Want Your Staff To Take IT Security Seriously? Speak Their Language!

Staff Security

Let’s face it, IT security training can be a chore. Staff switch off because it doesn’t help them further their career and it gets in the way of day-to-day activities, and the IT department gets bored repeating the same messages over and over again to employees who continue to ignore them.

But the messages are important because users are vulnerable. According to Adam Cotton, a cyber security analyst at Criterion Systems, they are the most often exploited vulnerability used in an attack. And with 300,000 internal security breaches in the UK alone last year, it’s hard to deny that vulnerability.

Why Employees Break The Rules

It’s easy to see why employees flout company regulation on IT security. In the IS Decisions Insider Threat Peer Report, which gives rare insights into views on internal security from a number of senior security and IT professionals, one respondent noted that older users tend to disregard security measures because they don’t fully understand and younger people tend to disregard them because it slows them down.

There are plenty of examples of this “where’s-the-harm-in-that?” attitude. If a person wants to print a document out the office, they can give their password to someone else who is in the office to print it for them. Bob’s your uncle, we have a printed file, but the person who shared their password doesn’t think about the potential consequences of their recent security breach.

The reason why employees tend to disregard internal security is because they don’t fully understand the seriousness of their actions, which could be partially because of the IT department’s lack of clarity in training. And because consequences of bad practice don’t always affect the perpetrator directly, if a person shares a password that then falls into the wrong hands and there’s data theft, the company suffers much more so than the individual.

The other reason stems from users’ own personal experience of IT security and willingness to take risks. If person A trusts person B, there’s little reason in holding back login details if that’s going to mean it takes longer to print that damned file. Both parties are simply taking a risk based on their own perception of security — not the company’s.

Take It To The Employees’ Level

Another respondent in the Insider Threat Peer Report highlighted the importance of communicating in the same language as whom the IT department is training. Joseph Reyes, IT manager at Bellicum Pharmaceuticals, said: “In the biotech industry, executives tend to listen when the conversation is the theft of intellectual property.

“They understand the need for forensics and the ability to find out who did what and when they did it. I think when you can show that an idea can be stolen and that you can get the tools to either watch when that is occurring or identify who did it after it occurred, you become a hero.”

That rule of training people in their own language can apply to any industry and any type of person. Another respondent in the peer report stated that postgraduate students pose a risk because “they have elevated access to systems, but at the same time still behave as students.”

So when you’re training a group of recent graduates, don’t talk to them about password sharing, which could lead to the theft of company data in the cloud. Talk to them about security in terms of not leaving their student house keys around, so they don’t get their laptop and Xbox stolen.

Explain to graduates that while lending front-door keys to a friend is relatively safe if you get those keys back, once you give a password to a colleague, they can access your files whenever they like until you effectively change the locks by changing your password. The more people that know shared sensitive information, the greater the risk that that information is going to leak out somewhere.

Using Technology To Back Up The Training

While companies can improve their training by tailoring language, they also need to make employees more accountable for their actions. Training can reduce the threat of careless employee behaviour, but it doesn’t stop malicious users from working their evil magic. That’s why the IT department needs technology to provide a second line of defence against threats.

With real-time monitoring, risk indicators, policy rules and a complete view of network activity, it’s possible to:

  • Detect suspicious access, and alert users and administrators automatically to anomalies.
  • Manage and secure mobile users, whether they’re on laptops, tablets or smartphones.
  • Restrict and monitor access to sensitive files so employees can only access the files and systems they need.
  • Restrict concurrent logins, eliminating the possible windows in which unauthorised users can access sensitive information.

The resounding message from the Insider Threat Peer Report is that training is key to reducing insider threats. Most organisations have a training process in place to some extent but to make it most effective, tailor it to the employees and make them accountable.

François Amigorena is founder and CEO of IS Decisions, a provider of Infrastructure and Security Management software solutions for Microsoft Windows and Active Directory. IS Decisions offer solutions for user access control, file auditing, server and desktop reporting, and remote installations. Its customers, including the FBI, the United Nations and Barclay’s, rely on IS Decisions to prevent security breaches, ensure compliance with major regulations, such as SOX, FISMA and HIPAA, quickly respond to IT emergencies and gain time and cost-savings for IT.