Vulnerabilities / Threats

6/18/2018
10:30 AM
Marc Laliberte
Commentary

3 Tips for Driving User Buy-in to Security Policies

Teaching users why it's important to commit to security controls is a far more effective strategy than simply demanding that they follow them. Here's how.

IT usage and security policies can be an annoyance for employees who simply see them as draconian roadblocks for their daily activities. With the rise of privacy tools, such as VPNs and privacy-focused web browsers, it's never been easier for users to circumvent organizational controls and, in turn, increase a company's risk profile.

Case in point: A 2018 Insider Threat Intelligence Report from Dtex found that last year 60% of users surveyed were using anonymous or private browsing to bypass company security policies. The report also found that in 91% of assessments, personal email usage was occurring on company machines, which significantly increases the chances of a phishing attack affecting corporate resources. Even the best corporate security policies mean nothing if users don't follow them.

That's why teaching users why it's important to commit to security policies and controls is a far more effective strategy than simply demanding that they follow them. For example, relaxing rules, gamifying education and testing, or simply explaining the "why" behind rules can do a lot to help drive employee acceptance.

By making a few changes in how you implement your security rules, you can make your company more secure. Here are three tips.

Tip 1: Relax Security Rules
As a security professional, I understand the value of advocating for the strongest security possible. To be honest, if I had my way, users would use complex, 24-plus-character passwords, ignore all email attachments, and be blocked from accessing the Internet outside of specific whitelisted websites required for their jobs. But this isn't realistic. Applying overbearing security policies is an effective way to get employees to ignore sensible security practices out of spite.

On the other hand, by relaxing some rules, IT can drive better policy adoption. For example, easing up on the websites you block can reduce the urge for users to try to proxy or VPN around corporate protections. Allowing less complex (but still secure) passwords can reduce password reuse and dissuade users from simply swapping in a new number when it comes time for a quarterly password reset. In fact, last year the National Institute of Standards and Technology (NIST) updated its password enforcement guidelines to remove complexity and expiration requirements, among other similar changes.
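To make the NIST point concrete, here is an added example (not from the article or from NIST) that puts a legacy composition-rule checker beside a checker in the spirit of the SP 800-63B update: length bounds and a screen against known-compromised passwords instead of character-class rules, and rotation only on evidence of compromise rather than on a calendar. The compromised-password list, the length constants and the helper names are constructed for the example; a real deployment would check against a breach corpus or a k-anonymity lookup service.

```python
"""Legacy composition policy versus a NIST SP 800-63B-style policy.

Added example, not code from the article. Constants and the sample
compromised-password set are constructed for illustration.
"""
import string
from typing import Dict, Tuple

# Constructed sample of breached passwords (lower-cased for comparison).
COMPROMISED_PASSWORDS = {
    "password", "password1", "p@ssw0rd", "p@ssw0rd1", "welcome1",
    "summer2018!", "qwerty123", "letmein", "changeme",
}

LEGACY_MIN_LENGTH = 8
NIST_MIN_LENGTH = 8      # 800-63B: at least 8 characters for user-chosen secrets
NIST_MAX_LENGTH = 64     # 800-63B: verifiers should permit at least 64
LEGACY_ROTATION_DAYS = 90

ALPHABET = string.ascii_lowercase
DIGITS = string.digits


def legacy_policy(password: str) -> Tuple[bool, str]:
    """Classic rule: 8+ chars containing upper, lower, digit and symbol."""
    if len(password) < LEGACY_MIN_LENGTH:
        return False, "too short"
    required_classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if not all(required_classes):
        return False, "missing a required character class"
    return True, "ok"


def nist_style_policy(password: str, username: str = "") -> Tuple[bool, str]:
    """Length bounds plus a compromised-password screen; no composition rules."""
    if len(password) < NIST_MIN_LENGTH:
        return False, "too short"
    if len(password) > NIST_MAX_LENGTH:
        return False, "too long"
    normalized = password.lower()
    if normalized in COMPROMISED_PASSWORDS:
        return False, "appears in compromised-password list"
    if username and username.lower() in normalized:
        return False, "contains the username"
    # Screen the obvious patterns 800-63B calls out: repeated or sequential characters.
    if len(set(normalized)) == 1 or normalized in ALPHABET or normalized in DIGITS:
        return False, "repetitive or sequential"
    return True, "ok"


def legacy_rotation_due(days_since_change: int) -> bool:
    """Calendar-driven expiry: change every 90 days regardless of risk."""
    return days_since_change >= LEGACY_ROTATION_DAYS


def nist_rotation_due(known_compromised: bool) -> bool:
    """Evidence-driven expiry: change only when compromise is suspected."""
    return known_compromised


def compare(password: str, username: str = "") -> Dict[str, bool]:
    """Return which of the two policies would accept the password."""
    return {
        "legacy": legacy_policy(password)[0],
        "nist": nist_style_policy(password, username)[0],
    }


if __name__ == "__main__":
    samples = ["P@ssw0rd1", "correct horse battery staple", "short", "jsmith-rocks-2018"]
    for pw in samples:
        print(f"{pw!r:35} legacy={legacy_policy(pw)}  nist={nist_style_policy(pw, 'jsmith')}")
```

The contrast the article draws shows up directly in the results: the legacy checker happily accepts "P@ssw0rd1" because it ticks every character-class box, while the NIST-style checker rejects it as a known-breached value; a long passphrase with no symbols or digits is rejected by the legacy rules and accepted by the NIST-style ones.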

Tip 2: Engage Users with Meaningful Training
All it takes is one unaware user clicking a malicious link in a phishing email to breach a company. Employee training is a critical part of every security plan, so engaging users with interesting and effective security awareness training programs is crucial. Gamification is also a great way to boost interest and get employees to pay attention to the important information. Changing out the slide deck for a "find the phish" game can help keep users engaged in the content and focused on the ultimate goal. Implementing a points system with a training leaderboard and prizes can encourage employees to pay attention and pass knowledge assessments. 

Tip 3: Explain Why
Security pros have all encountered users who ignore security rules because they don't understand the true implications behind them. Explaining the purpose behind your security policies is vital to bringing these users on board. Instead of simply blocking access to personal email websites, like Gmail or Hotmail, explain the risks these sites pose to the organization when users bypass anti-phishing protections. Demonstrating how easy it is to brute-force short passwords might help them understand why longer passwords are vital. Discussing the actual impact of ransomware can work a lot better than just telling your employees to use network backup locations.

These exercises are equally important for the policy creators. If you can't define a clear "why" for a policy rule, then it probably shouldn't be a rule. It's easy for security professionals to go for the "Fort Knox" approach to security, but different organizations have different threat models. A policy that works great for a Fortune 500 company might not be appropriate for a 12-person shop. Regardless, a little bit of "why" education can go a long way in making users more amenable to new policies.

When it comes to security, the goal should not be to create absolute security, but to be as secure as possible given the demands of the business model and the user group you have to work with. The best security plan is one that everyone can get on board with, and that doesn't have to be difficult to achieve.


Marc Laliberte is an information security threat analyst at WatchGuard Technologies. Specializing in network security technologies, Marc's industry experience allows him to conduct meaningful information security research and educate audiences on the latest cybersecurity ...
Comments
NathanDavidson,
User Rank: Apprentice
7/23/2018 | 1:41:25 AM
Re: Rules are created for betterment
I personally don't think that there are very many companies or employees who enjoy having security protocol, but hopefully they understand the necessity of the framework being in place. At the end of the day, all of these measures are put in and implemented in order to safeguard the information inside the company or even just to protect user and customer data. Surely these people can see that there is merit in protecting that if they put themselves in the customer's shoes...
dwayne22,
User Rank: Apprentice
7/5/2018 | 3:18:38 AM
Rules are created for betterment
The rules are created for betterment; they should be followed, especially the security policies, but still they use VPNs and personal email to access other websites. Because of that, it's really not easy for users to circumvent organizational controls. There should be a rule for using VPNs in the USA and also for other countries.