A confused marketing team member nervously buys $1,000 worth of Amazon gift cards after receiving purchasing instructions via text from the "boss." The entire sales team mindlessly accepts cookies while visiting competitor websites and skips through privacy disclosures when downloading new apps to gather business intel. Your phone vibrates, and it's a client. They're demanding to know why sensitive customer information is in an unsecured Google Doc.
These panic-inducing scenarios are familiar to most modern IT and security leaders and share something in common. Each hypothetical breakdown is the result of employees — and the digital public as a whole — being lulled into a false sense of security regarding their online behaviors.
While IT and security leaders are aware of the accelerating landscape of digital threats, employees are less prepared, creating a risk for every organization.
Security Theater Distracts From Steady Improvements
We've seen the introduction of major privacy legislation to curb the rise in digital threats, which I fully support. However, sweeping laws like GDPR and the regulations established stateside have functioned more as security theater than as actual protection.
What's security theater? It's a set of rules or guidelines that offer the appearance of security but don't guarantee it. Users aren't blameless, either. Security theater can also occur when consumers grow apathetic about well-intentioned protections. For example, while cookie notifications demonstrate transparency about how and where websites track and use customer data, does anyone read the full privacy statements? Do users understand the consequences of what they click? Or are they too inundated with notifications to notice?
Until digital literacy and safety standards become mandatory in school curricula, the best way to ensure your employees are well-versed in the risks of their online actions is to reframe their thinking through improved security training and education.
As a technology leader, you know each employee is an endpoint capable of inviting risk into the organization. But that also means employees can become safeguards against threats — when adequately prepared and in the right headspace.
Remove the Smoke and Mirrors
In addition to mandatory, routine training and security tools, the best way to ensure employees stay vigilant about potential risks is to help them reframe their online mindset and encourage them to apply critical thinking when evaluating and defending against internal and external threats. Helping employees develop a healthier understanding of what's at stake when they engage online — and of the value of the information they interact with once there — strengthens digital habits and builds more mindful, proactive thinking, both when a threat appears and before one occurs.
Here are three mindset shifts to start with:
- Understand data's fundamental value. Employees — and most online consumers — don't give much thought before hitting "accept all" when encountering cookies. Similarly, users skim or even skip privacy notices on apps or when signing up for services. These behaviors feel perfunctory because such security notifications are nonstop when we engage online — and because "accepting" rarely feels like the value exchange it actually is. If you can help employees understand the value of their data, they're more likely to realize how consequential every online decision is and to think more critically before clicking and accepting. Considering that one in three US workers has few or no skills using digital devices, a significant missing component of more robust security is workplace digital literacy training that focuses on the specific threats faced by your organization and industry.
- Act with intention. When people realize the value of their data, they become more vigilant and protective of it. But your employees should also feel encouraged to proactively ask questions about risks and formulate better ways to protect themselves. For example, your teams should have access to, and familiarity with, a standardized communication plan for when they receive phishing texts or emails. Instead of simply deleting these messages, all employees should screenshot them, forward the images to the department in charge of security, and immediately alert fellow team members to the message. A discerning eye for security threats is only the first step — next, your employees should feel prepared to handle suspicious activity when they encounter it.
- Follow data best practices, no matter the context. It's important to determine whether your employees understand that customer data is sacred no matter how far removed they are from your actual clients. A good example of this concept comes from where I sit in legal tech. Our law firm customers deal daily with their clients on topics including divorce, bankruptcy, complex real-estate purchases, and more. Naturally, these legal proceedings involve a tremendous amount of personal, sensitive data stored on our platform. We take the protection of this information extremely seriously, knowing that a breach cannot be undone and may ruin lives, and we continually work to improve our protective mechanisms. Protection against threats takes a team effort. As a result, we encourage our law firm clients to ensure that all their employees understand their role in protecting private information. We inform customers of security best practices — such as using a password manager and enabling two-factor authentication, avoiding sending or sharing documents from unsecured accounts or devices, and putting contingency plans in place in case sensitive client information is accidentally shared.
When employees understand how their day-to-day behaviors — no matter how small — can expose sensitive data, they're less likely to introduce risk in the first place. While you strive to train employees on how to protect data in every scenario, building a habit of vigilance reduces the amount of reactive problem-solving later required.
Improving your employees' fundamental understanding and respect for the value of data shields your organization from digital threats. But without reinforcing this understanding through ongoing mindset shifts, the status quo and security theater of repetitive privacy notifications will make employees feel more complacent. With complacency comes risk — so, are your employees thinking critically about their online behaviors?
And are you thinking critically about it, too?