by Hank Berkley
Contributing editor

Previous entries here have focused on technical and process-driven security measures. These are the backbone of information security, but they often overlook the low-hanging fruit: the people. Not the IT team, but the office workers and the laborers on the shop floor. Because they don't write code or have access to the company's key data, they are often overlooked. But these are precisely the people who may pose the greatest danger.

There is a reason why senior citizens fall victim to internet scams more often than their younger counterparts: many of them don't understand the technology, or the opportunities for fraud that newer technologies create*. A similar vulnerability exists in companies whose employees don't recognize risks and responsibilities. We require users to have a complicated password. That makes it harder to do their job, so they write it down and stick it under their keyboard. They are following our rules, but without understanding what is behind those rules they inadvertently subvert the benefits. These are not people with bad intentions. They are misguided.

If you give a trusted employee a master key to your offices, it is not very likely that the person will share that key with anyone. Most people understand how a physical key works. But that same person might not give a second thought to emailing his credit card number to a friend, because he doesn't recognize the risk. We can try to scare people every quarter with security awareness training, but over time that becomes ineffective if we are not making them understand their individual roles in protecting the organization. In other words, they need to understand the "why" behind your security rules.

The goal is not to make a security expert out of a long-haul trucker, but to have him understand that your password-change policy is not in place to make his job harder, but to protect his personal data and the company's in case he reused the same password on another site that was breached. Will this guarantee compliance with company policies? Absolutely not. But people behave more rationally when they (a) understand why something is being asked of them and (b) feel that they are part of the solution.

If you were told that requiring a symbol in a password (in addition to upper- and lowercase letters and digits) made an 8-character password roughly 28 times harder to guess by brute force (the alphabet grows from 62 to 94 characters, and 94^8 / 62^8 is about 28), wouldn't that lower your annoyance at following what previously appeared to be a random rule? If you knew that a computer that could try every 8-character password in 10 days would need well over a year and a half for 9 characters, because each added character multiplies the work by the size of the alphabet (62 for letters and digits alone), wouldn't you consider using one more?**
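The arithmetic behind those two questions is worth seeing worked out, because the intuition people have about password rules is usually wrong in the same direction: a longer password buys more than a more "complex" one. The following Python is an added example, not code from the original post. It back-calculates a guess rate from the post's illustrative figure (every 8-character letter-and-digit password tried in 10 days) and then asks how long the same machine needs when a symbol class is added or one character is appended. The 10-day figure and the 32-symbol class size are assumptions; the character-class counts are the printable ASCII ranges.

```python
"""Brute-force cost estimator for password rules (added example).

Assumptions (not from the original post):
  * a symbol class of 32 printable ASCII characters;
  * the attacker's machine exhausts all 8-character letter+digit
    passwords in 10 days, which fixes its guess rate.
Everything else is keyspace arithmetic: alphabet ** length.
"""
from math import log2

LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 32   # printable ASCII classes
ALNUM = LOWER + UPPER + DIGITS                     # 62 characters
ALNUM_SYMBOLS = ALNUM + SYMBOLS                    # 94 characters

SECONDS_PER_DAY = 86_400


def keyspace(length: int, alphabet: int) -> int:
    """Distinct passwords of exactly `length` drawn from `alphabet` symbols."""
    return alphabet ** length


def bits(length: int, alphabet: int) -> float:
    """Entropy of a uniformly random password, in bits."""
    return length * log2(alphabet)


def guesses_per_second(length: int, alphabet: int, days: float) -> float:
    """Guess rate implied by exhausting keyspace(length, alphabet) in `days`."""
    return keyspace(length, alphabet) / (days * SECONDS_PER_DAY)


def days_to_exhaust(length: int, alphabet: int, rate: float) -> float:
    """Days to try every password of this shape at `rate` guesses/second."""
    return keyspace(length, alphabet) / rate / SECONDS_PER_DAY


def symbol_factor(length: int) -> float:
    """Work multiplier from adding the symbol class at a fixed length."""
    return keyspace(length, ALNUM_SYMBOLS) / keyspace(length, ALNUM)


def length_factor(alphabet: int) -> int:
    """Work multiplier from appending one character: exactly the alphabet size."""
    return keyspace(2, alphabet) // keyspace(1, alphabet)


def compare(days_for_8_alnum: float = 10.0) -> dict:
    """Cost of each rule change, relative to the 8-character baseline.

    Returned values are in days on the machine implied by the baseline.
    """
    rate = guesses_per_second(8, ALNUM, days_for_8_alnum)
    return {
        "rate_guesses_per_s": rate,
        "8_alnum_days": days_to_exhaust(8, ALNUM, rate),
        "8_alnum_symbols_days": days_to_exhaust(8, ALNUM_SYMBOLS, rate),
        "9_alnum_days": days_to_exhaust(9, ALNUM, rate),
        "9_alnum_symbols_days": days_to_exhaust(9, ALNUM_SYMBOLS, rate),
        "8_alnum_bits": bits(8, ALNUM),
        "8_alnum_symbols_bits": bits(8, ALNUM_SYMBOLS),
        "9_alnum_bits": bits(9, ALNUM),
    }


if __name__ == "__main__":
    result = compare()
    print(f"implied rate: {result['rate_guesses_per_s']:.3g} guesses/s")
    for key in ("8_alnum", "8_alnum_symbols", "9_alnum", "9_alnum_symbols"):
        print(f"{key:>16}: {result[key + '_days']:10.1f} days")
    print(f"adding symbols to 8 chars multiplies work by {symbol_factor(8):.1f}")
    print(f"adding a 9th alnum char multiplies work by {length_factor(ALNUM)}")
```

Two things fall out that the paragraph only gestures at. Adding the symbol class to an 8-character password multiplies the work by about 28 (roughly 4.8 bits), while adding a single ninth character from the same 62-character alphabet multiplies it by 62 (about 6 bits), so on the baseline machine the 8-character password with symbols lasts about 279 days and the plain 9-character one about 620. The estimator assumes uniformly random passwords; real users pick predictable ones, so treat these numbers as an upper bound and the ratios, not the absolute days, as the point to explain.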

In 2016 AT&T embarked on a year-long internal campaign called "You are the Firewall" in which they explained to ALL of their employees that the information security people were never going to be perfect; it would take everyone's effort to protect the assets of the organization. Not only did they share honest information in layman's terms, but they set up a way for employees to get questions answered without feeling overwhelmed or made to feel dumb. All indications are that the program was well received and even appreciated by employees who, presumably, made better choices every day when faced with potential security issues.

Even the way security training is presented can make a difference. If it is simply another required training, it becomes just another checkbox for the employee. But if it is presented as free (but required) training that can help them at work AND with their personal internet security, it will be taken more seriously.

How this concept is implemented will vary from one organization to the next, but considering that people are at the root of most information security incidents, this is a great place to start investing.

* A recent study found that only 3% of 18-29 year-olds shared "fake news" articles on the internet, compared with 11% of those over 65. More can be found here.

** If you want to understand more about password security, Jason Sherrill wrote a great piece that can be found here.
