Security Policies Often Weaken Defense

What’s more, firms are often their own worst enemy. They chronically ignore the human element of security, often relegating efforts to engage employees to the technology-focused, and stereotypically introverted staff members of IT and information security. Instead of elevating the topic of security as an organization-wide endeavor, firms put the unfair burden of protecting their company’s intellectual property on the shoulders of a group who is ill-equipped to grasp the totality of the threat. Technological defense, although important, is only one side of the coin. Putting the responsibility of understanding and mitigating the human threat goes well beyond IT.

Left in the wrong hands, cyber security manifests itself in burdensome and ineffective policy. Take typical password policies, for example. Setting a password policy to lockout after three tries is frustrating for users— and it almost never adds any incremental improvement in security. Making users change their password every 90 days is also folly, as it too fails to measurably improve security. These policies effectively lower a firm's security posture as users resort to writing down their passwords or finding other deleterious workarounds.

And because many security departments are more worried about control than productivity, they don’t consider the unintended consequences of their policies. Disable USB ports? Good move, except now users move often sensitive documents via Google Drive. Disable print drivers? That also seems wise, except now users email documents to unsecured web-connected printers. Forced to choose between disruptive and apparently irrational security directives or getting their job done, workers will find a way to be productive.

Creating Security Habits Strengthens Defense

The key to improving overall security is to elevate the topic to an organization wide initiative, and to balance investment between technology and the education and engagement of the workforce. Pursuit of the imaginary “silver bullet” firewall is daunting in itself, so it’s no wonder firms cannot face the prospect of fundamentally changing peoples' behaviors. And given the relative ineffectiveness of the traditional security awareness programs, it’s understandable why firms have largely ignored the human element.

Understandable, yes, but a grievous mistake. Logically, if insiders are the source of the majority of the breaches, then developing a security acumen among the workforce stands to dramatically reduce an organization’s vulnerability.

Some technologically well-protected firms, like Dow Chemical Co., engage their work force through advanced security awareness programs that focus on targeted education. The most secure of these firms are creating “security habits.” By clearly defining desired behaviors, the firms help workers understand what they need to do, and why. By involving the workers in designing the security policies, the firms generate buy-in and support. Organizations that create the triggers, motivation, and even rewards—for example, recognition for forwarding, but not opening, a suspicious email—establish a secure operating model. If the organization’s leaders encourage employees and also visibly practice the desired behaviors themselves, then security can become a way of life in the workplace.

To Strengthen Security, Start with the “Weakest Link”

In The Art of War, Sun Tzu taught that attackers should "avoid what is strong and…strike at what is weak." This lesson has been well learned by today's cyber attackers, who are ruthlessly efficient in converting employees and corporate partners into unwitting allies. Good, smart workers are conscripted by attackers after being lured into opening an email attachment or following a dangerous link. If we change this paradigm and make our workforce an accountable part of the security solution, we will dramatically improve the defensibility of our firms.