Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

6/18/2018
10:30 AM
Marc Laliberte
Marc Laliberte
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

3 Tips for Driving User Buy-in to Security Policies

Teaching users why it's important to commit to security controls is a far more effective strategy than simply demanding that they follow them. Here's how.

IT usage and security policies can be an annoyance for employees who simply see them as draconian roadblocks for their daily activities. With the rise of privacy tools, such as VPNs and privacy-focused web browsers, it's never been easier for users to circumvent organizational controls and, in turn, increase a company's risk profile.

Case in point: A 2018 Insider Threat Intelligence Report from Dtex found that last year 60% of users surveyed were using anonymous or private browsing to bypass company security policies. The report also found that in 91% of assessments, personal email usage was occurring on company machines, which significantly increases the chances of a phishing attack affecting corporate resources. Even the best corporate security policies mean nothing if users don't follow them.

That's why teaching users why it's important to commit to security policies and controls is a far more effective strategy than simply demanding that they follow them. For example, relaxing rules, gamifying education and testing, or simply explaining the "why" behind rules can do a lot to help drive employee acceptance.

By making a few changes in how you implement your security rules, you can make your company more secure. Here are three tips.

Tip 1: Relax Security Rules
As a security professional, I understand the value of advocating for the strongest security possible. To be honest, if I had my way, users would use complex, 24-plus-character passwords, ignore all email attachments, and be blocked from accessing the Internet outside of specific whitelisted websites required for their jobs. But this isn't realistic. Applying overbearing security policies is an effective way to get employees to ignore sensible security practices out of spite.

On the other hand, by relaxing some rules, IT can drive better policy adoption. For example, easing up on the websites you block can reduce the urge for users to try and proxy or VPN around corporate protections. Allowing less complex (but still secure) passwords can reduce password reuse and dissuade users from simply swapping in a new number when it comes time for a quarterly password reset. In fact, last year the National Institute for Standards and Technology (NIST) updated its password enforcement guidelines to remove complexity and expiration requirements, among other similar changes.

Tip 2: Engage Users with Meaningful Training
All it takes is one unaware user clicking a malicious link in a phishing email to breach a company. Employee training is a critical part of every security plan, so engaging users with interesting and effective security awareness training programs is crucial. Gamification is also a great way to boost interest and get employees to pay attention to the important information. Changing out the slide deck for a "find the phish" game can help keep users engaged in the content and focused on the ultimate goal. Implementing a points system with a training leaderboard and prizes can encourage employees to pay attention and pass knowledge assessments. 

Tip 3: Explain Why
Security pros have all encountered users who ignore security rules because they don't understand the true implications behind them. Explaining the purpose behind your security policies is vital to bringing these users on board. Instead of simply blocking access to personal email websites, like Gmail or Hotmail, explain the risks these sites pose to the organization when users bypass anti-phishing protections. Demonstrating how easy it is to brute-force short passwords might help them understand why longer passwords are vital. Discussing the actual impact of ransomware can work a lot better than just telling your employees to use network backup locations.

These exercises are equally important for the policy creators. If you can't define a clear "why" for a policy rule, then it probably shouldn't be a rule. It's easy for security professionals to go for the "Fort Knox" approach to security, but different organizations have different threat models. A policy that works great for a Fortune 500 company might not be appropriate for a 12-person shop. Regardless, a little bit of "why" education can go a long way in making users more amenable to new policies.

When it comes to security, the goal should not be to create absolute security, but to be as secure as possible given the demands of the business model and the user group you have to work with. The best security plan is one that everyone can get on board with, and that doesn't have to be difficult to achieve.

Related Content:

Why Cybercriminals Attack: A DARK READING VIRTUAL EVENT Wednesday, June 27. Industry experts will offer a range of information and insight on who the bad guys are – and why they might be targeting your enterprise. Go here for more information on this free event.

Marc Laliberte is a senior security analyst at WatchGuard Technologies. Specializing in networking security protocols and Internet of Things technologies, Marc's day-to-day responsibilities include researching and reporting on the latest information security threats and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
NathanDavidson
50%
50%
NathanDavidson,
User Rank: Apprentice
7/23/2018 | 1:41:25 AM
Re: Rules are created for betterment
I personally don't think that there are very many companies or employees who enjoy having security protocol, but hopefully they understand the necessity of the framework being in place. At the end of the day, all of these measures are put in and implemented in order to safeguard the information inside the company or even just to protect user and customer data. Surely these people can see that there is merit in protecting that if they put themselves in the customer's shoes...
dwayne22
50%
50%
dwayne22,
User Rank: Apprentice
7/5/2018 | 3:18:38 AM
Rules are created for betterment
The rules are created for betterment they should be followed and especially the security policies but still, they use VPNs and personal email to access other websites because of that it's really not easy for users to circumvent organizational controls. There should a rule for using VPN in the USA and also for other countries. 
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12420
PUBLISHED: 2019-12-12
In Apache SpamAssassin before 3.4.3, a message can be crafted in a way to use excessive resources. Upgrading to SA 3.4.3 as soon as possible is the recommended fix but details will not be shared publicly.
CVE-2019-16774
PUBLISHED: 2019-12-12
In phpfastcache before 5.1.3, there is a possible object injection vulnerability in cookie driver.
CVE-2018-11805
PUBLISHED: 2019-12-12
In Apache SpamAssassin before 3.4.3, nefarious CF files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA 3.4.3, we recommend that users should only use update channels or 3rd party .cf ...
CVE-2019-5061
PUBLISHED: 2019-12-12
An exploitable denial-of-service vulnerability exists in the hostapd 2.6, where an attacker could trigger AP to send IAPP location updates for stations, before the required authentication process has completed. This could lead to different denial of service scenarios, either by causing CAM table att...
CVE-2019-5062
PUBLISHED: 2019-12-12
An exploitable denial-of-service vulnerability exists in the 802.11w security state handling for hostapd 2.6 connected clients with valid 802.11w sessions. By simulating an incomplete new association, an attacker can trigger a deauthentication against stations using 802.11w, resulting in a denial of...