaderboard). Combining two of these concepts, Salesforce, a cloud computing company, piloted a security awareness gamification initiative focused on positive recognition rather than negative reinforcement. According to chief trust officer Patrick Heim, after 18 months, participants were 50% less likely to click on a phishing link and 82% more likely to report a phishing email.

2. Offer Choices, not Mandates
Reframe the conversation to focus on a partnership with employees, giving them multiple strategies for protecting information and responding to potential threats. By offering choices and getting their buy-in, you can make employees feel like part of the solution. For example, instead of saying, "You must adopt this security measure," try saying "Here are four options we recommend, and you can choose the one you're most comfortable using." Employees learn in different ways, so it can be helpful to give them multiple ways to achieve the same goal of enhancing security with secure passwords, for example, and complying with company policies.

A great example of inclusive programming is anti-phishing training, which teaches employees to identify fraudulent attempts to obtain sensitive information electronically, often for malicious reasons, under the guise of a trustworthy source. In order for this training to be successful, employees must learn how to make choices when they receive potential phishing emails. Experiential training with real-world simulations — where employees build their knowledge base and ability to make choices in the moment, as it relates to them and their learning style — has proved to be effective. According to the research from Herman Miller Learning Pyramid, learning by doing yields a 75% knowledge retention rate compared with 5% relying on lectures.

Giving employees a choice of password management software to use to achieve company security may also foster an environment of partnership versus rigid control. There are several strategies for coming up with a strong and unique password, allowing users to memorize them in different ways. One way is to think of an everyday phrase that is easy to remember, such as "My favorite action movie is 2 Fast 2 Furious!" Then grab the first digit of each word, which becomes "Mfami2F2F!"

3. It's About Security, not Perfection
Historically, companies have used deterrent strategies or fear appeals to discourage risky behaviors. Today, it's more effective to encourage positive behaviors by finding out what motivates employees and then communicating security messages that align with those motivations. At Family Insurance Solutions, for example, IT security administrator Jordan Schroeder noted in an interview that employees who were once his biggest concern are now his best partners in security because, in response to phishing and break-in attempts, he relies on positive feedback and messages of encouragement when they do the right thing. When they do the wrong thing, he shows them the correct behavior. Unlike Salesforce, there is no gamification, but the results are evident in employees' behavior as they educate themselves and no longer hide what they did wrong for fear of reprisal.

When it comes to protecting information, we can all do better. But if employees fail, it's important they feel encouraged to immediately report it and do the right thing. At the end of the day, perfection is not the goal — it's lowering your organization's risk exposure.

Related Content:

 

Black Hat Europe returns to London Dec., 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Robert E. Crossler, an assistant professor of information systems, joined the Department of Management, Information Systems & Entrepreneurship in the Carson College of Business at Washington State University in July 2016. He obtained his bachelor's degree in information ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
rob.crossler@wsu.edu
50%
50%
[email protected],
User Rank: Author
9/28/2018 | 2:59:04 PM
Re: Passwords
Security keys are a great alternative. However, passwords are not going away any time soon so having a strategy to increase password behavior is a necessary step as well.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
9/28/2018 | 2:30:30 PM
Minimizing the risk
At the end of the day, perfection is not the goal it's lowering your organization's risk exposure. That is true, minimizing the risk. We will not be able to avoid it all together regardless.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
9/28/2018 | 2:28:22 PM
Passwords
Giving employees a choice of password management software to use to achieve company security may also foster an environment of partnership versus rigid control. How about no password, use security keys, i know challenging but nothing is worst than passwords.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
9/28/2018 | 2:26:24 PM
choices?
"Here are four options we recommend, and you can choose the one you're most comfortable using." This is really good thinking. Sometime there is no choices tough.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
9/28/2018 | 2:24:40 PM
Reward
Another way to engage employees is a rewards system for good behavior. Rewarding good behavior is the way to go in my view. So if they report a phishing email that is one award for example,
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
9/28/2018 | 2:22:49 PM
Like the list
I like the list, a specially Give Employees a Reason to Care is the one that would make a difference I would say.
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Unreasonable Security Best Practices vs. Good Risk Management
Jack Freund, Director, Risk Science at RiskLens,  11/13/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19010
PUBLISHED: 2019-11-16
Eval injection in the Math plugin of Limnoria (before 2019.11.09) and Supybot (through 2018-05-09) allows remote unprivileged attackers to disclose information or possibly have unspecified other impact via the calc and icalc IRC commands.
CVE-2019-16761
PUBLISHED: 2019-11-15
A specially crafted Bitcoin script can cause a discrepancy between the specified SLP consensus rules and the validation result of the [email protected] npm package. An attacker could create a specially crafted Bitcoin script in order to cause a hard-fork from the SLP consensus. All versions >1.0...
CVE-2019-16762
PUBLISHED: 2019-11-15
A specially crafted Bitcoin script can cause a discrepancy between the specified SLP consensus rules and the validation result of the slpjs npm package. An attacker could create a specially crafted Bitcoin script in order to cause a hard-fork from the SLP consensus. Affected users can upgrade to any...
CVE-2019-13581
PUBLISHED: 2019-11-15
An issue was discovered in Marvell 88W8688 Wi-Fi firmware before version p52, as used on Tesla Model S/X vehicles manufactured before March 2018, via the Parrot Faurecia Automotive FC6050W module. A heap-based buffer overflow allows remote attackers to cause a denial of service or execute arbitrary ...
CVE-2019-13582
PUBLISHED: 2019-11-15
An issue was discovered in Marvell 88W8688 Wi-Fi firmware before version p52, as used on Tesla Model S/X vehicles manufactured before March 2018, via the Parrot Faurecia Automotive FC6050W module. A stack overflow could lead to denial of service or arbitrary code execution.