To err is human, to prevent err is IT info-security’s job.
Dealing with the weakest link in the IT security chain – people – has its challenges. But they’re not exclusively or even necessarily technical ones. No info-security team is going to neglect the basics of installing spam filters, firewalls, user access controls and all the other accoutrements it has at its disposal to protect corporate networks and company data.
Info-security groups always have been good at putting in place the technology speed bumps that remind employees to slow down. Those protections sure come in handy when those “moments of mindlessness” take over. That isn’t meant as an insult. It’s just a statement of the fact that everyone, at one time or another, stops thinking, and that’s when bad things can happen that put the organization or its people at risk. Those moments occur in our daily lives – like when we realize we’re not sure what route we just took to the supermarket parking lot – so it shouldn’t be a surprise that it happens in our work lives, too.
Many info-security leaders and their teams need to focus more on creating an environment where the users themselves take greater responsibility for security in those “moments of mindfulness” that characterize most employees’ working days. IT security must empower their co-workers with the information they need to stay safe, encourage their questions and even their criticism, and connect with them on the human level to make the path to a secure workplace an easier one to walk.
Spread the Security Word
There are reasons why it’s challenging to help colleagues become stronger links in the IT security chain. One of them is that creating a workplace of universal participation in security requires conducting an active and unending awareness campaign. Many IT and security leaders have heard before that they need to talk up security, and many of them think they’re doing just that with occasional email reminders about things like not giving out sensitive information to strangers. These items are important yet only part of the solution.
Security needs to promote a security mindset amongst all employees to reduce the “weakest link” factor. When it comes to security awareness, you want to market it to your employees as aggressively as a fast-food franchise going after the toy-hungry kid demographic. You’ve got to make them want security as much as you do – or at least want it enough to change any risky practices they might engage in.
Crafting a stronger security chain starts with building a stronger communication chain with them. This isn’t an area that most info-security people know much about, though, because much of relates to employing some marketing and advertising savvy. And marketing and advertising classes don’t usually go hand-in-hand with a Master of Information Science (MIS) or computer science degree. Security teams may think people will be annoyed by hearing too many messages on the same topic too many times, but marketers and advertisers know that people need to hear things five to nine times before they sink in.
However, what marketers and advertisers also know is that the human species likes variety, entertainment and connection. There are plenty of ways info-security can play to those innate desires, thanks to the multimedia- and socially-rich Web world we live in today.
Many companies are starting their own Facebook-like social and collaborative ecosystems for business purposes, for example. There’s no reason why info-security can’t get involved with those initiatives, using these environments as another forum for getting its messages across.
Leveraging corporate video channels or even posting some clips up on YouTube that employees can be invited to view can be another positive step that drives positive employee behavior. Just make sure it’s not a dry and long security walk-through video, and make sure that’s clear in the invite so that people actually check it out.
Perhaps, for example, present a 3-minute video clip with the top three vulnerability findings of a recent security survey and quick tips about how to avoid falling into each trap. Work with HR to present the videos at employee meetings as well.
Don’t forget other real-world possibilities, too. Loose lips that could have sunk ships during WWII were sealed because of a widely distributed poster cautioning against being a blabbermouth. It doesn’t cost anything to make up a few flyers to post near coffee machines, bathrooms, or conference rooms with similarly pithy “stay-safe” tips. The military calls it OpSec (Operations Security), and it’s just as important for businesses.
In addition to making key points about ensuring IT security in as many ways as possible, another to-do item is to make it easy for employees to get answers to security questions right when they have them. That isn’t usually the result when the road to information requires them to search for and read through online documents on the corporate intranet.
Internal social networks, on the other hand, also can be a very efficient answer here, so put them to work in that way, too. Also, refresh IT security’s presence on the corporate website so that it takes fewer clicks for employees to get the results they want.
In addition to inviting general security questions from co-workers, employees should be encouraged even to question the info-security team’s operations if they see reason to: How effective a security practice is; whether more security efforts are needed in a particular area; or if something has changed in the environment that they should be aware of. That’s just part and parcel of making everyone feel they are involved in security, as they should be.
Encouraging workers to be probing about events that seem even a little unusual takes on even greater urgency, given how great a threat social-engineering attacks present to organizations.
The Social Engineering Capture the Flag (CTF) contest run at Defcon every year makes the threat plain: Contestants spend just half an hour conducting online research about the 15 companies that agree to participate, and then half an hour on the phone with an employee of each organization asking questions in the hope of eliciting private information. Every year, 14 or even all 15 of the companies are considered breached because of the information leaked by their employees.
The reason social engineering hacks are so successful is that most people like to be helpful, and so they’re responsive to a caller who seems friendly and has just enough data to sound legit. I myself have learned not to be surprised at how much information my students are able to get from strangers when I ask them to do a little experiment in elicitation at their local hangout: Just asking someone over a beer what they do for a living can open the floodgates.
In other cases, social engineering hackers use name-dropping and intimidation to squeeze information out of employees. Whatever the approach, IT security leaders need to cultivate a workforce of employees that know enough to question and verify before they disclose anything to unfamiliar sources. Those who feel that curiosity and critical thinking are encouraged by info-security in the workplace are quite likely to be more apt to check their assumptions of authenticity or authority in other circumstances, so that information security stays intact.
Next On The List
Taking these steps to build a more cautious and participatory employee base is great for making the weak human link in the security chain stronger. And it’s even better when that can be backed up with the appropriate application of security technologies and policies – as well as by the authority to see requirements are enforced.
A couple of things to remember on these points is that the technology speed bumps put in place to keep mindless mistakes from happening shouldn’t become roadblocks that make it unnecessarily hard for people to do their jobs. Then it’s easy for them to justify finding ways around the obstacles, with all the implications that has for security.
Also, your processes should be realistic. A bad example sis telling hundreds or thousands of employees not to write down their passwords. That’s a common requirement, but there’s no way IT security actually can police that. Also, the violators are often high-ranking management. A better approach is to have policies that make people responsible for their actions. So, a policy can say that written-down passwords must be kept in a secure place, and that if a breach can be traced back to failure to follow that rule, there will be consequences. To that end, it’s also important that security leaders have the authority to match their responsibility.
There’s one last thing I’d recommend to info-security leaders and their teams: Get out and meet the people in your company. Practice a little social engineering – for good! – on them. Read books about influence and the psychology of persuasion to help them improve their skills in this area.
First, observe co-workers to find something in common with them, whether it’s sports or parenthood or rumba dancing. From there, you’re on your way to doing what every successful social engineer aims for: Making the connection. These simple, low-cost actions will get colleagues on your side, helping you to forge more strong links in what will become a security chain of steel.
This article was previously published in the print edition as "Fixing the Weakest Link in Your Security Chain: People."