Vulnerabilities / Threats

6/18/2018
10:30 AM
Marc Laliberte
Marc Laliberte
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

3 Tips for Driving User Buy-in to Security Policies

Teaching users why it's important to commit to security controls is a far more effective strategy than simply demanding that they follow them. Here's how.

IT usage and security policies can be an annoyance for employees who simply see them as draconian roadblocks for their daily activities. With the rise of privacy tools, such as VPNs and privacy-focused web browsers, it's never been easier for users to circumvent organizational controls and, in turn, increase a company's risk profile.

Case in point: A 2018 Insider Threat Intelligence Report from Dtex found that last year 60% of users surveyed were using anonymous or private browsing to bypass company security policies. The report also found that in 91% of assessments, personal email usage was occurring on company machines, which significantly increases the chances of a phishing attack affecting corporate resources. Even the best corporate security policies mean nothing if users don't follow them.

That's why teaching users why it's important to commit to security policies and controls is a far more effective strategy than simply demanding that they follow them. For example, relaxing rules, gamifying education and testing, or simply explaining the "why" behind rules can do a lot to help drive employee acceptance.

By making a few changes in how you implement your security rules, you can make your company more secure. Here are three tips.

Tip 1: Relax Security Rules
As a security professional, I understand the value of advocating for the strongest security possible. To be honest, if I had my way, users would use complex, 24-plus-character passwords, ignore all email attachments, and be blocked from accessing the Internet outside of specific whitelisted websites required for their jobs. But this isn't realistic. Applying overbearing security policies is an effective way to get employees to ignore sensible security practices out of spite.

On the other hand, by relaxing some rules, IT can drive better policy adoption. For example, easing up on the websites you block can reduce the urge for users to try and proxy or VPN around corporate protections. Allowing less complex (but still secure) passwords can reduce password reuse and dissuade users from simply swapping in a new number when it comes time for a quarterly password reset. In fact, last year the National Institute for Standards and Technology (NIST) updated its password enforcement guidelines to remove complexity and expiration requirements, among other similar changes.

Tip 2: Engage Users with Meaningful Training
All it takes is one unaware user clicking a malicious link in a phishing email to breach a company. Employee training is a critical part of every security plan, so engaging users with interesting and effective security awareness training programs is crucial. Gamification is also a great way to boost interest and get employees to pay attention to the important information. Changing out the slide deck for a "find the phish" game can help keep users engaged in the content and focused on the ultimate goal. Implementing a points system with a training leaderboard and prizes can encourage employees to pay attention and pass knowledge assessments. 

Tip 3: Explain Why
Security pros have all encountered users who ignore security rules because they don't understand the true implications behind them. Explaining the purpose behind your security policies is vital to bringing these users on board. Instead of simply blocking access to personal email websites, like Gmail or Hotmail, explain the risks these sites pose to the organization when users bypass anti-phishing protections. Demonstrating how easy it is to brute-force short passwords might help them understand why longer passwords are vital. Discussing the actual impact of ransomware can work a lot better than just telling your employees to use network backup locations.

These exercises are equally important for the policy creators. If you can't define a clear "why" for a policy rule, then it probably shouldn't be a rule. It's easy for security professionals to go for the "Fort Knox" approach to security, but different organizations have different threat models. A policy that works great for a Fortune 500 company might not be appropriate for a 12-person shop. Regardless, a little bit of "why" education can go a long way in making users more amenable to new policies.

When it comes to security, the goal should not be to create absolute security, but to be as secure as possible given the demands of the business model and the user group you have to work with. The best security plan is one that everyone can get on board with, and that doesn't have to be difficult to achieve.

Related Content:

Why Cybercriminals Attack: A DARK READING VIRTUAL EVENT Wednesday, June 27. Industry experts will offer a range of information and insight on who the bad guys are – and why they might be targeting your enterprise. Go here for more information on this free event.

Marc Laliberte is an information security threat analyst at WatchGuard Technologies. Specializing in network security technologies, Marc's industry experience allows him to conduct meaningful information security research and educate audiences on the latest cybersecurity ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
NathanDavidson
50%
50%
NathanDavidson,
User Rank: Apprentice
7/23/2018 | 1:41:25 AM
Re: Rules are created for betterment
I personally don't think that there are very many companies or employees who enjoy having security protocol, but hopefully they understand the necessity of the framework being in place. At the end of the day, all of these measures are put in and implemented in order to safeguard the information inside the company or even just to protect user and customer data. Surely these people can see that there is merit in protecting that if they put themselves in the customer's shoes...
dwayne22
50%
50%
dwayne22,
User Rank: Apprentice
7/5/2018 | 3:18:38 AM
Rules are created for betterment
The rules are created for betterment they should be followed and especially the security policies but still, they use VPNs and personal email to access other websites because of that it's really not easy for users to circumvent organizational controls. There should a rule for using VPN in the USA and also for other countries. 
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
2019 Attacker Playbook
Ericka Chickowski, Contributing Writer, Dark Reading,  12/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
[Sponsored Content] The State of Encryption and How to Improve It
[Sponsored Content] The State of Encryption and How to Improve It
Encryption and access controls are considered to be the ultimate safeguards to ensure the security and confidentiality of data, which is why they're mandated in so many compliance and regulatory standards. While the cybersecurity market boasts a wide variety of encryption technologies, many data breaches reveal that sensitive and personal data has often been left unencrypted and, therefore, vulnerable.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-1265
PUBLISHED: 2018-12-17
IBM Security Guardium 10.0, 10.0.1, 10.1, 10.1.2, 10.1.3, 10.1.4, and 10.5 does not validate, or incorrectly validates, a certificate. This weakness might allow an attacker to spoof a trusted entity by using a man-in-the-middle (MITM) techniques. IBM X-Force ID: 124740.
CVE-2017-1272
PUBLISHED: 2018-12-17
IBM Security Guardium 10.0 and 10.5 stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM X-Force ID: 124747. IBM X-Force ID: 124747.
CVE-2017-1597
PUBLISHED: 2018-12-17
IBM Security Guardium 10.0, 10.0.1, 10.1, 10.1.2, 10.1.3, 10.1.4, and 10.5 Database Activity Monitor does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts. IBM X-Force ID: 132610.
CVE-2018-1889
PUBLISHED: 2018-12-17
IBM Security Guardium 10.0 and 10.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 152080.
CVE-2018-1891
PUBLISHED: 2018-12-17
IBM Security Guardium 10 and 10.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 152082.