Getting employees invested: Overcoming complacency to emphasize security

There’s no denying last year was chaotic. We had to navigate major social unrest, a divisive presidential election and of course, a global pandemic. To make matters worse, cybercriminals took advantage of people working remotely and spending more time online and ramped up their attacks.

With all of the chaos and turmoil, it would be easy for people to just throw up their hands and forget about smart security practices within the enterprise. In fact, it seems like that’s what a lot of folks did. As security professionals, our job is to thwart hackers by combining systemic safeguards with teams empowered to make sound decisions. With vaccinations rolling out and many people returning to the office, now is an opportunity to reinforce the importance of security hygiene and build a security structure and culture where your employees are invested in making better choices.

To do this, we first have to understand the psychology behind human decision-making. Many clinicians break thinking into two segments. The first segment houses our immediate reactions, or what many people would refer to as your instinct. These are thoughts that occur automatically with very little effort. The second segment is more complicated and requires our brains to concentrate and solve problems.

Building strong security habits requires a combination of both modes of thought because people’s first instincts may not lead to the best choices, nor can every person be an expert on every best practice. Instead employees need the encouragement to stop and use their critical thinking skills to make smart decisions that become instinctual. In other words, your colleagues need to understand the importance of their security choices and actively participate in the process. If users are given the idea that protecting the enterprise falls solely on their employer, they are far more likely to be complacent, make bad choices and ultimately open themselves and their organizations to an attack.

In the cyber realm, password security is a great example. Many users' first instinct is to choose something easy to remember or something they’ve used before, which means it may be easy for criminals to crack. To make matters worse, they often use that password across multiple accounts, creating avenues for credential stuffing attacks and account takeovers. Some companies offer password managers to encourage the use of long, complex and unique passwords, but password managers aren’t foolproof. They are only as strong as the user’s master password. If your team members never get into the habit of choosing strong, unique, 16+ character passwords in the first place, a password manager is going to do little to mitigate risk.

Part of the challenge with getting users to set strong passwords – or take other security precautions for that matter – is that they think their companies have them protected with firewalls and proactive network monitoring. While businesses should take those precautions, they aren’t the be-all-end-all. Just because you know your bank has your money locked in the vault, it doesn’t mean you aren’t going to put a PIN code on your debit card.

This principle can also be applied to a major problem born out of the pandemic. Researchers reported an overlap last year in the personal and corporate data collected from botnet logs (the outputs of keylogger malware infections), showing that people are increasingly using company devices for personal business, and logging into company accounts from their personal phones and laptops. Because keyloggers capture plaintext credentials and the URLs they are associated with, they may enable cybercriminals to access company networks and steal information while evading detection. Since many employers plan to still allow employees to work-from-home at least part time, it’s important to address this issue head on. While you can require employees to use a virtual private network (VPN) and install anti-virus and anti-malware software, ultimately your employees are responsible for keeping their devices separate. They need to understand why it matters.

One way to do this is education. Security is complex, and new threats emerge all the time. Shedding light for your team on the frequency and gravity of these increased threats can drive home the point that employees need to protect themselves both at work and at home. With cybersecurity training, phishing awareness training and learning how to spot social engineering emails can help keep company data safe, and also gives your employees the skills they need to keep their own personal information from falling into hackers’ hands.

After you’ve established an ongoing literacy and training program, think about ways to reward your team for making good security decisions. Researchers have figured out that positive feedback motivates people to act far more than any perceived threats. So, consider implementing some type of recognition system. It can be as simple as sending a positive email when an employee reports a suspicious link, or implementing a cybersecurity leaderboard to add a little friendly competition. Small daily or even weekly touchpoints like this contribute to the idea that every single team member is equally responsible for keeping the enterprise secure.

Your employees are the key to smarter security. Whether your team is staying fully remote or moving back to the office, we’re in a unique time where everyone is once again adjusting to a ‘new normal.’ Take advantage of this transition to re-establish company security rules and build them into your culture so that every employee is invested. Who knows? Maybe empowering people to make better security choices will help them feel a greater sense of control during the chaos and keep their enterprises safer at the same time.

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.